topic Static NAT for outside access not working... in Network Security

Static NAT for outside access not working...

remitprosupport — Mon, 11 Mar 2019 21:27:40 GMT

Hello all. I've got an ASA 5510 that has been working like a charm for some time now. Until now we've not had to nat any resources to the outside. I created network objects for an internal host and an external host. The internal host has to respond to requests on tcp/2001.

The internal host has no problem accessing the internet, but when I attempt to access the internal host from the outside, I get the following:

4 Sep 20 2011 16:20:33 fw_outside_ip 62678 outside_host 2001 Deny tcp src outside:outside_host_ip/62678 dst inside_host:inside_host_ip/2001 by access-group "outside_access_in" [0x0, 0x0]

When I try to use the packet tracer to simulate the outside traffic, I get the following

5 Sep 20 2011 16:17:41 inside_host 2001 Asymmetric NAT rules matched for forward and reverse flows; Connection for tcp src outside:outside_host/1065 dst inside_int:inside_host/2001 denied due to NAT reverse path failure

I've got over my NAT statement and access rule and can't find anything wrong with either. If someone could take a look I'd appreciate it...

Here are the pertinent NAT and access rule...

static (inside_int,outside) tcp interface 2001 inside_host 2001 netmask 255.255.255.255

access-list outside_access_in extended permit tcp host outside_host host inside_host eq 2001

Thanks!

Re: Static NAT for outside access not working...

Julio Carvajal — Tue, 20 Sep 2011 21:52:40 GMT

Hello Daniel,

As I can see you are running a version older than 8.3, So in this case you will need to point the Public Ip ( The natted one ) address on the ACL.

So if the Ip adddress of the interface is 31.31.31.31 the ACL should be:

access-list outside_access_in extended permit tcp host outside_host host 31.31.31.31 eq 2001

Access-group outside_access_in in interface outside

I think this is going to solve your problem, Please let me know if you need anything else

Best Regards,

Julio

Static NAT for outside access not working...

remitprosupport — Wed, 21 Sep 2011 00:48:08 GMT

Thanks for the reply Julio. I tried changing the destination IP address in the ACL from my inside host to that of the external IP address of the firewall in the ACL and I still get the same denial message. Do you have any other suggestions?

Thanks!

Static NAT for outside access not working...

Julio Carvajal — Wed, 21 Sep 2011 00:51:09 GMT

Hello Daniel,

Is it possible that you can post the configuration, and the source Ip address and the destination Ip address of this traffic in order to take a deeper look into this issue,

Regards

Julio

Static NAT for outside access not working...

remitprosupport — Wed, 21 Sep 2011 15:07:49 GMT

Julio,

Thanks again for your reply. Because this was time-sensitive, I opened a TAC with Cisco and they were able to resolve the issue. As you pointed out, the access rule on the outside interface needed to allow access to the outside interface itself. I was adding the outside interface's IP address through ASDM, which did not work. The Cisco tech added the outside IP address through the CLI, which then showed up in ASDM as the interface by name (outside) instead of IP. I'm not sure yet if specifying it by name in ASDM when adding the rule would have had the same effect, but I'll have to test that.

Your help is greatly appreciated...

Static NAT for outside access not working...

Julio Carvajal — Wed, 21 Sep 2011 16:05:53 GMT

Hello Daniel,

I am glad that now everything is working, as I assumed the problem was the Access-list.

Any other question I will be more than glad to help

Have a great Day,

Julio