topic destination NAT problem in Network Security

destination NAT problem

yeharold94@gmail.com — Fri, 21 Feb 2020 17:16:09 GMT

I am having a wired issue, I am trying to put my DMZ VM to outside do 1:1 NAT.

It can not hit the NAT rule. For internal, the server is working fine. I disable the firewall of VM already.

for the external, I put myself computer on the public IP address. and that IP is working fine without the FW.

Does anyone have any idea how to troubleshoot this problem?

nat (DMZ,outside) source static stoneraft-linux stoneraft-out

access-list 103 extended permit tcp any object stoneraft-linux

object network stoneraft-linux
 host 192.168.27.137

object network stoneraft-out
 host 8.8.8.8

Re: destination NAT problem

Rob Ingram — Tue, 02 Jul 2019 19:10:16 GMT

Hi,

Static NAT example:-

object network stoneraft-linux
 host 192.168.27.137
 nat (dmz,outside) static 8.8.8.8

access-list 103 extended permit tcp any host 192.168.27.137

HTH

Re: destination NAT problem

yeharold94@gmail.com — Tue, 02 Jul 2019 19:15:08 GMT

I got 0 hit on this NAT rule

Re: destination NAT problem

Mike.Cifelli — Tue, 02 Jul 2019 19:31:18 GMT

If you are trying to do source only nat it should look something like this:
nat (DMZ,outside) source static <srcIP><mappedIP>
For future troubleshooting I would recommend running a packet-tracer from CLI that may better assist you with troubleshooting your issue.
packet-tracer input DMZ tcp 192.168.27.137 12345 8.8.8.8 80

Re: destination NAT problem

yeharold94@gmail.com — Tue, 02 Jul 2019 19:51:35 GMT

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         outside

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group DMZ_access_in in interface DMZ
access-list DMZ_access_in extended permit ip any any 
Additional Information:

Phase: 3
Type: NAT
Subtype: 
Result: ALLOW
Config:
nat (TTN-DMZ,outside) source static stoneraft-linux stoneraft-out
Additional Information:
Static translate 192.168.27.137/22 to 8.8.8.8/22

Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: IP-OPTIONS
Subtype: 
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (TTN-DMZ,outside) source static stoneraft-linux stoneraft-out
Additional Information:

Phase: 7      
Type: USER-STATISTICS
Subtype: user-statistics
Result: ALLOW
Config:
Additional Information:

Result:
input-interface: TTN-DMZ
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (sp-security-failed) Slowpath security checks failed

Re: destination NAT problem

Mike.Cifelli — Tue, 02 Jul 2019 23:43:06 GMT

That output looks like your NAT rule worked:
Static translate 192.168.27.137/22 to 8.8.8.8/22

Not sure why you would translate to 8.8.8.8 though. What is the exact goal you are trying to accomplish?
#sh xlate -->shows NAT translations
#sh nat -->shows NAT counters

Re: destination NAT problem

yeharold94@gmail.com — Wed, 03 Jul 2019 14:03:00 GMT

8.8.8.8 is an example, just in case, I don't want to send my public IP to everywhere.

ASA# sh xlate local 192.168.27.137
1104 in use, 5491 most used
Flags: D - DNS, e - extended, I - identity, i - dynamic, r - portmap,
       s - static, T - twice, N - net-to-net
NAT from DMZ:192.168.27.137 to outside:8.8.8.8
    flags sT idle 0:02:25 timeout 0:00:00
	

ASA# sh nat 192.168.27.137  detail 
Manual NAT Policies (Section 1)
1 (DMZ) to (outside) source static stoneraft-linux stoneraft-out  
    translate_hits = 284, untranslate_hits = 5
    Source - Origin: 192.168.27.137/32, Translated: 8.8.8.8/32
	
ASA# sh nat 192.168.27.137  translated 8.8.8.8
Manual NAT Policies (Section 1)
1 (DMZ) to (outside) source static stoneraft-linux stoneraft-out  
    translate_hits = 284, untranslate_hits = 5

Re: destination NAT problem

Mike.Cifelli — Wed, 03 Jul 2019 14:59:10 GMT

Cool so you are working now! Enjoy!

Re: destination NAT problem

yeharold94@gmail.com — Thu, 04 Jul 2019 00:04:50 GMT

still not works, same issue. do you have any idea?