topic Re: Static NAT doesn't seems work in Network Security

Static NAT doesn't seems work

chunsingkerk — Mon, 11 Mar 2019 11:28:15 GMT

Hi,

I'm trying to create a static NAT for an outside server to access an inside server

static (inside,outside) a.b.c.d 1.2.3.4 netmask 255.255.255.255

Xlate table shows that static NAT took place

Packet capture shows the destination IP address becomes 0.0.0.0, which really puzzles me.

Is someone able to shed some light on this?

Thanks

/chunsing

-----------------------------

ASA# sh cap ACS trace

42 packets captured

1: 10:58:57.102732 <IP_Addr_of_ext_svr>.2406 > a.b.c.d.1645: udp 54

<...truncated ...>

Phase: 3

Type: ACCESS-LIST

Subtype: log

Result: ALLOW

Config:

access-group outside_in in interface outside

access-list outside_in extended permit ip object-group EJPROXY_SVRS host a.b.c.d

object-group network EJPROXY_SVRS

network-object host <IP_Addr_of_ext_svr>

Additional Information:

Forward Flow based lookup yields rule:

in id=0x4666550, priority=12, domain=permit, deny=false

hits=7, user_data=0x45a8278, cs_id=0x0, flags=0x0, protocol=0

src ip=<IP_Addr_of_ext_svr>, mask=255.255.255.255, port=0

dst ip=a.b.c.d, mask=255.255.255.255, port=0

<...truncated ...>

Phase: 5

Type: CAPTURE

Subtype:

Result: ALLOW

Config:

Additional Information:

Forward Flow based lookup yields rule:

in id=0x3e43060, priority=12, domain=capture, deny=false

hits=1, user_data=0x4596d30, cs_id=0x461cf98, reverse, flags=0x0, protocol=0

src ip=<IP_Addr_of_ext_svr>, mask=255.255.255.255, port=0

dst ip=0.0.0.0, mask=0.0.0.0, port=0 *****dst IP becomes 0.0.0.0******

-----------------------------

Re: Static NAT doesn't seems work

JORGE RODRIGUEZ — Mon, 22 Oct 2007 15:17:39 GMT

Hi Chun, few questions for you.

1- Do you have any other static working or is it only this static that does not work?

2- make sure inside host does not have firewall turned on.

3- make sure hosts is listening to ports you have indicated in your access-list for this static nat translation.

could you post the output of the follwing:

If running code 6.x

"show sysopt "

if running 7.x,8.x

"show running-config sysopt "

Re: Static NAT doesn't seems work

chunsingkerk — Wed, 24 Oct 2007 01:57:29 GMT

Hi Jorgemcse,

Thanks for your reply.

1) This is the only static that isn't work.

2 & 3) The inside host doesn't have firewall and is able to response to requests from another internal hosts.

ICES-ASA# show running-config sysopt

no sysopt connection timewait

sysopt connection tcpmss 1380

sysopt connection tcpmss minimum 0

no sysopt nodnsalias inbound

no sysopt nodnsalias outbound

no sysopt radius ignore-secret

sysopt connection permit-vpn

ICES-ASA#

Re: Static NAT doesn't seems work

JORGE RODRIGUEZ — Wed, 24 Oct 2007 04:03:30 GMT

I suspected something else with sysopt output,are you allowing TCP ports or IP services ? I think the problem could be in your acl allowing IP instead of TCP services .

e.g. I lab this out with defining an outside group called vendor_group and their forein Ip address, then defined TCP service group called TES_Group allowing domain, ftp , rdp TCP services to access inside host a.b.c.d the acl should be:

access-list outside__in extended permit tcp object-group OUtside_Vendor host a.b.c.d object-group TEST_GROUP

access-group outside_in in interface outside

or somewhere along these lines, define the ouside hosts in your network object group as well as define the TCP services object group to be allowed.

Re: Static NAT doesn't seems work

chunsingkerk — Wed, 24 Oct 2007 04:51:04 GMT

Hi, have checked my acl and is same as your suggestion

--------------

access-list outside_in extended permit udp object-group EJPROXY_SVRS host a.b.c.d eq radius

object-group network EJPROXY_SVRS

network-object host

---------------

Doing a "show access-list outside_in" indicates that acl is matched.

I've done a permit any-any but still can't work.

Re: Static NAT doesn't seems work

JORGE RODRIGUEZ — Wed, 24 Oct 2007 05:09:24 GMT

how is the static nat translation does it have a unique public IP for the inside host?

for sake of testing create tcp rdp acl and test from outside doing "telnet PublicIP 3389" to see if you can reach it.

Re: Static NAT doesn't seems work

JORGE RODRIGUEZ — Wed, 24 Oct 2007 05:30:12 GMT

your acl is still udps instead of tcp, it is on what the the server is listening , if you do on the server netstat you will note TCP listening ports not udp and that could be reason you're not hiting it.

Re: Static NAT doesn't seems work

chunsingkerk — Wed, 24 Oct 2007 12:50:07 GMT

Hi Jorgemcse,

Thanks for your assistance, the server is listening for radius on 1645/udp rather that tcp. As suggested I've verified using netstat.

In fact, I've done a permit ip any-any which should include all udp and tcp packets, but server is not receiving the packets.

There is a unique public NAT for the internal server as well. I believe the flow breaks after the translation (outside to inside) where destination IP address becomes 0.0.0.0 hence packet goes back out the outside interface (default route is to outside interface)

thanks