Cisco Firewall 5512 NAT cause IP randomly mapping to the host

wenkaishun
Level 1

I have an ASA 5512 firewall that is configured with 2 public IP addresses.
I use static NAT to expose an HTTPS service and PAT to allow my DMZ web server to access the Internet. The CLI configuration is shown below:

PAT:
object network pat-pub-ip
host 49.xx.xx.2

object network my_dmz_web
nat (inside,outside) dynamic pat-pub-ip interface


static NAT:
object network nat-pub-range
range 49.xx.xx.0 49.xx.xx.1

object network web-https
host 10.128.10.10
nat (inside,outside) static nat-pub-range service tcp https https

ACL:
access-list 101 extended permit icmp any any
access-list 101 extended permit ip any any
access-group 101 in interface inside

I also have other hosts, like 10.128.10.20, 10.128.10.30 and 10.128.10.40.

The weird thing is that when I use the public IPs 49.xx.xx.0 and 49.xx.xx.1, they directly reach the hosts 10.128.10.20 and 10.128.10.30 respectively, but there is no NAT other than what I listed above.

For example:
ssh 49.xx.xx.0 connects directly to 10.128.10.20, just like ssh 10.128.10.20.


I've tried resetting the ASA and reconfiguring it again, with the same result. Has anyone faced the same situation before? Thanks

1 Reply

srigovi2
Cisco Employee

Hi,

As per the scenario, you have configured PAT for outbound traffic and static NAT for inbound traffic to the DMZ web server.

In the static NAT you observed an incorrect mapping. Can you please provide the output of the commands below?

packet-tracer: shows which NAT rules a packet is hitting; try it with any source IP.

show nat detail: displays the current NAT translations on the firewall, including the source and destination IP addresses and ports, as well as the NAT rules that are being used.

show xlate / show xlate detail: displays information about the translation, the interface, the IP address and the type of translation.

show conn | i 49.xx.xx.0/49.xx.xx.1: lets you see active connections, including to-the-box and from-the-box traffic.

show nat policy: displays the NAT policies currently configured on the firewall, including both static and dynamic NAT rules.

Thanks,
G.Srinivasan
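As an added example (not code from the thread or from Cisco), the small model below reproduces how the ASA orders and matches auto (object) NAT rules, so the question's configuration can be reasoned about before running the packet-tracer command the reply suggests. It assumes documentation addresses 203.0.113.x in place of 49.xx.xx.x, and, because the post does not show the host inside my_dmz_web, an assumed 10.128.10.50 for it.

```python
# Added example: model of ASA section-2 (auto/object NAT) rule ordering and
# matching, using the rules posted in the question. Ordering follows Cisco's
# documented rules: static before dynamic, fewer real addresses first, lower
# real address first, then object name. Static rules are bidirectional;
# dynamic PAT only translates inside->outside.
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Optional

@dataclass
class AutoNat:
    obj: str                    # network object the rule is attached to
    real: list                  # real (inside) addresses of that object
    mapped: list                # mapped (outside) addresses
    static: bool                # True = static NAT, False = dynamic PAT
    port: Optional[int] = None  # "service tcp X X" restricts the rule to one port

def rule_order(r: AutoNat):
    """Sort key matching the ASA's auto NAT evaluation order."""
    return (not r.static, len(r.real), int(ip_address(r.real[0])), r.obj)

def inbound_lookup(rules, dst_ip, dst_port):
    """Outside->inside packet: only a static rule can untranslate the mapped IP."""
    for r in sorted(rules, key=rule_order):
        if r.static and dst_ip in r.mapped and r.port in (None, dst_port):
            return r.obj, r.real[0]   # one-to-many static: every mapped IP -> one real host
    return None                       # no NAT hit: the destination is left untouched

def outbound_lookup(rules, src_ip, src_port):
    """Inside->outside packet: first rule whose real addresses (and service) cover it."""
    for r in sorted(rules, key=rule_order):
        if src_ip in r.real and r.port in (None, src_port):
            return r.obj, r.mapped[0]
    return None

# The question's two object NAT rules. 203.0.113.0/.1/.2 stand in for
# 49.xx.xx.0/.1/.2; 10.128.10.50 is an ASSUMED host for my_dmz_web.
RULES = [
    AutoNat("my_dmz_web", ["10.128.10.50"], ["203.0.113.2"], static=False),
    AutoNat("web-https", ["10.128.10.10"], ["203.0.113.0", "203.0.113.1"],
            static=True, port=443),
]

if __name__ == "__main__":
    print(inbound_lookup(RULES, "203.0.113.0", 443))      # ('web-https', '10.128.10.10')
    print(inbound_lookup(RULES, "203.0.113.0", 22))       # None: ssh hits no NAT rule at all
    print(outbound_lookup(RULES, "10.128.10.50", 51000))  # ('my_dmz_web', '203.0.113.2')
```

The None result for port 22 is the point to compare against packet-tracer output: with only these two rules configured, an inbound SSH to 49.xx.xx.0 should not be translated to any inside host, so a translation seen in show xlate for that flow must come from a rule or a route not shown in the post.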