Beginner

ASA NAT issue

Hi all,

I have a problem with NAT on ASA. I am trying to translate the destination IP based on source range and source port.

I am getting the log below.

Failed to locate egress interface for TCP from OAM_MDS_EXT:169.254.0.1/52464 to 8.2.3.1/161 .

Range 8.2.3.0/28 is not allocated on any interface. I just configured a null route and redistributed it in the OSPF.

Please have a look at the attached Visio.

My config

nat (EXT,INT) source dynamic MGMT_169.254.0.0_18 NET_80.223.123.161 destination static NET_80.223.123.161 SERVER1 service SSH SSH

object network MGMT_169.254.0.0_18
 range 169.254.0.1 169.254.64.254
!
object network NET_80.223.123.161
 host 80.223.123.161
!
object service SSH
 service tcp destination eq ssh
!
object network SERVER1
 host 10.10.0.1

Any advice?


Re: ASA NAT issue

Hey Vl@d@Ni,

happy to help you out if I can. I'm not sure why you're getting that exact error message (but can only see part of your config), as a Null0 route shouldn't have anything to do with your NATing. I can tell you by looking at your config that you haven't established any NAT objects for your local subnet on the ingress side of the ASA, and that's definitely going to cause problems with translation. Try the following:

1) Create a dynamic NAT pool for your range of addresses (you have done this successfully):

(config)# object network MGMT_169.254.0.0_18
(config-network-object)# range 169.254.0.1 169.254.64.254

2) Create a network object for your INGRESS network (this is missing):

(config)# object network SNMP_INGRESS
(config-network-object)# subnet 172.16.0.0 255.255.255.252

3) Enable dynamic NAT for your management range on the ingress network under the same network object:

(config-network-object)# nat (INT,EXT) dynamic MGMT_169.254.0.0_18

4) Create a network object for your web server:

(config)# object network SERVER1
(config-network-object)# host 10.10.0.1

5) (finally) Configure NAT for the static web server:

(config-network-object)# nat (EXT,INT) static 10.10.0.1

Let me know if that helps!

Please don't forget to rate!

-Zac

Beginner

Re: ASA NAT issue

Hi Zac,

thank you for your reply. Maybe I didn't explain my end goal correctly. R1 on the left is using SNMP server 10.10.0.1 on the right. The SNMP server is not presented with the real IP to R1, so R1 uses 8.2.3.1.

In order to make this work I am trying to translate destination IP 8.2.3.1 to 10.10.0.1 and keep the original service, in this case SNMP.

I am using range 8.2.3.0/27 on the firewall, which is not configured on any interface.

Does it make sense now?

Re: ASA NAT issue

I hate to say it Vl@d@Ni, but I'm actually a little more confused than when we started. I lose you around "SNMP dev is not presented with the real up to R1."

Where exactly is your NAT translation failing? Are you saying that the SNMP server (on the right) is receiving the SNMP requests but translation is failing on the way back? Do you know why addresses are translating to a Null interface? Is this by design? Can you post more of your config, including all your NAT rules?

Beginner

Re: ASA NAT issue

As per my understanding, you want to achieve R1 from source (169.254.0.1) trying to send SNMP data (UDP ports 161 & 162) to 8.2.3.1 that should land on SERVER (10.10.0.1).

If I am correct, this is what it should look like according to your diagram and my understanding. (The nat lines use the same interface names INT and EXT that are configured on the interfaces below; the ASA rejects a nat rule that names an interface that does not exist.)

!
interface GigabitEthernet0/0
 nameif INT
 security-level 100
 ip address 172.16.0.1 255.255.255.252
!
interface GigabitEthernet0/1
 nameif EXT
 security-level 0
 ip address 172.17.0.1 255.255.255.252
!
route EXT 10.10.0.0 255.255.0.0 172.17.0.2
route INT 169.254.0.1 255.255.255.255 172.16.0.2
!
object network OBJ-169
 host 169.254.0.1
object network OBJ-10
 host 10.10.0.1
object network OBJ-8
 host 8.2.3.1
!
object service SNMP
 service udp destination eq 161
object service SNMPTRAP
 service udp destination eq 162
!
nat (INT,EXT) source static OBJ-169 OBJ-169 destination static OBJ-8 OBJ-10 service SNMP SNMP
nat (INT,EXT) source static OBJ-169 OBJ-169 destination static OBJ-8 OBJ-10 service SNMPTRAP SNMPTRAP
!

The static routes here are just to make sense. You can have routes from OSPF or any other dynamic routing protocol.

The other requirement is that R1 should be sending SNMP from source IP 169.254.0.1, as you mentioned in your topology diagram. If there is any change you should change it accordingly.

R1 should send any traffic destined to 8.2.3.1 to the ASA (via static or dynamic route) and R2 should send any traffic destined to 169.254.0.1 to the ASA (via static or dynamic route).

If you still have a problem, please provide:

show run interface EXT
show run interface INT
show route
show nat detail
show run object

HTH
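A verification block, added here as an editor's example; it is not part of any reply in this thread. It assumes the interface names INT (towards R1) and EXT (towards SERVER1) from the reply above and reuses the object names from the original post; the object NET_8.2.3.1 and the service object SNMP-UDP are added names. The log line in the original post shows a packet from 169.254.0.1 to 8.2.3.1 port 161, while the posted rule only matches destination 80.223.123.161 and the SSH service object (TCP/22), so that packet never hits the rule and falls through to a plain route lookup on 8.2.3.1, which is what the "Failed to locate egress interface" message reports. The rule below keeps the real source range, rewrites only the destination, and is followed by the packet-tracer check that shows whether the rule and the egress interface line up:

```cisco
! Objects: the source range and SERVER1 are from the original post;
! NET_8.2.3.1 and SNMP-UDP are names added for this example.
object network MGMT_169.254.0.0_18
 range 169.254.0.1 169.254.64.254
object network SERVER1
 host 10.10.0.1
object network NET_8.2.3.1
 host 8.2.3.1
object service SNMP-UDP
 service udp destination eq 161
!
! Twice NAT (section 1 rule, evaluated before object NAT): the real source stays
! in 169.254.0.0/18, the mapped destination 8.2.3.1 becomes the real 10.10.0.1,
! and only for UDP/161. INT and EXT are the assumed nameifs from the reply above;
! a matching twice-NAT rule also fixes the egress interface to EXT, so the
! Null0 route for 8.2.3.0/28 is never consulted for this flow.
nat (INT,EXT) source static MGMT_169.254.0.0_18 MGMT_169.254.0.0_18 destination static NET_8.2.3.1 SERVER1 service SNMP-UDP SNMP-UDP
!
! Check 1: replay the exact flow from the log line (source port 52464 is taken from it).
! With the rule in place, the output contains an UN-NAT phase that rewrites
! 8.2.3.1/161 to 10.10.0.1/161 and ends with output-interface: EXT.
! Without a matching rule, the trace stops at the route lookup on 8.2.3.1,
! which is the condition behind "Failed to locate egress interface".
packet-tracer input INT udp 169.254.0.1 52464 8.2.3.1 161 detailed
!
! Check 2: confirm the rule is installed and its hit counter moves, then look for the xlate.
show nat detail
show xlate
```

Two caveats: the original log line reports the protocol as TCP, so if R1 really does speak TCP to port 161 the service object must read `service tcp destination eq 161` instead (a UDP service object will not match a TCP packet); and if the rule must also key on a source port, the service object can carry both, for example `service udp source range 1024 65535 destination eq 161`, with the same object given for the real and mapped service.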