ASA NAT Strange ISSUE

I have configured 2 ISPs on an ASA 5505, which uses IP SLA to track the internet connection. Following is the static NAT configuration:

static (inside,outside) tcp ISPA_Second_IP 3389 Jonas 3389 netmask 255.255.255.255
static (inside,outside) tcp ISPA_Third_IP 3389 192.168.10.7 3389 netmask 255.255.255.255
static (inside,outside) tcp ISPA_Third_IP 9983 192.168.10.20 3389 netmask 255.255.255.255
static (inside,outside) tcp ISPA_FIRST_IP smtp Exchange smtp netmask 255.255.255.255
static (inside,outside) tcp ISPA_FIRST_IP 3389 Exchange 3389 netmask 255.255.255.255
static (inside,outside) udp ISPA_Second_IP 1434 Jonas 1434 netmask 255.255.255.255
static (inside,outside) tcp ISPA_Second_IP ftp Jonas ftp netmask 255.255.255.255
static (inside,outside) tcp ISPA_Second_IP 1433 Exchange 1433 netmask 255.255.255.255
static (inside,outside) tcp ISPA_Second_IP 1434 Exchange 1434 netmask 255.255.255.255
static (inside,outside) tcp ISPA_Second_IP 50000 192.168.10.200 50000 netmask 255.255.255.255
static (inside,outside) tcp ISPA_Second_IP 5001 192.168.10.200 5001 netmask 255.255.255.255
static (inside,outside) tcp ISPA_Second_IP 8192 192.168.10.202 8192 netmask 255.255.255.255
static (inside,WAN_Failover) tcp ISPB_First_IP https Exchange https netmask 255.255.255.255
static (inside,WAN_Failover) tcp ISPB_Second_IP 3389 Jonas 3389 netmask 255.255.255.255
static (inside,WAN_Failover) tcp ISPB_third_IP 3389 192.168.10.7 3389 netmask 255.255.255.255
static (inside,WAN_Failover) tcp ISPB_third_IP 9983 192.168.10.20 3389 netmask 255.255.255.255
static (inside,WAN_Failover) tcp ISPB_First_IP smtp Exchange smtp netmask 255.255.255.255
static (inside,WAN_Failover) tcp ISPB_First_IP 3389 Exchange 3389 netmask 255.255.255.255
static (inside,WAN_Failover) udp ISPB_Second_IP 1434 Jonas 1434 netmask 255.255.255.255
static (inside,WAN_Failover) tcp ISPB_Second_IP ftp Jonas ftp netmask 255.255.255.255
static (inside,WAN_Failover) tcp ISPB_Second_IP 1433 Exchange 1433 netmask 255.255.255.255
static (inside,WAN_Failover) tcp ISPB_Second_IP 1434 Exchange 1434 netmask 255.255.255.255
static (inside,WAN_Failover) tcp ISPB_Second_IP 50000 192.168.10.200 50000 netmask 255.255.255.255
static (inside,WAN_Failover) tcp ISPB_Second_IP 5001 192.168.10.200 5001 netmask 255.255.255.255
static (inside,WAN_Failover) tcp ISPB_Second_IP 8192 192.168.10.202 8192 netmask 255.255.255.255
static (inside,outside) tcp ISPA_FIRST_IP www Exchange www netmask 255.255.255.255
static (inside,outside) tcp ISPA_FIRST_IP https Exchange https netmask 255.255.255.255


I have configured the ISPA first IP to port 80 of Exchange, as you can see, but that doesn't seem to work. All NAT configs were duplicated, which means that if the Exchange server is PATed to ISP_A it is also PATed to ISP_B at the same time; right now I have removed the ISP_B rule for Exchange just for troubleshooting purposes.

packet-tracer input outside tcp 4.2.2.2 80 ISPA_First_IP 80

Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
static (inside,outside) tcp ISPA_First_IP www Exchange www netmask 255.255.255.255
  match tcp inside host Exchange eq 80 outside any
    static translation to ISPA_First_IP/80
    translate_hits = 0, untranslate_hits = 5
Additional Information:
NAT divert to egress interface inside
Untranslate ISPA_First_IP/80 to Exchange/80 using netmask 255.255.255.255

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         outside

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inbound in interface outside
access-list inbound extended permit tcp any host ISPA_First_IP eq www
Additional Information:

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: FOVER
Subtype: standby-update
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: HOST-LIMIT
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
static (inside,outside) tcp ISPA_First_IP www Exchange www netmask 255.255.255.255
  match tcp inside host Exchange eq 80 outside any
    static translation to ISPA_First_IP/80
    translate_hits = 0, untranslate_hits = 5
Additional Information:

Phase: 8
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (inside,outside) tcp ISPA_First_IP smtp Exchange smtp netmask 255.255.255.255
  match tcp inside host Exchange eq 25 outside any
    static translation to ISPA_First_IP/25
    translate_hits = 1, untranslate_hits = 0
Additional Information:

Phase: 9
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 10
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 8137, packet dispatched to next module

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: allow


I can't access that server from outside, but as you can see in the packet-tracer output, Phase 7 shows port 80 while Phase 8 shows SMTP, which is quite strange.

Is that a hardware issue?
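As an added illustration (not from the post, and not a Cisco tool), a small Python parser that pulls the phase type and the "static translation to" target out of packet-tracer output and flags any NAT phase whose translation differs from the UN-NAT phase's, which is exactly the port-80 versus SMTP discrepancy noted above. The sample input is constructed from the trace in the post, abbreviated to the lines the parser reads.

```python
import re

# Constructed sample, abbreviated from the packet-tracer output in the post
# above to the lines this parser reads (Phases 1, 7 and 8).
SAMPLE = """\
Phase: 1
Type: UN-NAT
Subtype: static
    static translation to ISPA_First_IP/80
Phase: 7
Type: NAT
Subtype: rpf-check
    static translation to ISPA_First_IP/80
Phase: 8
Type: NAT
Subtype: host-limits
    static translation to ISPA_First_IP/25
"""

FIELD_RE = re.compile(r"^(Phase|Type|Subtype):\s*(.*)$")
XLATE_RE = re.compile(r"static translation to (\S+/\d+)")


def parse_phases(text):
    """One dict per phase: number, type, subtype and translation target."""
    phases = []
    for line in text.splitlines():
        f = FIELD_RE.match(line)
        if f and f.group(1) == "Phase":
            phases.append({"phase": f.group(2).strip()})
        elif f and phases:
            phases[-1][f.group(1).lower()] = f.group(2).strip()
        elif phases and (x := XLATE_RE.search(line)):
            # Indented "static translation to <ip>/<port>" line of a NAT phase
            phases[-1]["xlate"] = x.group(1)
    return phases


def nat_inconsistencies(text):
    """NAT phases whose translation target differs from the UN-NAT phase's."""
    phases = parse_phases(text)
    unnat = next((p for p in phases if p.get("type") == "UN-NAT"), None)
    if unnat is None:
        return []
    return [
        f"phase {p['phase']} ({p.get('subtype')}): {p.get('xlate')} != {unnat.get('xlate')}"
        for p in phases
        if p.get("type") == "NAT" and p.get("xlate") != unnat.get("xlate")
    ]
```

Run `nat_inconsistencies(SAMPLE)` to get the single mismatch from the trace above; an empty list means every NAT phase agreed with the UN-NAT lookup.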


varrao
Level 10

Take captures on the ingress and egress interfaces; it would tell you which side is not responding.

https://supportforums.cisco.com/docs/DOC-17814

Thanks,
Varun Rao
Security Team,
Cisco TAC
