ASA PBR and static NAT

Jacob Zartmann
Level 1

Hi,

I'm trying to find out how to use PBR in conjunction with static NAT. I'm able to make it work with Dynamic PAT, but not static NAT...

Trouble

6 Oct 05 2016 08:47:42 110003 195.41.2.20 80 2.2.2.2 28641 Routing failed to locate next hop for TCP from new-dmz:195.41.2.20/80 to outside:2.2.2.2/28641

Configuration

!
interface GigabitEthernet0/0
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/0.2
vlan 2
nameif outside
security-level 0
ip address 195.41.2.4 255.255.255.0
!
interface GigabitEthernet0/0.10
vlan 10
nameif dmz
security-level 50
ip address 100.100.10.2 255.255.255.0
policy-route route-map dmz-pbr
!
interface GigabitEthernet0/0.20
vlan 20
nameif new-dmz
security-level 50
ip address 100.100.20.2 255.255.255.0
policy-route route-map new-dmz-pbr
!
same-security-traffic permit inter-interface
!
object network dmz
subnet 172.16.25.0 255.255.255.0
!
object network new-dmz
subnet 172.24.0.0 255.255.255.0
!
object network 172.16.25.1
host 172.16.25.1
!
object network 195.41.2.10
host 195.41.2.10
!
object network 172.24.0.1
host 172.24.0.1
!
object network 195.41.2.20
host 195.41.2.20
!
object-group network rfc1918
network-object 10.0.0.0 255.0.0.0
network-object 172.16.0.0 255.240.0.0
network-object 192.168.0.0 255.255.0.0
!
access-list dmz-pbr extended deny ip object dmz object-group rfc1918
access-list dmz-pbr extended permit ip object dmz any
!
access-list new-dmz-pbr extended deny ip object new-dmz object-group rfc1918
access-list new-dmz-pbr extended permit ip object new-dmz any
!
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended permit tcp any object 172.16.25.1 eq www
access-list outside_access_in extended permit tcp any object 172.24.0.1 eq www
!
access-group outside_access_in in interface outside
!
object network dmz
nat (dmz,outside) dynamic interface
object network new-dmz
nat (new-dmz,outside) dynamic interface
object network 172.16.25.1
nat (dmz,outside) static 195.41.2.10
object network 172.24.0.1
nat (new-dmz,outside) static 195.41.2.20
access-group outside_access_in in interface outside
!
route-map dmz-pbr permit 10
match ip address dmz-pbr
set ip next-hop 195.41.2.1
!
route-map new-dmz-pbr permit 10
match ip address new-dmz-pbr
set ip next-hop 195.41.2.1
!
route dmz 172.16.25.0 255.255.255.0 100.100.10.1 1
route new-dmz 172.24.0.0 255.255.255.0 100.100.20.1 1
!

Verification

R1#telnet 172.16.25.1 80 /vrf new-dmz /source-interface lo20
Trying 172.16.25.1, 80 ... Open

R1#ping vrf dmz 2.2.2.2 source lo10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
Packet sent with a source address of 172.16.25.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/5/9 ms
R1#

R1#ping vrf new-dmz 2.2.2.2 source lo20
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
Packet sent with a source address of 172.24.0.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/5/8 ms
R1#

asa-pbr-test# packet-tracer input outside tcp 2.2.2.2 1234 195.41.2.20 80

Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
object network 172.24.0.1
nat (new-dmz,outside) static 195.41.2.20
Additional Information:
NAT divert to egress interface new-dmz
Untranslate 195.41.2.20/80 to 172.24.0.1/80

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside_access_in in interface outside
access-list outside_access_in extended permit tcp any object 172.24.0.1 eq www
Additional Information:

Phase: 3
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: QOS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
object network 172.24.0.1
nat (new-dmz,outside) static 195.41.2.20
Additional Information:

Phase: 7
Type: QOS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 9
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 10
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 122, packet dispatched to next module

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: new-dmz
output-status: up
output-line-status: up
Action: allow

asa-pbr-test#

Any suggestions are greatly appreciated. I actually need this on a production network.

Thanks.

Regards,

/JZ

1 Reply

Jacob Zartmann
Level 1

Hi,

OK. I believe I found a solution. Not a nice one in my opinion.

Create a default route with a higher metric (AD for R&S people like me). This will actually be used even though not installed in the routing table.

I've also seen this "feature" with AnyConnect where you tie a group to a certain interface and create a default route out that interface with a higher metric (AD!).

So the solution was:

route outside 0.0.0.0 0.0.0.0 195.41.2.1 2

Thanks,

/JZ
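A small diagnostic for this class of event, added here as an example and not part of the thread or of any Cisco tool: it parses the 110003 syslog line quoted above against the posted config, maps the translated source (195.41.2.20) back to the real host and interface behind the static NAT, and lists which configured routes cover the destination. With only the two connected-subnet routes that list is empty; once the default route from the reply is appended to the config it is no longer empty.

```python
import re
import ipaddress
# Constructed sample input: the relevant ASA config lines and the 110003
# syslog message quoted in the thread.
CONFIG = """
object network 172.24.0.1
 host 172.24.0.1
object network 172.24.0.1
 nat (new-dmz,outside) static 195.41.2.20
route dmz 172.16.25.0 255.255.255.0 100.100.10.1 1
route new-dmz 172.24.0.0 255.255.255.0 100.100.20.1 1
"""
SYSLOG = ("6 Oct 05 2016 08:47:42 110003 195.41.2.20 80 2.2.2.2 28641 Routing failed "
          "to locate next hop for TCP from new-dmz:195.41.2.20/80 to outside:2.2.2.2/28641")
MSG_RE = re.compile(r"110003 .*?Routing failed to locate next hop for (\w+) "
                    r"from ([\w-]+):([\d.]+)/(\d+) to ([\w-]+):([\d.]+)/(\d+)")

def parse_config(text):
    """Collect static NAT (mapped -> (real host, real interface)) and static routes."""
    hosts, statics, routes, current = {}, {}, [], None
    for line in (l.strip() for l in text.splitlines()):
        if m := re.match(r"object network (\S+)$", line):
            current = m.group(1)
        elif m := re.match(r"host (\S+)$", line):
            hosts[current] = m.group(1)
        elif m := re.match(r"nat \(([\w-]+),([\w-]+)\) static (\S+)$", line):
            statics[m.group(3)] = (hosts.get(current, current), m.group(1))
        elif m := re.match(r"route ([\w-]+) (\S+) (\S+) (\S+) (\d+)$", line):
            net = ipaddress.ip_network(f"{m.group(2)}/{m.group(3)}", strict=False)
            routes.append({"iface": m.group(1), "net": net, "next_hop": m.group(4),
                           "metric": int(m.group(5))})
    return statics, routes

def parse_110003(line):
    """Extract protocol, interfaces and endpoints; None if this is not a 110003 message."""
    if not (m := MSG_RE.search(line)):
        return None
    proto, in_if, src, sport, out_if, dst, dport = m.groups()
    return {"proto": proto, "in_if": in_if, "src": src, "sport": int(sport),
            "out_if": out_if, "dst": dst, "dport": int(dport)}

def diagnose(line, config_text):
    """Map the translated source back to its real host and list routes covering the destination."""
    if (ev := parse_110003(line)) is None:
        return None
    statics, routes = parse_config(config_text)
    ev["real_host"], ev["real_iface"] = statics.get(ev["src"], (None, None))
    dst = ipaddress.ip_address(ev["dst"])
    ev["routes_covering_dst"] = [r["net"].with_netmask for r in routes if dst in r["net"]]
    return ev
```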
