ASA Twice NAT (port translation) - 8.4 in depth - Cisco Community

3612

Views

0

Helpful

1

Replies

hi all,

I have some issues with Twin PAT on ASA (8.4.2), there is sth I dont udnerstand

FTP server is on the inside and client is in outside.

I did sth like this


object network NATED-11 
 host 20.20.20.11
object network REAL-2
 host 10.200.200.2
object service SRV-FTP
 service tcp destination eq ftp 
nat (outside,inside) source static any any destination static NATED-11 REAL-2 service SRV-FTP SRV-FTP

so teoretically there should be a problem in NAT cause there is a second channel for data etc. BUT according to docs

"For applications that require application inspection for secondary channels (for example, FTP and VoIP),

the ASA automatically translates the secondary ports."

The problem is that it doesn't work at all and got the syslogs

Debug on ASA shows

ASA5510(config)# nat: untranslation - outside:20.20.20.11/21 to inside:10.200.200.2/21

nat: untranslation - outside:20.20.20.11/21 to inside:10.200.200.2/21

nat: untranslation - outside:20.20.20.11/21 to inside:10.200.200.2/21

nat: translation - outside:20.20.20.252/37924 failed - port is not found in xlate(0-0)

nat: rewriting real inside:10.200.200.2/11048, hint 20.20.20.11/0, dest outside:20.20.20.252/0 (rdip 20.20.20.252)

nat: translation - inside:10.200.200.2/40878 failed - port is not found in xlate(21-21)

nat: policy lock 0xae286618, old count is 2

nat: translation - inside:10.200.200.2/11048 to outside:20.20.20.11/28417

flow: requesting real outside:20.20.20.252/0 -> real inside:10.200.200.2/11048

nat: rewriting real inside:10.200.200.2/11048, hint 20.20.20.11/0, dest outside:20.20.20.252/0 (rdip 20.20.20.252)

nat: translation - inside:10.200.200.2/11048 to outside:20.20.20.11/28417

flow: listen real inside:10.200.200.2/11048, mapped outside:20.20.20.11/28417)

flow: hole prot 6/0, 20.20.20.252/0 -> outside:20.20.20.11/28417

nat: translation - outside:20.20.20.252/0 to inside:20.20.20.252/0

nat: untranslation - outside:20.20.20.11/28417 to inside:10.200.200.2/11048

nat: untranslation - outside:20.20.20.11/28417 to inside:10.200.200.2/11048

nat: untranslation - outside:20.20.20.11/28417 to inside:10.200.200.2/11048

nat: translation - outside:20.20.20.252/0 to inside:20.20.20.252/0

nat: rewriting real outside:20.20.20.252/22139, hint 20.20.20.252/0, dest inside:20.20.20.11/28417 (rdip 10.200.200.2)

nat: translation - outside:20.20.20.252/0 to inside:20.20.20.252/0

nat: WARNING - no port in pool -1374108800, prot 6/0, outside:20.20.20.252/22139 to inside:20.20.20.252

nat: no xlate found; ecode -> 5

nat: untranslation - outside:20.20.20.11/28417 to inside:10.200.200.2/11048

nat: untranslation - outside:20.20.20.11/28417 to inside:10.200.200.2/11048

nat: translation - outside:20.20.20.252/0 to inside:20.20.20.252/0

nat: rewriting real outside:20.20.20.252/22139, hint 20.20.20.252/0, dest inside:20.20.20.11/28417 (rdip 10.200.200.2)

nat: translation - outside:20.20.20.252/0 to inside:20.20.20.252/0

nat: WARNING - no port in pool -1374108800, prot 6/0, outside:20.20.20.252/22139 to inside:20.20.20.252

nat: no xlate found; ecode -> 5

nat: rewriting real outside:20.20.20.252/47689, hint 20.20.20.252/0, dest inside:20.20.20.11/0 (rdip 20.20.20.252)

nat: translation - outside:20.20.20.252/0 to inside:20.20.20.252/0

nat: WARNING - no port in pool -1374108800, prot 6/0, outside:20.20.20.252/47689 to inside:20.20.20.252

nat: no xlate found; ecode -> 5

nat: rewriting real outside:20.20.20.252/47689, hint 20.20.20.252/0, dest inside:20.20.20.11/0 (rdip 20.20.20.252)

nat: translation - outside:20.20.20.252/0 to inside:20.20.20.252/0

nat: ERROR - augment not requested for outside:20.20.20.252/47689 -> inside

nat: no xlate found; ecode -> 0

nat: rewriting real outside:20.20.20.252/47689, hint 20.20.20.252/0, dest inside:20.20.20.11/0 (rdip 20.20.20.252)

nat: translation - outside:20.20.20.252/0 to inside:20.20.20.252/0

nat: ERROR - augment not requested for outside:20.20.20.252/47689 -> inside

nat: no xlate found; ecode -> 0

nat: rewriting real outside:20.20.20.252/47689, hint 20.20.20.252/0, dest inside:20.20.20.11/0 (rdip 20.20.20.252)

nat: translation - outside:20.20.20.252/0 to inside:20.20.20.252/0

nat: ERROR - augment not requested for outside:20.20.20.252/47689 -> inside

nat: no xlate found; ecode -> 0

nat: rewriting real outside:20.20.20.252/47689, hint 20.20.20.252/0, dest inside:20.20.20.11/0 (rdip 20.20.20.252)

nat: translation - outside:20.20.20.252/0 to inside:20.20.20.252/0

nat: ERROR - augment not requested for outside:20.20.20.252/47689 -> inside

nat: no xlate found; ecode -> 0

To make it work I need to modify the nat rule to sth like this (translate source of client to inside inteface of ASA)


nat (outside,inside) 1 source static any interface destination static NATED-11 REAL-2 service SRV-FTP SRV-FTP

could someone explain why its not working in the first place? I JUST WANT TO KNOW

aaa I forgot to mention that both modes of FTP were tested (passive and active)

regards

1 Reply 1

ok I think I was wrong about the docs because it was regarding static nat and I used Twice

and for STATIC PAT it worked well !!! my mistake

Learn, share, save

Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.

New here? Get started with these tips. How to use Community New member guide

Log in to Community

Review Cisco Networking products for a $25 gift card