Cannot Get Static NAT Working

iglablues
Level 1

I'm prepping to put a 5545-X in to replace a 5505. The 5505 was running pre-8.3, and our new one is running 9.1. I have been trying to do the most basic thing I thought possible (statically NAT'ing an internal server) and have had zero success. Can someone take a look at my config and offer up some opinions on what I'm doing wrong? I've tried via CLI and ASDM and gotten nowhere fast. I have set up a test subnet and server that I've been trying to work with since I don't want to affect current production traffic. The internal server IP is 172.16.10.5, and the public IP I will use here is 2.3.4.5. 

I created a bunch of objects to use in the configs. Here are the relevant ones to my testing:

object network vpn_clients
 range 172.16.10.10 172.16.10.255
object service http
 service tcp destination eq www 
object network public-test-ip
 host 2.3.4.5
object network test
 subnet 172.16.10.0 255.255.255.0
object network test-server
 host 172.16.10.5
 description test for outside access

I created the post-8.2 equivalent of nonat for vpn clients going to an object-group I called internal_subnet, which is made up of all the internal subnets including the test network.


nat (inside,outside) source static vpn_clients vpn_clients destination static internal_subnet internal_subnet no-proxy-arp route-lookup
nat (outside,inside) source static vpn_clients vpn_clients destination static internal_subnet internal_subnet no-proxy-arp route-lookup
!

Dynamic PAT for internal users to access the internet via the outside interface's IP, and a static NAT for the test web server:


object network cage1
 nat (inside,outside) dynamic interface
object network cage2
 nat (inside,outside) dynamic interface
object network test
 nat (test,outside) dynamic interface
object network test-server
 nat (test,outside) static public-test-ip


I cannot access the web server from outside. I ran packet-tracer:

packet-tracer input outside tcp 216.58.219.228 http 2.3.4.5 http detailed

Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
object network test-server
 nat (test,outside) static public-test-ip
Additional Information:
NAT divert to egress interface test
Untranslate 2.3.4.5/80 to 172.16.10.5/80


Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside_access_in in interface outside
access-list outside_access_in extended permit tcp any object test-server eq www 
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7ffed04e1fc0, priority=13, domain=permit, deny=false
hits=31, user_data=0x7ffec763a680, cs_id=0x0, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=172.16.10.5, mask=255.255.255.255, port=80, tag=0, dscp=0x0
        input_ifc=outside, output_ifc=any

Phase: 3
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7ffece8da2b0, priority=0, domain=nat-per-session, deny=false
hits=353197, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=any, output_ifc=any

Phase: 4
Type: IP-OPTIONS
Subtype: 
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7ffecf682e80, priority=0, domain=inspect-ip-options, deny=true
hits=304458, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=outside, output_ifc=any


Phase: 5
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7ffecffd6450, priority=13, domain=ipsec-tunnel-flow, deny=true
hits=100011, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=outside, output_ifc=any


Phase: 6
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
object network test-server
 nat (test,outside) static public-test-ip
Additional Information:
 Forward Flow based lookup yields rule:
 out id=0x7ffecf755ba0, priority=6, domain=nat-reverse, deny=false
hits=32, user_data=0x7ffed01db480, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=172.16.10.5, mask=255.255.255.255, port=0, tag=0, dscp=0x0
input_ifc=outside, output_ifc=test


Phase: 7
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
 Reverse Flow based lookup yields rule:
 in  id=0x7ffece8da2b0, priority=0, domain=nat-per-session, deny=false
hits=353199, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=any, output_ifc=any


Phase: 8
Type: IP-OPTIONS
Subtype: 
Result: ALLOW 
Config:
Additional Information:
 Reverse Flow based lookup yields rule:
 in  id=0x7ffed03854d0, priority=0, domain=inspect-ip-options, deny=true
hits=2495, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=test, output_ifc=any


Phase: 9
Type: FLOW-CREATION
Subtype: 
Result: ALLOW
Config:
Additional Information:
New flow created with id 153896, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_translate
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat  

Module information for reverse flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_tcp_normalizer
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat


Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: test
output-status: up
output-line-status: up
Action: allow

To me that looks like I should be able to hit my web server. I did a reverse trace from the local address of 172.16.10.5 to a public IP (I used one of Google's) and verified that traffic out should work as well from this host. I don't see what I'm missing. I'd appreciate your input. 

Thank you. 

2 Replies
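When a trace like the one above is run for several source/destination pairs, it helps to have something that reads the output mechanically and reports the verdict, the UN-NAT translation and the first phase that is not ALLOW. The script below is an added example, not from the original post or from Cisco; the two traces embedded in it are constructed here in the shape of the output shown above (same placeholder addresses and object names), and the DROP variant is what an inbound packet with no matching permit on the outside ACL looks like.

```python
"""Summarize Cisco ASA 'packet-tracer ... detailed' output phase by phase.

Added example, not from the original post. The traces below are constructed in the
shape of the output shown in the thread (same placeholder addresses and object
names); the DROP variant shows what an ACL miss looks like.
"""
import re

PHASE1 = """\
Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
object network test-server
 nat (test,outside) static public-test-ip
Additional Information:
NAT divert to egress interface test
Untranslate 2.3.4.5/80 to 172.16.10.5/80

"""
SAMPLE_ALLOW = PHASE1 + """\
Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside_access_in in interface outside
access-list outside_access_in extended permit tcp any object test-server eq www
Additional Information:

Result:
output-interface: test
Action: allow
"""
SAMPLE_DROP = PHASE1 + """\
Phase: 2
Type: ACCESS-LIST
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
output-interface: test
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""
PHASE_RE = re.compile(r"^Phase:\s*(\d+)\s*$", re.M)
FINAL_RE = re.compile(r"^(output-interface|Action|Drop-reason):\s*(.*)$", re.M)
UNNAT_RE = re.compile(r"^Untranslate\s+(\S+)\s+to\s+(\S+)", re.M)


def parse_phases(text):
    """One dict per 'Phase:' block: number, type, subtype, result, Config: and Additional Information: lines."""
    phases = []
    chunks = PHASE_RE.split(text)[1:]                       # [num, body, num, body, ...]
    for num, body in zip(chunks[0::2], chunks[1::2]):
        body = re.split(r"\nResult:\s*\n", body, maxsplit=1)[0]   # cut off the final Result block
        ph = {"phase": int(num), "type": "", "subtype": "", "result": "", "config": [], "info": []}
        section = None
        for line in body.splitlines():
            s = line.strip()
            key, _, val = s.partition(":")
            if section is None and key in ("Type", "Subtype", "Result"):
                ph[key.lower()] = val.strip().upper() if key == "Result" else val.strip()
            elif s in ("Config:", "Additional Information:"):
                section = "config" if s == "Config:" else "info"
            elif s and section:
                ph[section].append(s)
        phases.append(ph)
    return phases


def summarize(text):
    """Final verdict, the UN-NAT translation, and the first phase that is not ALLOW."""
    phases = parse_phases(text)
    final = {k: v.strip() for k, v in FINAL_RE.findall(text)}
    m = UNNAT_RE.search(text)
    failed = [p for p in phases if p["result"] != "ALLOW"]
    return {"action": final.get("Action", "").lower(),
            "output_ifc": final.get("output-interface", ""),
            "drop_reason": final.get("Drop-reason", ""),
            "untranslate": (m.group(1), m.group(2)) if m else None,
            "phases": [(p["phase"], p["type"], p["result"]) for p in phases],
            "first_failure": failed[0] if failed else None}


def check_trace(text, expect_egress, expect_real_ip):
    """Everything that differs from a working inbound static NAT: allowed, un-NATed to the real host, right egress."""
    s, problems = summarize(text), []
    if s["action"] != "allow":
        f = s["first_failure"]
        where = f"at phase {f['phase']} ({f['type']}, {' '.join(f['config']) or 'no config'})" if f else "by the ASA"
        problems.append(f"dropped {where}: {s['drop_reason'] or 'no drop reason given'}")
    if s["untranslate"] is None:
        problems.append("no UN-NAT phase: the static NAT rule did not match this packet")
    elif s["untranslate"][1].split("/")[0] != expect_real_ip:
        problems.append(f"un-NAT went to {s['untranslate'][1]}, expected {expect_real_ip}")
    if s["output_ifc"] != expect_egress:
        problems.append(f"egress interface is {s['output_ifc']!r}, expected {expect_egress!r}")
    return problems
```

`check_trace(SAMPLE_ALLOW, "test", "172.16.10.5")` returns an empty list, which is the same conclusion the poster drew by eye: the ASA un-NATs 2.3.4.5 to the real host, the outside ACL permits it, and the flow is created toward the test interface. For the DROP variant it names the phase and the `Drop-reason`, which is the line to read first whenever a trace ends in `Action: drop`. A clean trace only proves the ASA's own policy; it says nothing about whether the server answers, which is why the reply below asks about a host firewall.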

iglablues
Level 1

I'm pasting my entire config in case the snippets above aren't enough info/are too disjointed. 

ASA Version 9.2(2)4 
!
hostname internap-5545
domain-name company.com
enable password ******* encrypted
passwd ******* encrypted
names
ip local pool Remote_Users 172.16.10.10-172.16.10.254 mask 255.255.255.0
!
interface GigabitEthernet0/4
 nameif test
 security-level 100
 ip address 172.16.10.1 255.255.255.0 
!

interface Management0/0
 management-only
 nameif management
 security-level 100
 ip address 172.16.2.2 255.255.255.0 
!
interface Redundant1
 member-interface GigabitEthernet0/0
 member-interface GigabitEthernet0/2
 nameif outside
 security-level 0
 ip address 2.3.4.4 255.255.255.192 
!
interface Redundant2
 member-interface GigabitEthernet0/1
 member-interface GigabitEthernet0/3
 shutdown
 nameif inside
 security-level 100
 ip address 10.50.10.2 255.255.0.0 
!

dns domain-lookup outside
dns domain-lookup test
dns server-group DefaultDNS
 name-server 10.51.20.254
 name-server 192.168.1.18
 domain-name company.com
same-security-traffic permit intra-interface
object network staging-server
 host 10.50.151.24
object network netboot
 host 10.50.159.10
object network office
 subnet 192.168.1.0 255.255.255.0
object network cage1
 subnet 10.50.0.0 255.255.0.0
object network cage2
 subnet 10.51.0.0 255.255.0.0
object network ipmi-1
 subnet 172.16.1.0 255.255.255.0
object network ipmi-2
 subnet 172.16.2.0 255.255.255.0
object network vpn_clients
 range 172.16.10.10 172.16.10.255
object service http
 service tcp destination eq www 
object network public-test-ip
 host 2.3.4.5
object network test
 subnet 172.16.10.0 255.255.255.0
object network test-server
 host 172.16.10.5
 description test for outside access
object-group network internal_subnet
 network-object object office
 network-object object cage1
 network-object object ipmi-1
 network-object object ipmi-2
 network-object object test
 network-object object cage2
access-list l2l-crypt extended permit ip object-group internal_subnet object office
access-list outside_access_in extended permit tcp any object test-server eq www 
access-list split_tunnel standard permit 10.50.0.0 255.255.0.0 
access-list split_tunnel standard permit 10.51.0.0 255.255.0.0 
access-list split_tunnel standard permit 172.16.1.0 255.255.255.0 
access-list split_tunnel standard permit 172.16.2.0 255.255.255.0 
access-list split_tunnel standard permit 192.168.0.0 255.255.0.0 
access-list split_tunnel standard permit 172.16.10.0 255.255.255.

nat (inside,outside) source static internal_subnet internal_subnet destination static office office no-proxy-arp route-lookup
nat (inside,outside) source static vpn_clients vpn_clients destination static internal_subnet internal_subnet no-proxy-arp route-lookup
nat (outside,inside) source static vpn_clients vpn_clients destination static internal_subnet internal_subnet no-proxy-arp route-lookup
!
object network cage1
 nat (inside,outside) dynamic interface
object network cage2
 nat (inside,outside) dynamic interface
object network test
 nat (test,outside) dynamic interface
object network test-server
 nat (test,outside) static public-test-ip
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 2.3.4.12 1
route test 10.51.0.0 255.255.0.0 172.16.10.2 1
route management 172.16.1.0 255.255.255.0 172.16.2.1 1

Everything looks OK at first glance.  Are you sure that there is no firewall set up on your test server that would be blocking inbound port 80?
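Before blaming the host, the NAT and ACL side of a post-8.3 config can be checked mechanically for the three things that most often bite people coming from pre-8.3: the mapped address must lie inside the subnet of the mapped-side interface (otherwise the ASA will not proxy-ARP for it and the upstream router needs a route), an access-group must be bound inbound on that interface (traffic from security level 0 into a higher level is denied without one), and the permit entries must name the real address, not the mapped one. The lint below is an added example, not the poster's config or any Cisco tool; `CONFIG` is a constructed excerpt in the shape of the config above, with the same placeholder addresses and object names.

```python
"""Lint the post-8.3 pieces of an ASA config that an inbound static NAT depends on.

Added example, not from the thread. CONFIG is a constructed excerpt in the shape
of the poster's config (same placeholder addresses and names). For every host
object with a static NAT it checks that the mapped address lies inside the subnet
of the mapped-side interface (so the ASA proxy-ARPs for it), that an access-group
is bound inbound on that interface, and that its permit entries match the real
address rather than the mapped one, which is the post-8.3 rule.
"""
import ipaddress
import re

CONFIG = """\
interface Redundant1
 nameif outside
 security-level 0
 ip address 2.3.4.4 255.255.255.192
interface GigabitEthernet0/4
 nameif test
 security-level 100
 ip address 172.16.10.1 255.255.255.0
object network public-test-ip
 host 2.3.4.5
object network test-server
 host 172.16.10.5
access-list outside_access_in extended permit tcp any object test-server eq www
object network test-server
 nat (test,outside) static public-test-ip
access-group outside_access_in in interface outside
"""

ADDR = r"(?:any|host \S+|object \S+|object-group \S+)"
ACE_RE = re.compile(rf"access-list (\S+) extended (permit|deny) (\S+) ({ADDR}) ({ADDR})(?: eq (\S+))?")
NAT_RE = re.compile(r"nat \((\S+),(\S+)\) static (\S+)")


def parse(config):
    """Interfaces keyed by nameif, network objects by name, ACEs, and access-group bindings."""
    ifaces, objects, aces, bindings = {}, {}, [], {}
    cur = None                                   # dict for the current indented block
    for line in config.splitlines():
        if not line.strip():
            continue
        if not line.startswith(" "):             # a new top-level statement
            cur = None
            m = ACE_RE.match(line)
            if line.startswith("interface "):
                cur = {}                         # stored under its nameif below
            elif line.startswith("object network "):
                cur = objects.setdefault(line.split()[2], {})   # objects may be re-entered for nat
            elif m:
                aces.append(dict(zip(("acl", "action", "proto", "src", "dst", "port"), m.groups())))
            elif line.startswith("access-group "):
                p = line.split()                 # access-group NAME in interface IFC
                bindings[p[4]] = p[1]
            continue
        tok = line.split()
        if cur is None:
            continue
        if tok[0] == "nameif":
            ifaces[tok[1]] = cur
        elif tok[:2] == ["ip", "address"]:
            cur["network"] = ipaddress.ip_network(f"{tok[2]}/{tok[3]}", strict=False)
        elif tok[0] == "host":
            cur["host"] = tok[1]
        elif tok[0] == "nat" and NAT_RE.match(line.strip()):
            cur["nat"] = NAT_RE.match(line.strip()).groups()   # (real_ifc, mapped_ifc, mapped_obj)
    return ifaces, objects, aces, bindings


def check_inbound_static(config):
    """Return a list of findings; an empty list means the NAT/ACL side is consistent."""
    ifaces, objects, aces, bindings = parse(config)
    findings = []
    for name, obj in objects.items():
        if "nat" not in obj or "host" not in obj:
            continue
        real_ifc, mapped_ifc, mapped_name = obj["nat"]
        real_ip, mapped_ip = obj["host"], objects.get(mapped_name, {}).get("host")
        net = ifaces.get(mapped_ifc, {}).get("network")
        if mapped_ip and net and ipaddress.ip_address(mapped_ip) not in net:
            findings.append(f"{name}: mapped {mapped_ip} is not in {mapped_ifc} subnet {net}; "
                            "the ASA will not proxy-ARP for it, so the upstream router needs a route")
        acl = bindings.get(mapped_ifc)
        if acl is None:
            findings.append(f"{name}: no access-group on {mapped_ifc}; traffic from a lower "
                            f"security level into {real_ifc} is denied by default")
            continue
        permits = [a for a in aces if a["acl"] == acl and a["action"] == "permit"]
        if any(a["dst"] in (f"object {mapped_name}", f"host {mapped_ip}") for a in permits):
            findings.append(f"{acl}: matches the mapped address {mapped_ip}; post-8.3 ACLs "
                            f"must use the real address {real_ip}")
        if not any(a["dst"] in ("any", f"object {name}", f"host {real_ip}") for a in permits):
            findings.append(f"{acl}: no permit for the real address {real_ip} (object {name})")
    return findings
```

Run against the constructed excerpt, `check_inbound_static(CONFIG)` returns no findings, which agrees with the reply: 2.3.4.5 sits inside 2.3.4.0/26 on the outside interface, the ACL is bound, and it permits `object test-server` (the real address) rather than `public-test-ip`. Swapping the ACE to the mapped object reproduces the classic pre-8.3 habit and is reported, as is a mapped address outside the interface subnet. With the ASA side consistent, the remaining checks are on the server itself (its host firewall and that its default gateway is the ASA's test interface address) rather than in the NAT rules.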
