483 Views | 0 Helpful | 2 Replies

Nat Issue??

Steven Williams
Level 4

IN-ASA5510-01-03001# packet-tracer input DMZ tcp 10.100.22.100 4562 192.168.106.110 443 detail

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0xab888a18, priority=1, domain=permit, deny=false
hits=2127, user_data=0x0, cs_id=0x0, l3_type=0x8
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0000.0000.0000

Phase: 2
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 192.168.106.0 255.255.255.0 DMZ

Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group DMZ_access_in in interface DMZ
access-list DMZ_access_in extended permit tcp any host 192.168.106.110 eq https
access-list DMZ_access_in remark Rules for DMZ Server to access Internal and External resources
access-list DMZ_access_in remark 192.168.106.51 - Test
access-list DMZ_access_in remark 192.168.106.19 - TMG
access-list DMZ_access_in remark 192.168.106.110 - Kemp
Additional Information:
Forward Flow based lookup yields rule:
in id=0xb2bb7228, priority=12, domain=permit, deny=false
hits=3, user_data=0xa89d5f40, cs_id=0x0, flags=0x0, protocol=6
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=192.168.106.110, mask=255.255.255.255, port=443, dscp=0x0

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xab88b690, priority=0, domain=permit-ip-option, deny=true
hits=21390, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 6
Type:
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xae062e08, priority=17, domain=flow-export, deny=false
hits=918, user_data=0xade42538, cs_id=0x0, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 7
Type: NAT-EXEMPT
Subtype:
Result: ALLOW
Config:
nat-control
match ip DMZ 10.0.0.0 255.0.0.0 DMZ any
NAT exempt
translate_hits = 1, untranslate_hits = 0
Additional Information:
Forward Flow based lookup yields rule:
in id=0xabc03ed0, priority=6, domain=nat-exempt, deny=false
hits=0, user_data=0xabc03e10, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip=10.0.0.0, mask=255.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 8
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
nat (DMZ) 0 0.0.0.0 0.0.0.0
nat-control
match ip DMZ any OUTSIDE any
no translation group, implicit deny
policy_hits = 1
Additional Information:
Forward Flow based lookup yields rule:
in id=0xab9cbe70, priority=0, domain=host, deny=false
hits=42128, user_data=0xab9cba58, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 9
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
nat (DMZ) 1 192.168.106.0 255.255.255.0
nat-control
match ip DMZ 192.168.106.0 255.255.255.0 DMZ any
dynamic translation to pool 1 (No matching global)
translate_hits = 0, untranslate_hits = 0
Additional Information:
Forward Flow based lookup yields rule:
out id=0xabc068a0, priority=1, domain=nat-reverse, deny=false
hits=5, user_data=0xabc06630, cs_id=0x0, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=192.168.106.0, mask=255.255.255.0, port=0, dscp=0x0

Result:
input-interface: DMZ
input-status: up
input-line-status: up
output-interface: DMZ
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

IN-ASA5510-01-03001#

I have a server (192.168.106.110) in the DMZ marked with security level 50. I am trying to get to it from a host on the 10.100.22.0/24 network, which will come in via the inside interface.

I have a NAT for 192.168.106.110 to a public IP. I can access the public IP from the internal network but cannot access the private IP internally.

Packet tracer shows me the output above, but I don't get where it's getting hung up.
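Reading a long packet-tracer transcript by eye is easy to get wrong, so here is an added example (not code from the original post or from Cisco) of a small Python parser for this output format. It splits the transcript into phases, returns the first phase whose Result is DROP together with the Config lines that phase matched, and flags when the final Result block reports the same input and output interface, which is the first thing to compare against where the source host really arrives before reading any NAT rule. The SAMPLE string is a constructed, abridged transcript in the same format as the one above.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample: an abridged packet-tracer transcript in the same
# layout as the one in the post (phases 1, 8 and 9 plus the Result block).
SAMPLE = """\
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0xab888a18, priority=1, domain=permit, deny=false

Phase: 8
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
nat (DMZ) 0 0.0.0.0 0.0.0.0
nat-control
match ip DMZ any OUTSIDE any
no translation group, implicit deny
policy_hits = 1
Additional Information:

Phase: 9
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
nat (DMZ) 1 192.168.106.0 255.255.255.0
nat-control
match ip DMZ 192.168.106.0 255.255.255.0 DMZ any
dynamic translation to pool 1 (No matching global)
translate_hits = 0, untranslate_hits = 0
Additional Information:
Forward Flow based lookup yields rule:
out id=0xabc068a0, priority=1, domain=nat-reverse, deny=false

Result:
input-interface: DMZ
input-status: up
input-line-status: up
output-interface: DMZ
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""


@dataclass
class Phase:
    number: int
    type: str = ""
    subtype: str = ""
    result: str = ""
    config: List[str] = field(default_factory=list)   # lines under "Config:"
    info: List[str] = field(default_factory=list)     # lines under "Additional Information:"


@dataclass
class Trace:
    phases: List[Phase]
    result: Dict[str, str]   # key/value pairs from the final "Result:" block


def parse_packet_tracer(text: str) -> Trace:
    """Split packet-tracer output into its numbered phases and the final Result block."""
    phases: List[Phase] = []
    result: Dict[str, str] = {}
    current: Optional[Phase] = None
    section = None          # "config" or "info" while inside a phase
    in_result = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Phase:"):
            current = Phase(int(line.split(":", 1)[1]))
            phases.append(current)
            section = None
            continue
        if line == "Result:":           # bare "Result:" opens the summary block
            in_result = True
            current = None
            continue
        if in_result:
            key, _, value = line.partition(":")
            result[key.strip()] = value.strip()
            continue
        if current is None:
            continue
        if line.startswith("Type:"):
            current.type = line.split(":", 1)[1].strip()
        elif line.startswith("Subtype:"):
            current.subtype = line.split(":", 1)[1].strip()
        elif line.startswith("Result:"):
            current.result = line.split(":", 1)[1].strip()
        elif line == "Config:":
            section = "config"
        elif line == "Additional Information:":
            section = "info"
        elif section == "config":
            current.config.append(line)
        elif section == "info":
            current.info.append(line)
    return Trace(phases, result)


def dropping_phase(trace: Trace) -> Optional[Phase]:
    """Return the first phase whose Result is DROP, or None if nothing dropped."""
    for p in trace.phases:
        if p.result == "DROP":
            return p
    return None


def summarize(trace: Trace) -> str:
    """Plain-text diagnosis: which phase dropped, on which config, and whether the trace hairpins."""
    notes = []
    p = dropping_phase(trace)
    if p is None:
        notes.append("no phase dropped")
    else:
        notes.append(f"dropped in phase {p.number} ({p.type}/{p.subtype or '-'}): "
                     f"{trace.result.get('Drop-reason', '')}")
        notes.extend("  config: " + c for c in p.config)
    inp = trace.result.get("input-interface")
    out = trace.result.get("output-interface")
    if inp and inp == out:
        notes.append(f"input and output interface are both {inp}: confirm the ingress "
                     f"interface given to packet-tracer matches where the source really arrives")
    return "\n".join(notes)


if __name__ == "__main__":
    print(summarize(parse_packet_tracer(SAMPLE)))
```

Feed it the full transcript (for example `parse_packet_tracer(open("trace.txt").read())`) and the summary names the dropping phase and the NAT lines it matched, so you can go straight to the rule rather than scrolling through every ALLOW phase.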

2 Replies

Hi,

The message is about reverse path. Looks like the packet is getting in through the DMZ interface and leaving through another interface.

nat (DMZ) 0 0.0.0.0 0.0.0.0
nat-control
match ip DMZ any OUTSIDE any
no translation group, implicit deny
policy_hits = 1

Probably this is causing it.

-If I helped you somehow, please, rate it as useful.-

andre.ortega
Spotlight

In old versions you have to create an exempt nat rule (also called nat 0) to allow communication between interfaces.
