01-22-2013 10:33 AM - last edited on 03-25-2019 05:49 PM by ciscomoderator
Hi!
I need one DMZ server to access my inside network, but it does not work. I have made an access rule and the rule is working. Verified with packet tracer, packet tracer drops packet at the NAT step. The strange thing is that the NAT rule doesn't get hit at all.
Is there something wrong with the statement below?
static (inside,DMZ) DMZ-servername DMZ-servername netmask 255.255.255.255
/Lajja1234
01-22-2013 10:38 AM
Hi,
As I said in the previous thread on these forums, this is hard to troubleshoot when you don't have anything to work with.
If you don't want to share the configurations at all, I would go through all the NAT rules and look for some existing rule that would apply to the traffic between DMZ and inside.
It seemed to me that there is some conflicting NAT rule. But I can't say for sure what the specific reason is, as you don't share the "packet-tracer" output or the NAT configurations.
- Jouni
01-22-2013 11:04 AM
Hi!
I would prefer not to share the configuration. I can share only the NAT rules, but it's a big net with many NAT rules. I do not only have one DMZ, I have several. The NAT config is attached below (I have edited names and numbers).
I have removed the sensitive stuff of the packet tracer.
Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 10.1.100.0 255.255.255.0 inside
Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group DMZ_access_in in interface DMZ
access-list DMZ_access_in extended permit tcp host DMZ-server host Inside-server object-group Licensegroup
object-group service Licensegroup tcp
port-object eq 5511
port-object eq 5588
port-object eq 5555
Additional Information:
Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 5
Type: FOVER
Subtype: standby-update
Result: ALLOW
Config:
Additional Information:
Phase: 6
Type: NAT
Subtype:
Result: ALLOW
Config:
static (DMZ,inside) DMZ-server DMZ-server netmask 255.255.255.255
match ip DMZ host DMZ-server inside any
static translation to DMZ-server
translate_hits = 508, untranslate_hits = 4516
Additional Information:
Static translate DMZ-server/0 to DMZ-server/0 using netmask 255.255.255.255
Phase: 7
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (DMZ,External_wan) DMZ-server DMZ-server netmask 255.255.255.255
match ip DMZ host DMZ-server External_wan any
static translation to DMZ-server
translate_hits = 66, untranslate_hits = 0
Additional Information:
Phase: 8
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
nat (inside) 1 10.1.0.0 255.255.0.0
match ip inside 10.1.0.0 255.255.0.0 DMZ any
dynamic translation to pool 1 (No matching global)
translate_hits = 202562, untranslate_hits = 0
Additional Information:
Result:
input-interface: DMZ
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
/Lajja1234
01-22-2013 05:13 PM
Hello,
Seems like you have asymmetric NAT, the destination is self translated from DMZ to inside, and the packet is hitting the "nat (inside) 1 10.1.0.0 255.255.0.0" command.
You can fix this with NAT 0.
Example:
access-list nat0 permit ip inside_network host DMZ_Server
nat (inside) 0 access-list nat0
So the ASA won't try to NAT the source IP for the reply of the connection.
Regards,
Felipe.
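An added example, not code from the thread or from Cisco: a small parser for the packet-tracer output posted above. It splits the output into phases and returns the phase that dropped the packet together with its Config lines, so the rule that matched (here phase 8, the rpf-check against the dynamic "nat (inside) 1" rule with no matching global, which is what Felipe's diagnosis points at) can be pulled out programmatically instead of by eye. The sample input is constructed from the posted output, using the thread's own placeholder names.

```python
# Constructed sample, modelled on the packet-tracer output posted in the thread.
SAMPLE = """\
Phase: 6
Type: NAT
Subtype:
Result: ALLOW
Config:
static (DMZ,inside) DMZ-server DMZ-server netmask 255.255.255.255
Phase: 8
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
nat (inside) 1 10.1.0.0 255.255.0.0
match ip inside 10.1.0.0 255.255.0.0 DMZ any
dynamic translation to pool 1 (No matching global)
Result:
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

def parse_phases(text):
    """One dict per 'Phase:' block: phase, type, subtype, result, config, info."""
    phases, cur, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Phase:"):
            cur = {"phase": int(line.split(":", 1)[1]), "subtype": "",
                   "config": [], "info": []}
            phases.append(cur)
            section = None
        elif cur is None:
            continue  # trailing summary block, already past the phases
        elif line == "Result:":  # a bare 'Result:' opens that summary block
            cur = None
        elif line.startswith(("Type:", "Subtype:", "Result:")):
            key, _, val = line.partition(":")
            cur[key.lower()] = val.strip()
        elif line in ("Config:", "Additional Information:"):
            section = "config" if line == "Config:" else "info"
        elif section:
            cur[section].append(line)
    return phases

def find_drop(text):
    """(phase dict, drop reason) for the dropping phase; (None, None) if allowed."""
    dropped = next((p for p in parse_phases(text) if p.get("result") == "DROP"), None)
    reason = next((l.partition(":")[2].strip() for l in text.splitlines()
                   if l.startswith("Drop-reason:")), None)
    return dropped, reason
```

Feed it the full "packet-tracer" output; the first element of the returned phase's config list is the NAT statement to look for in the running configuration.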