NAT rule not working

Lajja1234
Level 1

Hi!

I need one DMZ server to access my inside network, but it does not work. I have made an access rule and the rule is working. Verified with packet tracer; packet tracer drops the packet at the NAT step. The strange thing is that the NAT rule doesn't get hit at all.

Is there something wrong with the statement below?

static (inside,DMZ) DMZ-servername DMZ-servername netmask 255.255.255.255

/Lajja1234


3 Replies

Jouni Forss
VIP Alumni

Hi,

As I said in the previous thread on these forums, this is hard to troubleshoot when you don't have anything to work with.

If you don't want to share the configurations at all, I would go through all the NAT rules and look for some existing rule that would apply to the traffic between DMZ and inside.

It seemed to me that there is some conflicting NAT rule, but I can't say for sure what the specific reason is as you don't share the "packet-tracer" output or the NAT configurations.

- Jouni

Hi!

I would prefer not to share the configuration. I can share only the NAT rules, but it's a big net with many NAT rules. I do not only have one DMZ; I have several. The NAT config is attached below (I have edited names and numbers).

I have removed the sensitive stuff of the packet tracer.

Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   10.1.100.0      255.255.255.0   inside

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group DMZ_access_in in interface DMZ
access-list DMZ_access_in extended permit tcp host DMZ-server host Inside-server object-group Licensegroup
object-group service Licensegroup tcp
port-object eq 5511
port-object eq 5588
port-object eq 5555
Additional Information:

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: FOVER
Subtype: standby-update
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: NAT
Subtype:
Result: ALLOW
Config:
static (DMZ,inside) DMZ-server DMZ-server netmask 255.255.255.255
  match ip DMZ host DMZ-server inside any
    static translation to DMZ-server
    translate_hits = 508, untranslate_hits = 4516
Additional Information:
Static translate DMZ-server/0 to DMZ-server/0 using netmask 255.255.255.255

Phase: 7
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (DMZ,External_wan) DMZ-server DMZ-server netmask 255.255.255.255
  match ip DMZ host DMZ-server External_wan any
    static translation to DMZ-server
    translate_hits = 66, untranslate_hits = 0
Additional Information:

Phase: 8
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
nat (inside) 1 10.1.0.0 255.255.0.0
  match ip inside 10.1.0.0 255.255.0.0 DMZ any
    dynamic translation to pool 1 (No matching global)
    translate_hits = 202562, untranslate_hits = 0
Additional Information:

Result:
input-interface: DMZ
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

/Lajja1234
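The posted packet-tracer output is long and the decisive line (the "(No matching global)" marker in the rpf-check phase) is easy to miss when reading it by hand. The following added example, which is not part of the thread, parses packet-tracer output into its phases, returns the first phase that reports DROP, the rule it matched, and whether that rule lacked a global on the egress interface. The parsing functions (parse_packet_tracer, find_drop, matched_rule, lacks_global) are this example's own names, and SAMPLE is a constructed, shortened copy of the output above (phases 1, 6 and 8 plus the closing Result block).

```python
"""Parse Cisco ASA packet-tracer output into its phases and find the drop.

Added example; it is not part of the original thread. SAMPLE is a
constructed, shortened copy of the packet-tracer output posted above
(phases 1, 6 and 8 plus the final Result block).
"""

SAMPLE = """\
Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 6
Type: NAT
Subtype:
Result: ALLOW
Config:
static (DMZ,inside) DMZ-server DMZ-server netmask 255.255.255.255
  match ip DMZ host DMZ-server inside any
    static translation to DMZ-server
    translate_hits = 508, untranslate_hits = 4516
Additional Information:
Static translate DMZ-server/0 to DMZ-server/0 using netmask 255.255.255.255

Phase: 8
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
nat (inside) 1 10.1.0.0 255.255.0.0
  match ip inside 10.1.0.0 255.255.0.0 DMZ any
    dynamic translation to pool 1 (No matching global)
    translate_hits = 202562, untranslate_hits = 0
Additional Information:

Result:
input-interface: DMZ
output-interface: inside
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""


def parse_packet_tracer(text):
    """Return (phases, summary): one dict per 'Phase:' block, plus the
    key/value lines of the closing bare 'Result:' block."""
    phases, summary = [], {}
    current, section = None, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.startswith("Phase:"):
            current = {"phase": int(line.split(":", 1)[1]), "type": "",
                       "subtype": "", "result": "", "config": [], "info": []}
            phases.append(current)
            section = None
        elif line == "Result:":  # bare 'Result:' opens the final summary block
            current, section = None, "summary"
        elif current is not None:
            if line.startswith("Type:"):
                current["type"] = line.split(":", 1)[1].strip()
            elif line.startswith("Subtype:"):
                current["subtype"] = line.split(":", 1)[1].strip()
            elif line.startswith("Result:"):
                current["result"] = line.split(":", 1)[1].strip()
            elif line == "Config:":
                section = "config"
            elif line == "Additional Information:":
                section = "info"
            elif line and section in ("config", "info"):
                current[section].append(line.strip())  # keep rule text, drop indent
        elif section == "summary" and ":" in line:
            key, value = line.split(":", 1)
            summary[key.strip()] = value.strip()
    return phases, summary


def find_drop(phases):
    """First phase whose Result is DROP, or None when every phase allowed."""
    return next((p for p in phases if p["result"] == "DROP"), None)


def matched_rule(phase):
    """The rule line of a NAT or ACCESS-LIST phase (its first Config line)."""
    return phase["config"][0] if phase["config"] else ""


def lacks_global(phase):
    """True when the ASA reported a nat rule with no global on the egress
    interface, the tell-tale of the rpf-check drop in this thread."""
    return any("No matching global" in line for line in phase["config"])
```

Running parse_packet_tracer over the sample and passing the result to find_drop yields phase 8 (NAT/rpf-check) with the rule "nat (inside) 1 10.1.0.0 255.255.0.0" and lacks_global true; the summary dict carries the Action and Drop-reason lines. Feeding it the full output above gives the same answer, which is the point: the drop is not in the access-list phase even though the drop-reason string says "acl-drop".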

Hello,

It seems like you have asymmetric NAT: the destination is self-translated from DMZ to inside, and the packet is hitting the "nat (inside) 1 10.1.0.0 255.255.0.0" command.

You can fix this with NAT 0.

Example:

access-list nat0 permit ip inside_network host DMZ_Server

nat (inside) 0 access-list nat0

So the ASA won't try to NAT the source IP for the reply of the connection.

Regards,

Felipe.
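To make the mechanism behind this answer concrete, here is an added example that is not from the thread or from Cisco: a deliberately small model of the pre-8.3 ASA NAT lookup order (nat 0 access-list exemption first, then static, then nat/global pairs) applied to both directions of the DMZ-server to Inside-server flow. It reproduces why the reply direction fails the rpf-check with "No matching global" using only the rules visible in the posted packet-tracer output, and shows that the nat 0 exemption is consulted before "nat (inside) 1" and so removes the conflict. The class and function names (AsaNat, lookup, rpf_check, thread_config, trace), the addresses, and the assumption that pool 1 has a global only on External_wan are this example's own; the real ASA implementation is more involved than this model.

```python
"""Why the rpf-check phase drops the DMZ -> inside flow, and what nat 0 changes.

Added example, not from the thread or from Cisco: a small model of the
pre-8.3 ASA NAT lookup order (nat 0 exemption, then static, then nat/global)
applied to the reply direction of the flow. Addresses are constructed
stand-ins for the thread's redacted names; the global for pool 1 living only
on External_wan is an assumption of this example.
"""
from dataclasses import dataclass, field
import ipaddress

INSIDE_NET = ipaddress.ip_network("10.1.0.0/16")      # nat (inside) 1 10.1.0.0 255.255.0.0
INSIDE_SERVER = ipaddress.ip_address("10.1.100.10")   # constructed host in that range
DMZ_SERVER = ipaddress.ip_address("192.0.2.10")       # constructed stand-in for DMZ-server
WAN_PEER = ipaddress.ip_address("198.51.100.1")       # constructed host beyond External_wan


@dataclass
class AsaNat:
    exemptions: list = field(default_factory=list)  # (iface, src net, dst host): nat (iface) 0 access-list
    statics: list = field(default_factory=list)     # (real_if, mapped_if, real host): static (real,mapped)
    dynamics: list = field(default_factory=list)    # (iface, nat_id, net): nat (iface) ID net mask
    pools: list = field(default_factory=list)       # (iface, nat_id): global (iface) ID ...


def lookup(cfg, src_if, src_ip, dst_if, dst_ip):
    """Which rule translates the source of a packet leaving src_if for dst_if,
    checked in the ASA's order: exemption, static, dynamic nat/global."""
    for iface, net, host in cfg.exemptions:
        if iface == src_if and src_ip in net and dst_ip == host:
            return "nat 0 exemption: source left untranslated"
    for real_if, mapped_if, real_ip in cfg.statics:
        if (real_if, mapped_if) == (src_if, dst_if) and src_ip == real_ip:
            return "static translation"
    for iface, nat_id, net in cfg.dynamics:
        if iface == src_if and src_ip in net:
            if (dst_if, nat_id) in cfg.pools:
                return f"dynamic translation to pool {nat_id}"
            # the packet-tracer wording for exactly this situation
            return f"drop: nat ({src_if}) {nat_id} matched, No matching global on {dst_if}"
    return "no NAT rule matched"


def rpf_check(cfg, in_if, src_ip, out_if, dst_ip):
    """Phase 8 analogue: the flow in_if -> out_if is accepted only if the reply
    (out_if -> in_if, sourced from dst_ip) can itself be translated."""
    verdict = lookup(cfg, out_if, dst_ip, in_if, src_ip)
    return (not verdict.startswith("drop"), verdict)


def thread_config(with_nat0):
    """The rules visible in the posted packet-tracer output, optionally plus the
    'nat (inside) 0 access-list nat0' exemption from the answer above."""
    cfg = AsaNat()
    cfg.statics.append(("DMZ", "inside", DMZ_SERVER))        # static (DMZ,inside) DMZ-server DMZ-server
    cfg.statics.append(("DMZ", "External_wan", DMZ_SERVER))  # static (DMZ,External_wan) DMZ-server ...
    cfg.dynamics.append(("inside", 1, INSIDE_NET))           # nat (inside) 1 10.1.0.0 255.255.0.0
    cfg.pools.append(("External_wan", 1))                    # assumed: global (External_wan) 1 ...
    if with_nat0:
        # access-list nat0 permit ip 10.1.0.0 255.255.0.0 host DMZ_Server
        # nat (inside) 0 access-list nat0
        cfg.exemptions.append(("inside", INSIDE_NET, DMZ_SERVER))
    return cfg


def trace(with_nat0):
    """Forward NAT decision and rpf-check verdict for DMZ-server -> Inside-server."""
    cfg = thread_config(with_nat0)
    forward = lookup(cfg, "DMZ", DMZ_SERVER, "inside", INSIDE_SERVER)
    ok, reply = rpf_check(cfg, "DMZ", DMZ_SERVER, "inside", INSIDE_SERVER)
    return {"forward": forward, "rpf_ok": ok, "reply": reply}


if __name__ == "__main__":
    for flag in (False, True):
        print("with nat 0:" if flag else "as posted: ", trace(flag))
```

With the rules as posted, the forward lookup picks the static (DMZ,inside) rule (phase 6 above) but the reply lookup lands on "nat (inside) 1" with no pool on DMZ, which is the phase 8 drop; with the exemption added, the reply is matched by nat 0 before the dynamic rule is ever consulted. The same inside host still gets pool 1 when talking to External_wan, so the exemption changes nothing for the existing PAT to the outside.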
