Nat Rule not working

crawley2017
Level 1

Nat Rule not working | Firewalling | Cisco Support Community

Hi,

I am a newbie and learning to manage the ASA 5505.

I have got a site where we have one broadband with one Static IP.

I wanted to configure it to monitor CCTV but it doesn't seem to work.

I have used Packet Tracer and I get the error on the access list: Config Implicit Rule.

Can someone please direct me where I am going wrong here?

object network CAMERA
nat (any,outside) dynamic interface

access-list acl-outside extended permit tcp any object CAMERA eq 8000

Thanks,
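Added example (ASA 8.3+ syntax), not the poster's configuration: the dynamic rule in the post above beside the static translation an inbound port forward needs. The real camera address 192.168.20.50 is taken from the ASA log quoted later in the thread, the ACL name acl-outside is the poster's, and the route's next hop 192.168.1.2 (the layer-3 switch) and the /24 mask are placeholders.

```cisco
! Added example, not the original poster's configuration. ASA 8.3+ syntax.
! Placeholders: 192.168.20.50 is the camera's real (inside) address as it
! appears in the ASA log later in the thread; 192.168.1.2 is an assumed
! layer-3 switch address on the ASA's inside network.

! --- What the original post has: dynamic PAT ---
! A dynamic rule only creates translations for connections that start on the
! real side (inside -> outside). A SYN arriving on the outside interface for
! port 8000 matches no translation, so the destination stays the outside
! interface address, the ACL written for the real address never matches,
! and the packet falls through to the implicit deny.
!
! object network CAMERA
!  nat (any,outside) dynamic interface

! --- Static PAT: forwards <outside-if-addr>:8000 to 192.168.20.50:8000 ---
object network CAMERA
 host 192.168.20.50
 nat (inside,outside) static interface service tcp 8000 8000

! Since 8.3 the interface ACL is evaluated after un-NAT, so it must name the
! real address (the object), not the public address.
access-list acl-outside extended permit tcp any object CAMERA eq 8000
access-group acl-outside in interface outside

! The static rule names 'inside' as the real interface, so the ASA must be
! able to reach 192.168.20.50 through that interface. When the camera VLAN
! sits behind a layer-3 switch, add a route with the switch as next hop.
route inside 192.168.20.0 255.255.255.0 192.168.1.2 1
```

The ACL permits only TCP/8000 to the single camera object; nothing else on the inside network is exposed by this rule, and the translation is bound to one port rather than the whole interface address.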

16 Replies

siren eam
Level 5

Hi,

Please check this link if it can help:

http://www.networkworld.com/article/2162844/tech-primers/how-to-configure-static-nat-on-a-cisco-asa-security-appliance.html

Hi Siren,

I followed Dan's example and created 


object network Camera
 host 10.10.10.1
 nat (inside,outside) static interface service tcp 8000 8000
access-list Camera-monitor extended permit tcp any host 10.10.10.1 eq 8000
access-group Camera-monitor in interface outside

It failed when I used Packet Tracer 

Hi,

The config looks fine.

Can you try with actual traffic?

Can you post the result from CLI:

packet-tracer input outside tcp 4.2.2.2 8787 <interface outside ip> 8080 det ?

Regards,

Aditya

Hey Aditya,

Please see below.

Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
in x.x.x.x 255.255.255.255 identity

Phase: 2
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

The access list is

access-list CCTV extended permit tcp any object CAMERA object-group CAMERA-PORTS

access-group CCTV in interface outside

Hi Crawley,

Please add the following NAT rule same as it is and test it.

nat (outside,inside) source static obj_any obj_any destination static interface CAMERA service 8000 8000

Spooster IT Services Team

Still the same.

Let me explain my setup. I have got two ASAs and the old ASA1 is working OK and I have got static IP addresses for each service. I have added a second switch and ASA2 for resiliency. All the internal traffic goes to ASA1 and NAT is fine, as the switch is the gateway for all VLANs and forwards the external traffic to ASA1.

I presented another switch and ASA2 and wanted to use similar rules as ASA1 but somehow it is not working. NAT works fine when I use it for the same subnet but it doesn't when I use a different VLAN for CCTV etc. The CCTV is using VLAN 20 and I can ping VLAN 200 from ASA2.

I have attached a pic to understand if it helps.

Hi crawley2017,

Can you answer the following

Que 1) What subnets are you using for CCTV (both old and new subnet)?

Que 2) What are the camera IPs (both old and new)?

Spooster IT Services Team

I have not changed the CCTV subnet. The old and new are on VLAN200. I have not changed any IP Address.

There is a route for Vlan 200 on ASA2.

Hi crawley2017,

I suspect there is something wrong configured or missed.

Ques1 ) Is everything working for ASA1?

Ques 2) What are the interface nameifs on both ASAs?

Can you attach the running config of both ASAs? (Remember to remove sensitive information)

Spooster IT Services Team

I think it is more of a routing issue here but I am trying to understand where I need to start, as one is working but the second one isn't. The VLANs are the same and the nameif interfaces are the same as well. Both ASAs are on the same subnet.

I just tested a NAT on the same subnet and it worked. So I am sure it may be something to do with the routing, or I am wrong :).

One more thing I noticed in ASDM: I could see the Hits going up.

I checked the logs and found something, SYNTIMEOUT.

Teardown TCP connection 29234 for outside:8.8.8.8/80 to inside:192.168.20.50/8000 duration 0:00:30 bytes 0 SYN Timeout.

Is it something to do with the same subnet, as CCTV is on another subnet?

When I use the sh arp command I do not see the CCTV subnet, and my layer 3 switch does the routing for VLANs.
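Verification steps for the symptoms in the post above (ACL hits climbing, then a SYN Timeout teardown), added here as an example and not the thread's own commands. The camera address 192.168.20.50 and the ACL name CCTV come from the thread; 203.0.113.10 (a test client), 198.51.100.1 (the ASA's outside address) and 192.168.1.2 (the layer-3 switch) are placeholders.

```cisco
! Added example: verification commands, not the thread's own. 192.168.20.50
! and ACL CCTV come from the thread; 203.0.113.10, 198.51.100.1 (assumed
! outside interface address) and 192.168.1.2 (assumed layer-3 switch) are
! placeholders.

! 1. Is the static rule being hit in the inbound direction? A non-zero
!    untranslate_hits counter on the CAMERA rule means inbound packets
!    matched the translation; translate_hits counts the outbound direction.
show nat detail

! 2. Simulate the inbound SYN against the port the rule actually maps (8000;
!    a trace to any other port, e.g. 8080, matches no translation). A working
!    forward shows a UN-NAT phase citing the static rule before the
!    ACCESS-LIST phase, the ACL phase cites the CCTV line instead of
!    "Implicit Rule", and the output interface is "inside", not
!    "NP Identity Ifc".
packet-tracer input outside tcp 203.0.113.10 40000 198.51.100.1 8000 detailed

! 3. Did the ACL match real traffic? hitcnt increments per matching packet.
show access-list CCTV

! 4. Does this ASA know how to reach the camera VLAN? 'sh arp' only lists
!    hosts on directly connected networks, so a routed VLAN never appears
!    there; the routing table is the place to look.
show route
! If 192.168.20.0/24 is absent, point it at the layer-3 switch:
route inside 192.168.20.0 255.255.255.0 192.168.1.2 1

! 5. Reading the teardown message from the post:
!    "outside:8.8.8.8/80 to inside:192.168.20.50/8000 duration 0:00:30
!     bytes 0 SYN Timeout"
!    The connection was built, so NAT and the ACL both matched. bytes 0 with
!    a SYN Timeout means no SYN-ACK returned through this ASA within the
!    30 s embryonic timeout: either the camera never saw the SYN, or its
!    reply left by another gateway. With the switch's default route at ASA1,
!    the camera's SYN-ACK goes out ASA1 and ASA2 tears the half-open flow
!    down. Watch the embryonic connection while a client tests:
show conn address 192.168.20.50
```

Steps 1 to 3 confirm translation and policy; step 4 and 5 separate a forwarding problem from a return-path problem, which is the distinction the SYN Timeout points at once the ACL hits are already climbing.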

Hi crawley2017,

Try the following configuration and test.

object-group network ANY
network-object 0.0.0.0 0.0.0.0

object service 8000
 service tcp destination eq 8000

nat (outside,any) source static ANY ANY destination static interface CAMERA service 8000 8000


Spooster IT Services Team

Hi,

I followed your example 

object-group network ANY
network-object 0.0.0.0 0.0.0.0 (I used the camera IP address)

object service 8000
 service tcp destination eq 8000

nat (outside,any) source static ANY ANY destination static interface CAMERA service 8000 8000

I could not make it work.
