Problem with NAT ASA 9.0(2)

josedelpino
Level 1

Hello

Basically, after upgrading from ASA 8.4 to 9.0(2) I have problems with certain types of NAT.

Example:

ASA 8.4:

     nat (LAN, outside) 85 10.252.253.123 source static 192.168.3.2 192.168.3.2 192.168.3.104 static destination service http http

In this form the host 192.168.3.2 uses the mapped IP (192.168.3.104) to access by HTTP, while other ports can be accessed using the original IP (10.252.253.123).

----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

ASA 9.0:

     nat (LAN, outside) 85 10.252.253.123 source static 192.168.3.2 192.168.3.2 192.168.3.104 static destination service http http

In this form the host 192.168.3.2 uses the mapped IP (192.168.3.104) to access by HTTP, but unlike before I now cannot access the original IP (10.252.253.123) using another port, or ping it, from host 192.168.3.2.

Any ideas on how I can fix this will be appreciated.

Sorry for my English; it is not my native language.

12 Replies

Julio Carvajal
VIP Alumni

Hello Jose,

The NAT commands you typed there are not valid (incorrect syntax). Can you try it one more time?

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

lcambron
Level 3

Hello Jose,

Your NAT should be something like:

nat (LAN,outside) source static 192.168.3.2 192.168.3.104 destination static any any service http http

So 192.168.3.2 is NATed to 192.168.3.104 when the destination port is 80.

You can use the packet tracer command to see which NAT rule you are hitting:

packet-tracer input incoming_interface tcp source_ip 1025 destination_IP 80

You need to check on your configuration the NAT rules you have since the ones you posted are not correct.

Then explain what is exactly the problem.

Regards,

Felipe.

josedelpino
Level 1

Thank you very much to both of you.

The command was wrong because the translator that I used changed the syntax and I did not realize.

The correct command is:

nat (LAN,outside) 85 source static 10.252.253.28 192.168.3.104 destination static 192.168.3.2 192.168.3.2 service http http

The NAT itself works well: host1 uses the mapped IP (192.168.3.104) to access port 80 without any problem, but after setting this NAT host1 cannot access the original server IP address using any other port, or ping it.

host1 IP address           = 192.168.3.2
Original server IP address = 10.252.253.28
NATed server IP address    = 192.168.3.104

Hello Jose Alan,

Let's see that.

can you paste:

packet-tracer input LAN tcp 10.252.253.28 1025 192.168.3.2 80

That is what you are looking for

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hello Julio,

Thanks for your time

Here it is:

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   192.168.3.0     255.255.255.0   outside

Result:
input-interface: LAN
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (no-route) No route to host


Apparently it drops the packet due to a lack of route, but the destination network is directly connected.

If I delete the NAT this is the output:

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   192.168.3.0     255.255.255.0   outside

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group LAN_access_in in interface LAN
access-list LAN_access_in extended permit ip object-group NET-ADM any4
access-list LAN_access_in remark XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
object-group network NET-ADM
description: xxxxxxxxxxxxxxxxxxxxxx
network-object host 10.252.253.28
Additional Information:

Phase: 4
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (LAN,outside) source static any any unidirectional
Additional Information:
Static translate 10.252.253.28/1025 to 10.252.253.28/1025

Phase: 5
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (LAN,outside) source static any any unidirectional
Additional Information:

Phase: 8
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 9
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 10
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 808, packet dispatched to next module

Result:
input-interface: LAN
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow
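The two packet-tracer runs above differ only in whether the NAT line is present, and the interesting facts (where the trace stopped, which NAT rule a NAT phase reported, the final action and drop reason) are scattered across many lines. The following parser is an added example for this thread, not Cisco tooling; the two sample traces embedded in it are abridged copies of the outputs pasted above, and the `summarize` helper and its output format are my own choice.

```python
"""
Parser for ASA 'packet-tracer' output (added example, not Cisco tooling).
It splits a trace into phases, keeps the 'nat ...' lines a NAT phase reports
under 'Config:', and extracts the final action and drop reason, so two traces
(for example before and after removing a NAT line) can be compared mechanically.
"""
import re
from typing import Dict

PHASE_RE = re.compile(r"^Phase:\s*(\d+)$")
KV_RE = re.compile(r"^(Type|Subtype|Result|Action|Drop-reason):\s*(.*)$")


def parse_packet_tracer(text: str) -> Dict:
    phases = []
    cur = None            # phase dict being filled
    section = None        # "config" or "info" within the current phase
    in_final = False      # inside the trailing bare 'Result:' block
    summary = {"action": None, "drop_reason": None, "output_interface": None}

    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = PHASE_RE.match(line)
        if m:
            cur = {"phase": int(m.group(1)), "type": "", "subtype": "",
                   "result": "", "config": [], "info": []}
            phases.append(cur)
            section = None
            continue
        if line == "Result:":            # bare 'Result:' opens the final block
            in_final, cur, section = True, None, None
            continue
        if line in ("Config:", "Additional Information:"):
            section = "config" if line == "Config:" else "info"
            continue
        kv = KV_RE.match(line)
        if in_final:
            if kv:
                summary[kv.group(1).lower().replace("-", "_")] = kv.group(2).strip()
            elif line.startswith("output-interface:"):
                summary["output_interface"] = line.split(":", 1)[1].strip()
            continue
        if cur is None:
            continue
        if kv:
            cur[kv.group(1).lower()] = kv.group(2).strip()
        elif section:
            cur[section].append(line)

    nat_rules = sorted({c for p in phases if p["type"] == "NAT"
                        for c in p["config"] if c.startswith("nat ")})
    return {"phases": [(p["phase"], p["type"], p["subtype"], p["result"]) for p in phases],
            "nat_rules": nat_rules,
            "last_phase": phases[-1]["phase"] if phases else 0,
            **summary}


def summarize(result: Dict) -> str:
    """One-line verdict: final action, drop reason if any, and NAT rules hit."""
    verdict = result["action"] or "unknown"
    if result["drop_reason"]:
        verdict += f" {result['drop_reason']}"
    nat = "; ".join(result["nat_rules"]) or "no NAT rule hit"
    return f"{verdict} after phase {result['last_phase']}; NAT: {nat}"


# Abridged copies of the two traces pasted in this thread (with and without the NAT line).
DROP_TRACE = """\
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Additional Information:
in   192.168.3.0     255.255.255.0   outside
Result:
output-interface: outside
Action: drop
Drop-reason: (no-route) No route to host
"""

ALLOW_TRACE = """\
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group LAN_access_in in interface LAN
Phase: 4
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (LAN,outside) source static any any unidirectional
Phase: 10
Type: FLOW-CREATION
Result: ALLOW
Result:
output-interface: outside
Action: allow
"""

if __name__ == "__main__":
    for name, trace in (("with NAT", DROP_TRACE), ("NAT removed", ALLOW_TRACE)):
        print(f"{name}: {summarize(parse_packet_tracer(trace))}")
```

Run against the two traces it prints one line each: the first stops after phase 2 with the no-route drop and no NAT phase at all, the second reaches phase 10 and reports the `source static any any unidirectional` rule, which is exactly the difference Jose spotted by eye.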

Hello Jose,

Good post, interesting results.

Can you share the entire ASA configuration with the NAT, with a show route as well?

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Julio,

In a test environment I upgraded from version 9.0(2) to 9.1(1)4 and also removed all settings from the configuration, leaving just enough to test the NAT, but the behavior is the same.

This is the complete current configuration:

ASA Version 9.1(1)4
!
hostname ASATEST
enable password xxxxxxxxxxx encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd xxxxxxxxxxxx encrypted
names
!
interface GigabitEthernet0/0
nameif LAN
security-level 0
ip address 10.252.254.1 255.255.255.0
!
interface GigabitEthernet0/1
nameif outside
security-level 0
ip address 192.168.3.1 255.255.255.0
!
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
shutdown
no nameif
no security-level
no ip address
!
boot system disk0:/asa911-4-k8.bin
ftp mode passive
same-security-traffic permit inter-interface
object network 10.252.254.28
host 10.252.254.28
object network 192.168.3.104
host 192.168.3.104
object network 192.168.3.2
host 192.168.3.2
object service ftp
service tcp source eq ftp
access-list ANY extended permit ip any4 any4
pager lines 24
logging enable
logging asdm informational
mtu LAN 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (LAN,outside) source static 10.252.254.28 192.168.3.104 destination static 192.168.3.2 192.168.3.2 service http http
access-group ANY in interface LAN
access-group ANY in interface outside
route outside 0.0.0.0 0.0.0.0 192.168.3.2 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 10.252.254.28 255.255.255.255 LAN
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh 10.252.254.28 255.255.255.255 LAN
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
username jdelpino password xxxxxxx encrypted privilege 15
!
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum client auto
  message-length maximum 512
!
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:0e5d8be6f25f180223f5c1beee7fc0c6
: end

Thanks again for the help

Hello Jose,

Hey man, my pleasure to help.

I need the following info:

1) I do not see the object service http in the configuration; why is that? May I have it?

2) All your traffic is being routed to that same device, 3.2? Is that expected?

route outside 0.0.0.0 0.0.0.0 192.168.3.2 1

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hello Julio,

1) Sorry for this, I must have accidentally deleted it when pasting the config:

object service http
service tcp source eq http

2)

In my test environment I have a router connected to the outside interface of the ASA, and sometimes I create loopback interfaces on the router to simulate external networks; that is the reason for the default route, but in this case it is not necessary, so I can remove it without any problem.

Server ------------------------ ASA ------------------------ Router
10.252.253.28          253.1         3.1                192.168.3.2

Hello Jose,

First error:

The object service http should be destination, not source.

Change that, clear the xlate table and perform the packet-tracer again, and post the results.

Remember to rate all of the helpful posts, as important as a thanks man

regards



Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hello Julio,

I think I did not express myself correctly because of my poor English, and the problem was not understood.

Basically what I need is that if a user wants to access the server A web page (tcp/80) he has to make the request to the NATed server IP address (192.168.3.104), but if the same user wants to access any other service of server A, for example remote desktop (tcp/3389), SSH (tcp/22), ping, etc., he has to make the request to the original server IP address 10.252.253.28.

User IP address            = 192.168.3.2
NATed server IP address    = 192.168.3.104
Original server IP address = 10.252.253.28

In ASA 8.4 this works well:

nat (LAN,outside) source static 10.252.254.28 192.168.3.104 destination static 192.168.3.2 192.168.3.2 service http http

By doing this the user accessed the website by making the request to the NATed IP address 192.168.3.104, and for any other service made the request to the original server IP address 10.252.253.28; but in ASA 9.1(1)4, once I configure the NAT, any communication between the user and the server's original IP address 10.252.253.28 is cut.

Please let me know if I am not clear with my explanation of the problem.
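What Jose describes in this post, and earlier in his "host1 / original server / NATed server" post, is the ordinary twice-NAT contract: a rule that carries a destination and a service should only translate flows that match all three of source, destination and port, and leave every other flow (other TCP ports, ping) untranslated. The model below is an added example written for this thread, not ASA code or anything from Cisco: it implements first-match rule lookup with bidirectional static rules and treats the service simply as a TCP port on the server (the rule's source host) side; it does not model the ASA's route lookup or xlate table, so it shows the expected 8.4 behaviour rather than explaining the 9.x no-route drop seen above. Rule names and the `Flow`/`TwiceNatRule` types are my own.

```python
"""
Simplified model of an ASA 8.3+ twice-NAT (manual NAT) rule with a service,
illustrating the behaviour expected from

    nat (LAN,outside) source static SERVER MAPPED destination static USER USER service http http

Added example, not ASA code: only first-match lookup and the real/mapped source,
real/mapped destination and TCP-port parts of the rule are modelled.
"""
from dataclasses import dataclass, replace
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    proto: str          # "tcp", "udp" or "icmp"
    src: str
    sport: int          # 0 for icmp
    dst: str
    dport: int


@dataclass(frozen=True)
class TwiceNatRule:
    """One 'nat (real_ifc,mapped_ifc) source static ... [destination static ...] [service ...]' line.

    service_port is the TCP port on the real-source host (the server); None means
    no service, so every port and protocol matches. real_dst / mapped_dst of None
    mean 'any' (rule written without the destination keyword).
    """
    name: str
    real_src: str
    mapped_src: str
    real_dst: Optional[str] = None
    mapped_dst: Optional[str] = None
    service_port: Optional[int] = None

    def translate(self, f: Flow) -> Optional[Flow]:
        """Return the translated flow if this rule matches f, else None.

        Static rules are bidirectional: a packet sourced by the real host is
        matched 'forward' (its source is translated); a packet sent toward the
        mapped address is matched 'reverse' (its destination is un-translated).
        """
        if self.service_port is not None and f.proto != "tcp":
            return None
        # forward: server -> client, real source address and server-side port
        if (f.src == self.real_src
                and (self.real_dst is None or f.dst == self.real_dst)
                and (self.service_port is None or f.sport == self.service_port)):
            new_dst = f.dst if self.mapped_dst is None else self.mapped_dst
            return replace(f, src=self.mapped_src, dst=new_dst)
        # reverse: client -> mapped server address and server-side port
        if (f.dst == self.mapped_src
                and (self.mapped_dst is None or f.src == self.mapped_dst)
                and (self.service_port is None or f.dport == self.service_port)):
            new_src = f.src if self.real_dst is None else self.real_dst
            return replace(f, src=new_src, dst=self.real_src)
        return None


def apply_nat(rules: List[TwiceNatRule], f: Flow) -> Tuple[Flow, Optional[str]]:
    """First matching rule wins (section 1 order); no match leaves the flow untranslated."""
    for r in rules:
        t = r.translate(f)
        if t is not None:
            return t, r.name
    return f, None


# The rule from the thread: server 10.252.253.28 published as 192.168.3.104
# for TCP/80 only, toward the user 192.168.3.2.
RULES = [
    TwiceNatRule("http-only", real_src="10.252.253.28", mapped_src="192.168.3.104",
                 real_dst="192.168.3.2", mapped_dst="192.168.3.2", service_port=80),
]

# Constructed flows for the cases Jose describes.
USER_TO_MAPPED_HTTP = Flow("tcp", "192.168.3.2", 1025, "192.168.3.104", 80)
USER_TO_REAL_RDP = Flow("tcp", "192.168.3.2", 1025, "10.252.253.28", 3389)
USER_PING_REAL = Flow("icmp", "192.168.3.2", 0, "10.252.253.28", 0)
SERVER_HTTP_REPLY = Flow("tcp", "10.252.253.28", 80, "192.168.3.2", 1025)

if __name__ == "__main__":
    for f in (USER_TO_MAPPED_HTTP, USER_TO_REAL_RDP, USER_PING_REAL, SERVER_HTTP_REPLY):
        t, hit = apply_nat(RULES, f)
        print(f"{f.proto} {f.src}:{f.sport} -> {f.dst}:{f.dport}  rule={hit}  "
              f"after NAT {t.src}:{t.sport} -> {t.dst}:{t.dport}")
```

In this model the user's request to 192.168.3.104:80 is rewritten to 10.252.253.28:80 and the server's reply from port 80 is rewritten back to 192.168.3.104, while RDP to the original address and ping match no rule and pass through unchanged; that is the contract Jose relied on in 8.4. Whether the service object's port should be written as a source or a destination port, the point Julio raises, is outside this model, which only knows a server-side port.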

Hello Jose,

Yeah, I think I got it now, but if that is the case you do not need to use any destination keyword:

no nat (LAN,outside) source static 10.252.254.28 192.168.3.104 destination static 192.168.3.2 192.168.3.2 service http http

nat (LAN,outside) source static 10.252.254.28 192.168.3.104  service http http

Then do the following and provide the entire outputs (please):

packet-tracer input outside tcp 192.168.3.2 1025 192.168.3.104 80

packet-tracer input outside tcp 192.168.3.2 1025 10.252.254.28 8080

Regards,


Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC