04-11-2013 01:30 PM - edited 03-11-2019 06:27 PM
Hello
Basically, after upgrading from ASA 8.4 to 9.0(2) I have problems with certain types of NAT.
Example:
ASA 8.4:
nat (LAN, outside) 85 10.252.253.123 source static 192.168.3.2 192.168.3.2 192.168.3.104 static destination service http http
In this form the host 192.168.3.2 uses the mapped IP (192.168.3.104) to access by HTTP, while other ports can be accessed using the original IP (10.252.253.123).
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
ASA 9.0:
nat (LAN, outside) 85 10.252.253.123 source static 192.168.3.2 192.168.3.2 192.168.3.104 static destination service http http
In this form the host 192.168.3.2 uses the mapped IP (192.168.3.104) to access by HTTP, but unlike before I now cannot access the original IP (10.252.253.123) using another port, or ping it, from host 192.168.3.2.
Any ideas on how I can fix this will be appreciated.
Sorry for my English; it is not my native language.
04-11-2013 03:15 PM
Hello Jose,
The nat commands you typed there are not valid (incorrect syntax); can you try it one more time?
04-11-2013 04:18 PM
Hello Jose,
Your NAT should be something like:
nat (LAN,outside) source static 192.168.3.2 192.168.3.104 destination static any any service http http
So 192.168.3.2 is NATed to 192.168.3.104 when the destination port is 80.
You can use the packet tracer command to see which NAT rule you are hitting:
packet in incoming_interface tcp source_ip 1025 destination_IP 80
You need to check the NAT rules you have in your configuration, since the ones you posted are not correct.
Then explain what is exactly the problem.
Regards,
Felipe.
04-12-2013 11:33 AM
Thank you very much to both.
The command was wrong because the translator that I used changed the syntax and I did not realize.
The correct command is:
nat (LAN,outside) 85 source static 10.252.253.28 192.168.3.104 destination static 192.168.3.2 192.168.3.2 service http http
The NAT itself works well: host1 uses the mapped IP (192.168.3.104) to access port 80 without any problem, but after setting this NAT host1 cannot access the original server IP address using any other port, or ping it.
host1 IP address = 192.168.3.2
Original server IP address = 10.252.253.28
NATed server IP address = 192.168.3.104
04-12-2013 12:25 PM
Hello Jose Alan,
Let's see. Can you paste:
packet-tracer input LAN tcp 10.252.253.28 1025 192.168.3.2 80
That is what you are looking for.
04-12-2013 01:10 PM
Hello Julio,
Thanks for your time
Here is:
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 192.168.3.0 255.255.255.0 outside
Result:
input-interface: LAN
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (no-route) No route to host
Apparently it drops the packet due to a lack of routes, but the destination network is directly connected.
If I delete the NAT, this is the output:
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 192.168.3.0 255.255.255.0 outside
Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group LAN_access_in in interface LAN
access-list LAN_access_in extended permit ip object-group NET-ADM any4
access-list LAN_access_in remark XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
object-group network NET-ADM
description: xxxxxxxxxxxxxxxxxxxxxx
network-object host 10.252.253.28
Additional Information:
Phase: 4
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (LAN,outside) source static any any unidirectional
Additional Information:
Static translate 10.252.253.28/1025 to 10.252.253.28/1025
Phase: 5
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 7
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (LAN,outside) source static any any unidirectional
Additional Information:
Phase: 8
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 9
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 10
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 808, packet dispatched to next module
Result:
input-interface: LAN
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow
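The two traces above are easier to compare once reduced to phases and a verdict. The Python below is an added example, not code from the thread or from Cisco: it parses packet-tracer output into phase records, lists the nat commands shown in NAT phases, and reports where the packet stopped. The embedded sample is a constructed abridgement of the dropped trace above, so it runs offline.

```python
"""Parse Cisco ASA packet-tracer output into phases and a final verdict.
Added example, not code from the thread; the sample text is a constructed
abridgement of the dropped trace Jose pasted, so this runs offline."""
import re
from dataclasses import dataclass, field


@dataclass
class Phase:
    number: int
    type: str = ""
    subtype: str = ""
    result: str = ""
    config: list = field(default_factory=list)  # lines under "Config:"
    info: list = field(default_factory=list)    # lines under "Additional Information:"


@dataclass
class Trace:
    phases: list
    action: str       # "allow" or "drop"
    drop_reason: str  # "" when the packet was allowed


def parse_packet_tracer(text):
    """Split packet-tracer text into Phase records plus the final Result block."""
    phases, current, section = [], None, None
    action, drop_reason = "", ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = re.match(r"Phase:\s*(\d+)$", line)
        if m:
            current = Phase(number=int(m.group(1)))
            phases.append(current)
            section = None
            continue
        if line == "Result:":
            # a bare "Result:" opens the summary; "Result: ALLOW" belongs to a phase
            current, section = None, None
            continue
        if current is None:  # summary block
            m = re.match(r"Action:\s*(\w+)", line)
            if m:
                action = m.group(1)
            m = re.match(r"Drop-reason:\s*(.*)", line)
            if m:
                drop_reason = m.group(1)
            continue
        if line.startswith("Type:"):
            current.type = line[5:].strip()
        elif line.startswith("Subtype:"):
            current.subtype = line[8:].strip()
        elif line.startswith("Result:"):
            current.result = line[7:].strip()
        elif line == "Config:":
            section = "config"
        elif line == "Additional Information:":
            section = "info"
        elif section == "config":
            current.config.append(line)
        elif section == "info":
            current.info.append(line)
    return Trace(phases, action, drop_reason)


def nat_rules_hit(trace):
    """(subtype, nat command) for every NAT phase, in evaluation order."""
    return [(p.subtype, c) for p in trace.phases if p.type == "NAT" for c in p.config]


def verdict(trace):
    """One line saying where the packet stopped and why."""
    last = trace.phases[-1]
    if trace.action == "drop":
        return f"drop after phase {last.number} ({last.type}): {trace.drop_reason}"
    return f"allow after phase {last.number} ({last.type})"


# Constructed sample: abridged from the dropped trace in the thread
DROP_SAMPLE = """
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 192.168.3.0 255.255.255.0 outside
Result:
Action: drop
Drop-reason: (no-route) No route to host
"""

if __name__ == "__main__":
    t = parse_packet_tracer(DROP_SAMPLE)
    print(verdict(t))  # drop after phase 2 (ROUTE-LOOKUP): (no-route) No route to host
```

Fed the allowed trace instead, the parser returns an allow verdict after phase 10 and lists the `nat (LAN,outside) source static any any unidirectional` hit at phases 4 and 7. The parser tells the summary block apart from a phase by the bare `Result:` line, which is the only place the two formats differ.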
04-12-2013 01:14 PM
Hello Jose,
Good post, interesting results.
Can you share the entire ASA configuration with the NAT, with a show route as well?
04-12-2013 07:30 PM
Julio,
In a test environment I upgraded from version 9.0(2) to 9.1(1)4 and also removed all settings from the configuration, leaving just enough to test the NAT, but the behavior is the same.
This is the complete current configuration:
ASA Version 9.1(1)4
!
hostname ASATEST
enable password xxxxxxxxxxx encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd xxxxxxxxxxxx encrypted
names
!
interface GigabitEthernet0/0
nameif LAN
security-level 0
ip address 10.252.254.1 255.255.255.0
!
interface GigabitEthernet0/1
nameif outside
security-level 0
ip address 192.168.3.1 255.255.255.0
!
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
shutdown
no nameif
no security-level
no ip address
!
boot system disk0:/asa911-4-k8.bin
ftp mode passive
same-security-traffic permit inter-interface
object network 10.252.254.28
host 10.252.254.28
object network 192.168.3.104
host 192.168.3.104
object network 192.168.3.2
host 192.168.3.2
object service ftp
service tcp source eq ftp
access-list ANY extended permit ip any4 any4
pager lines 24
logging enable
logging asdm informational
mtu LAN 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (LAN,outside) source static 10.252.254.28 192.168.3.104 destination static 192.168.3.2 192.168.3.2 service http http
access-group ANY in interface LAN
access-group ANY in interface outside
route outside 0.0.0.0 0.0.0.0 192.168.3.2 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 10.252.254.28 255.255.255.255 LAN
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh 10.252.254.28 255.255.255.255 LAN
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
username jdelpino password xxxxxxx encrypted privilege 15
!
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
!
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:0e5d8be6f25f180223f5c1beee7fc0c6
: end
Thanks again for the help
04-13-2013 12:10 AM
Hello Jose,
Hey man, my pleasure to help.
I need the following info:
1) I do not see the object-service http in the configuration; why is that? May I have it?
2) All your traffic is being routed to that same device, 3.2? Is that expected?
route outside 0.0.0.0 0.0.0.0 192.168.3.2 1
04-13-2013 11:30 AM
Hello Julio,
1) Sorry for this, I must have accidentally deleted it when pasting the config:
object service http
service tcp source eq http
2)
In my test environment I have a router connected to the outside interface of the ASA, and sometimes I create loopback interfaces on the router to simulate external networks; that is the reason for the default route, but in this case it is not necessary, so I can remove it without any problem.
Server-------------------------------ASA-----------------------------Router
10.252.253.28 253.1 3.1 192.168.3.2
04-13-2013 01:31 PM
Hello Jose,
First error:
The object service http should be destination, not source.
Change that,
clear the xlate table and perform the packet tracer again, and post the results.
Remember to rate all of the helpful posts; it is as important as a thanks, man.
Regards
04-13-2013 07:15 PM
Hello Julio,
I think I did not express myself correctly because of my poor English, and the problem was not understood.
Basically what I need is that if a user wants to access the server A web page (tcp/80) they have to make the request to the NATed server IP address (192.168.3.104), but if the same user wants to access any other service of server A, for example remote desktop (tcp/3389), ssh (tcp/22), ping, etc., they have to make the request to the original server IP address 10.252.253.28.
User IP address = 192.168.3.2
NATed server IP address = 192.168.3.104
Original server IP address = 10.252.253.28
In ASA 8.4 this works well:
nat (LAN,outside) source static 10.252.254.28 192.168.3.104 destination static 192.168.3.2 192.168.3.2 service http http
By doing this the user accessed the website by making the request to the NATed IP address 192.168.3.104, and for any other service made the request to the original server IP address 10.252.253.28; but in ASA 9.1(1)4, once I configure the NAT, any communication between the user and the server's original IP address 10.252.253.28 is cut.
Please let me know if I am not being clear in my explanation of the problem.
04-14-2013 12:44 AM
Hello Jose,
Yeah, I think I got it now, but if that is the case you do not need to use any destination keyword:
no nat (LAN,outside) source static 10.252.254.28 192.168.3.104 destination static 192.168.3.2 192.168.3.2 service http http
nat (LAN,outside) source static 10.252.254.28 192.168.3.104 service http http
Then do the following and provide the entire outputs (please):
packet-tracer input outside tcp 192.168.3.2 1025 192.168.3.104 80
packet-tracer input outside tcp 192.168.3.2 1025 10.252.254.28 8080
Regards,
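What Julio's two packet-tracer commands are meant to show is which flows the service-restricted rule claims: the client's request to 192.168.3.104:80 should be translated to the real server, and a request to the real address on any other port should pass untouched. The Python below is an added example, not Cisco's implementation and not code from the thread. It is a simplified model of twice-NAT first-match evaluation under two stated assumptions: the first matching rule wins, and the service object names the translated host's own port (its source port when it initiates, the destination port when a client connects to it), which is how Jose's `service tcp source eq http` object is written. It uses the thread's addresses, places Julio's suggested rule beside the original one pinned to 192.168.3.2, and goes slightly beyond the two commands by also checking the server-initiated direction and a second client. It does not reproduce the no-route drop Jose observed on 9.x; it shows the matching behaviour the thread expects.

```python
"""Simplified model of ASA twice-NAT (manual NAT) rule matching.
Added example: not Cisco's implementation and not code from the thread.
It models the semantics the thread relies on (a rule with 'service http http'
claims only TCP/80 flows; everything else to the server's real address stays
untranslated) under two assumptions: first matching rule wins, and the
service object names the translated host's own port (source port when it
initiates, destination port when a client connects to it). It does not
reproduce the no-route drop Jose observed on 9.x."""
from dataclasses import dataclass, replace
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class TwiceNatRule:
    """nat (real,mapped) source static REAL MAPPED [destination static D D] [service R M]"""
    real_src: str
    mapped_src: str
    dst: str = "any"                  # destination filter; identity only in this model
    proto: str = "tcp"
    real_port: Optional[int] = None   # None: rule applies to every service
    mapped_port: Optional[int] = None


def _ip_ok(pattern, ip):
    return pattern == "any" or pattern == ip


def _port_ok(want, port):
    return want is None or want == port


def translate_outbound(rule, pkt):
    """Real -> mapped direction (the server initiates). Translated packet or None."""
    if pkt.proto != rule.proto:
        return None
    if not (_ip_ok(rule.real_src, pkt.src_ip) and _ip_ok(rule.dst, pkt.dst_ip)
            and _port_ok(rule.real_port, pkt.src_port)):
        return None
    port = pkt.src_port if rule.mapped_port is None else rule.mapped_port
    return replace(pkt, src_ip=rule.mapped_src, src_port=port)


def translate_inbound(rule, pkt):
    """Mapped -> real direction (a client connects to the mapped address)."""
    if pkt.proto != rule.proto:
        return None
    if not (_ip_ok(rule.mapped_src, pkt.dst_ip) and _ip_ok(rule.dst, pkt.src_ip)
            and _port_ok(rule.mapped_port, pkt.dst_port)):
        return None
    port = pkt.dst_port if rule.real_port is None else rule.real_port
    return replace(pkt, dst_ip=rule.real_src, dst_port=port)


def apply_rules(rules, pkt, inbound):
    """First-match evaluation: (index of the rule hit or None, resulting packet)."""
    fn = translate_inbound if inbound else translate_outbound
    for i, rule in enumerate(rules):
        out = fn(rule, pkt)
        if out is not None:
            return i, out
    return None, pkt


# Julio's suggestion: nat (LAN,outside) source static 10.252.254.28 192.168.3.104 service http http
SUGGESTED = [TwiceNatRule("10.252.254.28", "192.168.3.104", real_port=80, mapped_port=80)]
# Jose's original rule, additionally pinned to destination 192.168.3.2
ORIGINAL = [TwiceNatRule("10.252.254.28", "192.168.3.104", dst="192.168.3.2",
                         real_port=80, mapped_port=80)]

if __name__ == "__main__":
    web = Packet("tcp", "192.168.3.2", 1025, "192.168.3.104", 80)      # Julio's packet-tracer #1
    other = Packet("tcp", "192.168.3.2", 1025, "10.252.254.28", 8080)  # Julio's packet-tracer #2
    print(apply_rules(SUGGESTED, web, inbound=True))    # rule 0: dst becomes 10.252.254.28:80
    print(apply_rules(SUGGESTED, other, inbound=True))  # no rule: packet unchanged
```

The difference between the two rule sets is visible with a second client: under `ORIGINAL` a host other than 192.168.3.2 never matches, so its request to 192.168.3.104:80 is not translated at all, while under `SUGGESTED` any client reaches the server through the mapped address. If the real ASA drops a flow this model says should pass untranslated, the place to look is the route lookup that packet-tracer showed, not the NAT match itself.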