Static NAT to backend network

Freddy Andersen
Level 1

I have this setup:

outside <-> [ASA] <-> inside (10.21.30.0/23) <-> [router] <-> inside2 (10.21.40.0/23)

I added this:

static (inside,outside) tcp 1.2.3.180 www 10.21.41.100 www netmask 255.255.255.255
access-list main_acl extended permit ip any host 10.21.41.100
route inside 10.21.40.0 255.255.254.0 10.21.31.1 1

I'm able to ping from the ASA to 10.21.41.100 and back to the ASA from this box, so the route works.

But if I'm outside and telnet to 1.2.3.180 80, it does not work. (Changing the rule to a host on the 10.21.30.0/23 network works fine, so it's a route issue.)

packet-tracer DROPS here:

tpfw01# packet-tracer input outside tcp 4.4.4.4 80 10.21.41.100 80

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   10.21.40.0      255.255.254.0   inside

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group main_acl in interface outside
access-list main_acl extended permit ip any host 10.21.41.100
Additional Information:

Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 4
Type: FOVER
Subtype: standby-update
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
static (inside,outside) tcp 1.2.3.180 www 10.21.41.100 www netmask 255.255.255.255
  match tcp inside host 10.21.41.100 eq 80 outside any
    static translation to 1.2.3.180/80
    translate_hits = 0, untranslate_hits = 3
Additional Information:

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

1 Reply

Jouni Forss
VIP Alumni

Hi,

To me it seems you are opening the traffic to the real IP address rather than the NAT IP address, which is what should be used.

  • If you are running ASA software 8.2 or below/older, you will need to use the NAT IP addresses as the destination address when you make ACL rules
  • If you are running ASA software 8.3 or higher/newer, you will need to use the Real IP addresses as the destination address when you make ACL rules

So in your case above, the ACL should instead be the following:

access-list main_acl permit tcp any host 1.2.3.180 eq 80

Also your "packet-tracer" destination IP address should be the NAT IP address rather than the Real IP address. This is why the "packet-tracer" fails.

- Jouni
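The version-dependent order of operations described in the reply is easy to get wrong, so here is a small Python model of it, added for this thread and not Cisco code or anything the poster ran. It takes the poster's static NAT, route and ACL, plus the ACL from the reply, and walks an outside-to-inside packet through the ACL, NAT untranslation and route lookup in the order a pre-8.3 ASA (where the `static (inside,outside)` syntax comes from) and an 8.3+ ASA would apply them. The model is deliberately simplified (one static rule, one ACL, no object groups, no security-level shortcuts), and the phase names it returns are constructed labels, not exact packet-tracer output.

```python
"""Simplified model of an ASA inbound (outside -> inside) flow check.

Constructed illustration for this thread, not Cisco code. Addresses, the
static NAT, the route and the two ACL variants are the ones in the thread.
"""

from ipaddress import ip_address, ip_network

# Poster's static NAT: mapped 1.2.3.180:80 on outside <-> real 10.21.41.100:80 on inside
STATIC_NAT = {
    "real_if": "inside", "mapped_if": "outside", "proto": "tcp",
    "mapped_ip": "1.2.3.180", "mapped_port": 80,
    "real_ip": "10.21.41.100", "real_port": 80,
}

# Poster's route: inside2 (10.21.40.0/23) is reached via the inside router
ROUTES = [(ip_network("10.21.40.0/23"), "inside", "10.21.31.1")]

# The two candidate ACEs: the poster's (real IP) and the reply's (mapped IP)
ACL_REAL = [{"proto": "ip", "dst": "10.21.41.100", "dport": None}]
ACL_MAPPED = [{"proto": "tcp", "dst": "1.2.3.180", "dport": 80}]


def acl_permits(acl, proto, dst_ip, dst_port):
    """First-match ACL evaluation with the ASA's implicit deny at the end."""
    for ace in acl:
        if ace["proto"] not in ("ip", proto):
            continue
        if ace["dst"] != dst_ip:
            continue
        if ace["dport"] is not None and ace["dport"] != dst_port:
            continue
        return True
    return False


def route_lookup(dst_ip):
    """Longest-prefix match over ROUTES; returns (network, interface, next hop)."""
    best = None
    for net, iface, nexthop in ROUTES:
        if ip_address(dst_ip) in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface, nexthop)
    return best


def inbound_flow(version, acl, dst_ip, dst_port, proto="tcp"):
    """Evaluate a packet arriving on outside; returns (result, phase).

    version is a (major, minor) tuple such as (8, 2) or (8, 4).
    """
    nat = STATIC_NAT
    hits_mapped = (proto == nat["proto"] and dst_ip == nat["mapped_ip"]
                   and dst_port == nat["mapped_port"])
    real_ip, real_port = ((nat["real_ip"], nat["real_port"]) if hits_mapped
                          else (dst_ip, dst_port))

    if version < (8, 3):
        # Pre-8.3: the interface ACL sees the packet as it arrived, i.e. the
        # mapped (NAT) address, because untranslation has not happened yet.
        if not acl_permits(acl, proto, dst_ip, dst_port):
            return "DROP", "ACCESS-LIST (acl-drop)"

    # NAT untranslation. A packet from outside that already carries the real
    # IP of a static rule never matched its mapped address, so the
    # reverse-path check on the translation fails (the poster's packet-tracer).
    if not hits_mapped and dst_ip == nat["real_ip"]:
        return "DROP", "NAT rpf-check"

    if version >= (8, 3):
        # 8.3+: untranslation happens before the ACL, so the ACL sees the real IP.
        if not acl_permits(acl, proto, real_ip, real_port):
            return "DROP", "ACCESS-LIST (acl-drop)"

    route = route_lookup(real_ip)
    if route is None or route[1] != nat["real_if"]:
        return "DROP", "ROUTE-LOOKUP"
    return "ALLOW", "%s -> %s via %s" % (real_ip, route[1], route[2])


if __name__ == "__main__":
    cases = [
        ((8, 2), "poster's ACL (real IP)", ACL_REAL, "1.2.3.180"),
        ((8, 2), "poster's ACL (real IP)", ACL_REAL, "10.21.41.100"),
        ((8, 2), "reply's ACL (mapped IP)", ACL_MAPPED, "1.2.3.180"),
        ((8, 4), "poster's ACL (real IP)", ACL_REAL, "1.2.3.180"),
        ((8, 4), "reply's ACL (mapped IP)", ACL_MAPPED, "1.2.3.180"),
    ]
    for ver, label, acl, dst in cases:
        print("ASA %d.%d, %-24s dst %-13s -> %s (%s)"
              % (ver + (label, dst) + inbound_flow(ver, acl, dst, 80)))
```

On the pre-8.3 branch the model reproduces both symptoms from the thread: a connection to 1.2.3.180:80 is stopped by the ACL because the ACE names the real IP, and the packet-tracer run against 10.21.41.100 gets past the ACL only to fail the NAT reverse-path check. Swapping in the reply's ACE fixes the 8.2 case, while on 8.3+ the real-IP ACE is the one that permits the flow, which is the version split the reply describes.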
