Another NAT Port Forward question

Hi,

I'm trying to do a normal port forward on an ASA 5505 running 9.1(1) and it is not working as it should.

There are two ports that I want to forward, TCP 32000 and TCP 32001, from the outside interface.

First I tried an Auto NAT, which gave an rpf-check drop.

object network SRV
 host 192.168.50.4
 nat (inside,Outside) static interface service 32000 32000

And now I'm trying to do a policy NAT, with the same result.

nat (Outside,inside) source static any any destination static interface H192.168.50.4 service DC_TCL DC_TCL

Here is some of the config:

ASA# sh run object
object network N-192.168.50.0
 subnet 192.168.50.0 255.255.255.0
object network H-192.168.50.4
 host 192.168.50.4
object service DC_TCP
 service tcp destination eq 32000
object service DC_TCL
 service tcp destination eq 32001
object network H192.168.50.4
 host 192.168.50.4
object-group service DM_INLINE_SERVICE_1
 service-object object DC_TCP
 service-object object DC_TCL

ASA# sh run nat
nat (Outside,inside) source static any any destination static interface H192.168.50.4 service DC_TCL DC_TCL
nat (Outside,inside) source static any any destination static interface H192.168.50.4 service DC_TCP DC_TCP
!
object network N-192.168.50.0
 nat (inside,Outside) dynamic interface

ASA# sh run access-list
access-list global_access extended permit ip object N-192.168.50.0 any4
access-list global_access extended permit object-group DM_INLINE_SERVICE_1 any4 host 192.168.50.4

A packet-tracer output:

ASA# packet-tracer input outside tcp 55.55.1.2 11225 192.168.50.4 32000 de$

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   192.168.50.0    255.255.255.0   inside

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group global_access global
access-list global_access extended permit object-group DM_INLINE_SERVICE_1 any4 host 192.168.50.4
object-group service DM_INLINE_SERVICE_1
 service-object object DC_TCP
 service-object object DC_TCL
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xacf82570, priority=12, domain=permit, deny=false
        hits=3, user_data=0xaa90c580, cs_id=0x0, use_real_addr, flags=0x0, protocol=6
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=192.168.50.4, mask=255.255.255.255, port=32000, tag=0 dscp=0x0
        input_ifc=any, output_ifc=any

Phase: 3
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xacc765a0, priority=1, domain=nat-per-session, deny=true
        hits=1270881, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0 dscp=0x0
        input_ifc=any, output_ifc=any

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xacd7fd80, priority=0, domain=inspect-ip-options, deny=true
        hits=1081664, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0 dscp=0x0
        input_ifc=Outside, output_ifc=any

Phase: 5
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
nat (Outside,inside) source static any any destination static interface H192.168.50.4 service DC_TCP DC_TCP
Additional Information:
Forward Flow based lookup yields rule:
out id=0xae1f74d8, priority=6, domain=nat-reverse, deny=false
        hits=3, user_data=0xacf64560, cs_id=0x0, use_real_addr, flags=0x0, protocol=6
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=192.168.50.4, mask=255.255.255.255, port=32000, tag=0 dscp=0x0
        input_ifc=Outside, output_ifc=inside

Result:
input-interface: Outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

ASA# sh xl
309 in use, 1304 most used
Flags: D - DNS, e - extended, I - identity, i - dynamic, r - portmap,
       s - static, T - twice, N - net-to-net
TCP PAT from Outside:0.0.0.0/0 0 to inside:0.0.0.0/0 0
    flags srIT idle 0:42:04 timeout 0:00:00
TCP PAT from inside:192.168.50.4 32001-32001 to Outside:217.208.xxx.xxx 32001-32001
    flags srT idle 0:42:04 timeout 0:00:00
TCP PAT from Outside:0.0.0.0/0 0 to inside:0.0.0.0/0 0
    flags srIT idle 0:41:43 timeout 0:00:00
TCP PAT from inside:192.168.50.4 32000-32000 to Outside:217.208.xxx.xxx 32000-32000
    flags srT idle 0:41:43 timeout 0:00:00


And I'm stuck here. I have tried different configurations for this for several hours now and I can't get it to work.

Could this be asymmetric NAT with the dynamic rule?

How can I troubleshoot this in a smart way?

Glad of any help.  :-)

Regards

2 Replies

Jouni Forss
VIP Alumni

Hi,

There aren't that many reasons this wouldn't work.

I would suggest removing all NAT configurations related to this situation and only configuring the following:

object network STATIC-TCP32000
 host 192.168.50.4
 nat (inside,outside) static interface service tcp 32000 32000
object network STATIC-TCP32001
 host 192.168.50.4
 nat (inside,outside) static interface service tcp 32001 32001
access-list global_access permit tcp any object STATIC-TCP32000 eq 32000
access-list global_access permit tcp any object STATIC-TCP32001 eq 32001

I see that you are using a global ACL. This is nothing I would recommend personally to anyone, though this naturally doesn't make it a bad idea for everyone. I am just more used to using interface-specific rules.

I would suggest using the above type of configuration for port forward configurations instead of the ones you are using now. Using the "any" keyword in the configuration can have the negative effect of applying to more traffic than you want it to. I would therefore suggest avoiding it as much as possible.

Also regarding the "packet-tracer" command you used: don't use the real IP address of the local server in the packet-tracer command. Use the actual NAT IP there.

When you do the "packet-tracer" with the NAT IP address you should see an "UN-NAT" phase among the very first.

Can you try the above changes and perhaps do the "packet-tracer" again and provide the new output here?

- Jouni
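The configuration below is an added example assembled from the advice in this reply; it is not part of the original post or of Jouni's answer. It puts the twice-NAT rules from the question next to the Auto NAT replacement, uses an interface ACL rather than the global one, and ends with the verification commands. Two points the example relies on: manual (twice) NAT rules in section 1 are matched before Auto NAT rules in section 2, so the old rules must go, not just be supplemented; and the Auto NAT `service` keyword takes the protocol (`service tcp 32000 32000`), which the first attempt in the question omits. The object names, the ACL name `outside_access_in`, the test source address 203.0.113.10 and the placeholder `217.208.x.x` for the outside interface address are assumptions for illustration.

```cisco
! --- Rules from the question, kept here only for comparison. These are the ones
!     whose reverse lookup produced the rpf-check DROP in the packet-tracer above.
!   nat (Outside,inside) source static any any destination static interface H192.168.50.4 service DC_TCP DC_TCP
!   nat (Outside,inside) source static any any destination static interface H192.168.50.4 service DC_TCL DC_TCL

! --- Remove them first: section 1 (manual NAT) wins over section 2 (Auto NAT).
no nat (Outside,inside) source static any any destination static interface H192.168.50.4 service DC_TCP DC_TCP
no nat (Outside,inside) source static any any destination static interface H192.168.50.4 service DC_TCL DC_TCL

! --- One Auto NAT object per forwarded port: real port -> same port on the outside interface IP.
!     Note the protocol keyword; "service 32000 32000" without "tcp" is not accepted.
object network STATIC-TCP32000
 host 192.168.50.4
 nat (inside,Outside) static interface service tcp 32000 32000
!
object network STATIC-TCP32001
 host 192.168.50.4
 nat (inside,Outside) static interface service tcp 32001 32001

! --- Interface ACL on the outside (instead of the global ACL). The ACL is evaluated
!     against the REAL (post-UN-NAT) address, so it names the inside host, not the mapped IP.
!     Only these two ports are opened; no "any"-to-"any" rule.
access-list outside_access_in extended permit tcp any object STATIC-TCP32000 eq 32000
access-list outside_access_in extended permit tcp any object STATIC-TCP32001 eq 32001
access-group outside_access_in in interface Outside

! --- Verification. Trace against the MAPPED address (the outside interface IP), not 192.168.50.4.
!     217.208.x.x stands for the outside interface address; 203.0.113.10 is an arbitrary test source.
packet-tracer input Outside tcp 203.0.113.10 11225 217.208.x.x 32000 detailed
! Expected: an early "Type: UN-NAT / Subtype: static" phase showing 217.208.x.x/32000 -> 192.168.50.4/32000,
! an ACCESS-LIST phase matching outside_access_in, and "Action: allow" at the end.

! Confirm rule order and hit counts, and that the static port translations exist:
show nat detail
show xlate | include 192.168.50.4
```

The existing `nat (inside,Outside) dynamic interface` rule on N-192.168.50.0 can stay: within section 2 the static rules are ordered ahead of dynamic ones, so outbound PAT for the rest of the subnet and the two inbound port forwards do not conflict. The reason the original trace failed is visible in the rpf-check phase: with the real address as destination there is no UN-NAT, and the reverse path for 192.168.50.4:32000 would be translated to the interface address, which no longer matches the flow being traced. Tracing against the mapped address is what makes the check meaningful.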

Hi Jouni,

I did some testing this weekend but did not have time to finish. I'll post an update after testing some more.

Regards

M
