
ASA 8.4(1) PAT not working

karblane1, Level 1

Hey!

I have a problem with ASA FW, the static nat is working, but the PAT is not. All the nat configuration is done by the book:

object network clitest
 subnet 192.168.211.0 255.255.255.0
 nat (PROD-VOIP,outside) dynamic x.y.z.61
object network natitest
 host 192.168.211.2
 nat (any,outside) static v2line_progr_59

As I stated before, the static NAT is working, but the dynamic isn't; here is the packet-tracer output:

(packet-tracer input PROD-VOIP rawip 192.168.210.2 22 81.211.22.2)

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         outside

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group PROD-VOIP_access_in in interface PROD-VOIP
access-list PROD-VOIP_access_in extended permit ip any any log debugging
Additional Information:

Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 4
Type: NAT
Subtype:
Result: DROP
Config:
object network test
 nat (PROD-VOIP,outside) dynamic x.y.z.61
Additional Information:

Result:
input-interface: PROD-VOIP
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

I have also tried changing the x.y.z to the outside interface:

nat (PROD-VOIP,outside) dynamic interface

and to other objects but nothing seems to be helping.

Any Ideas?


4 Replies

Shrikant Sundaresh, Cisco Employee

Hey,

I think the 2nd NAT rule you have, is interfering with the NAT process.

Having the source interface as "any" doesn't really make sense, and is known to cause problems with NAT.

Please try the same thing with this configuration:

object network clitest
 subnet 192.168.211.0 255.255.255.0
 nat (PROD-VOIP,outside) dynamic x.y.z.61
object network natitest
 host 192.168.211.2
 nat (PROD-VOIP,outside) static v2line_progr_59

(assuming 192.168.211.2 is off PROD-VOIP)

Also, I think it's a typo over here, but the packet-tracer you ran was with 192.168.210.. and the rules were for .211.

However, I assume you get the same result with matching rules and packet-tracer.

Hope this helps.

-Shrikant

P.S.: Please mark this question as answered if it has been resolved. Do rate helpful posts. Thanks.

Thanks for the feedback, I changed the configuration like you told me, but no luck.

Output from packet-tracer for static NAT, which is working:

packet-tracer input inside rawip 192.168.211.2 22 88.77.66.55

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         outside

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group PUB-Wifi_access_in in interface inside
access-list PUB-Wifi_access_in extended permit ip any any
Additional Information:

Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 4
Type: NAT
Subtype:
Result: ALLOW
Config:
object network natitest
 nat (inside,outside) static v2line_progr_59
Additional Information:
Static translate 192.168.211.2/0 to x.y.z.59/0

Phase: 5
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 1500, packet dispatched to next module

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow

But the dynamic NAT is still not working:

packet-tracer input inside rawip 192.168.211.3 22 88.77.66.55

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         outside

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group PUB-Wifi_access_in in interface inside
access-list PUB-Wifi_access_in extended permit ip any any
Additional Information:

Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 4
Type: NAT
Subtype:
Result: DROP
Config:
object network clitest
 nat (inside,outside) dynamic x.y.z.61
Additional Information:

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

The inside and outside interfaces are also correct (I changed the configuration a bit from last time).

Log entry:

7|Jun 14 2011 18:22:19|609001: Built local-host inside:192.168.211.3
7|Jun 14 2011 18:22:19|609001: Built local-host outside:33.44.55.66
3|Jun 14 2011 18:22:19|305006: regular translation creation failed for protocol 23 src inside:192.168.211.3 dst outside:33.44.55.66
7|Jun 14 2011 18:22:19|609002: Teardown local-host inside:192.168.211.3 duration 0:00:00
7|Jun 14 2011 18:22:19|609002: Teardown local-host outside:33.44.55.66 duration 0:00:00
5|Jun 14 2011 18:22:21|111008: User 'enable_15' executed the 'packet-tracer input inside rawip 192.168.211.3 23 33.44.55.66' command.

Any ideas?

Hi,

I had a closer look at the packet-tracer command you were using, and I saw that you were using IP protocol number 22.

The protocol according to http://en.wikipedia.org/wiki/List_of_IP_protocol_numbers is XNS-IDP, which may not support port numbers and thus cannot be PAT. However, you can do a static 1-to-1 NAT, because only the IP address needs to be changed in that NAT rule.

If you try a packet-tracer for tcp, udp or icmp (which should hit the dynamic PAT rule), you should see them succeed.

Hope this helps.

-Shrikant

P.S.: Please mark this question as answered if it has been resolved. Do rate helpful posts. Thanks.
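To make the distinction in the answer above concrete, here is an added example (not code from the thread or from Cisco) that models the ASA NAT phase for the thread's two object NAT rules and replays its three packet-tracer probes: a rawip probe from the static host translates, the same probe from a host covered only by the dynamic PAT rule is dropped, and a TCP probe gets a mapped port. The rule and packet structures, the rule ordering, the port allocator and the verdict text are my own simplifications (assumptions), and 203.0.113.x stands in for the redacted x.y.z addresses.

```python
"""Toy model of the ASA NAT phase discussed above: static one-to-one NAT only
rewrites the IP address, dynamic PAT also needs a port (or ICMP identifier), so
a rawip probe can match the static rule but never the PAT rule.
Added example, not Cisco code. Rule ordering, the port allocator and the verdict
text are simplifications (assumptions); 203.0.113.x stands in for x.y.z."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

# Protocols carrying something PAT can rewrite: TCP/UDP ports, ICMP identifiers.
PAT_CAPABLE = {"tcp", "udp", "icmp"}

@dataclass
class NatRule:
    name: str       # object network name
    real: str       # real host/subnet in CIDR form
    kind: str       # "static" (1:1) or "dynamic" (PAT to one mapped address)
    mapped: str     # mapped address
    ingress: str    # real interface; "any" matches every interface

@dataclass
class Packet:
    ingress: str
    proto: str                      # "tcp", "udp", "icmp" or "rawip"
    src: str
    dst: str
    sport: Optional[int] = None     # port or ICMP identifier, None for rawip
    ipproto: Optional[int] = None   # IP protocol number for rawip probes

@dataclass
class Verdict:
    action: str                     # "allow" or "drop"
    detail: str
    mapped_src: Optional[str] = None
    mapped_port: Optional[int] = None

class PortAllocator:
    """Deterministic mapped-port pool per (mapped address, proto), from 1024 up."""

    def __init__(self) -> None:
        self._next: Dict[tuple, int] = {}

    def take(self, mapped: str, proto: str) -> int:
        port = self._next.get((mapped, proto), 1024)
        self._next[(mapped, proto)] = port + 1
        return port

def ordered_rules(rules: List[NatRule]) -> List[NatRule]:
    # Object NAT: static rules before dynamic, then longest real prefix first,
    # so the /32 static for .2 is tried before the /24 dynamic rule.
    return sorted(rules, key=lambda r: (r.kind != "static",
                                        -ipaddress.ip_network(r.real).prefixlen))

def nat_phase(rules: List[NatRule], pkt: Packet, ports: PortAllocator) -> Verdict:
    src = ipaddress.ip_address(pkt.src)
    for rule in ordered_rules(rules):
        if rule.ingress not in ("any", pkt.ingress):
            continue
        if src not in ipaddress.ip_network(rule.real):
            continue
        if rule.kind == "static":
            # Only the address changes, so the probe's protocol is irrelevant.
            return Verdict("allow", f"Static translate {pkt.src} to {rule.mapped}",
                           rule.mapped, pkt.sport)
        if pkt.proto in PAT_CAPABLE and pkt.sport is not None:
            mport = ports.take(rule.mapped, pkt.proto)
            return Verdict("allow", f"Dynamic translate {pkt.src}/{pkt.sport} "
                           f"to {rule.mapped}/{mport}", rule.mapped, mport)
        # What syslog 305006 reports: nothing to rewrite a port with.
        return Verdict("drop", f"regular translation creation failed for "
                       f"protocol {pkt.ipproto}")
    return Verdict("allow", "no NAT rule matched, forwarded untranslated")

# The thread's final configuration (mapped addresses are stand-ins).
THREAD_RULES = [
    NatRule("clitest", "192.168.211.0/24", "dynamic", "203.0.113.61", "inside"),
    NatRule("natitest", "192.168.211.2/32", "static", "203.0.113.59", "inside"),
]

def thread_probes() -> Dict[str, Verdict]:
    """Replays the three packet-tracer probes from the thread."""
    ports = PortAllocator()
    probes = {
        # packet-tracer input inside rawip 192.168.211.2 22 88.77.66.55
        "static_rawip": Packet("inside", "rawip", "192.168.211.2", "88.77.66.55", ipproto=22),
        # packet-tracer input inside rawip 192.168.211.3 22 88.77.66.55
        "dynamic_rawip": Packet("inside", "rawip", "192.168.211.3", "88.77.66.55", ipproto=22),
        # packet-tracer input inside tcp 192.168.211.3 20441 120.120.120.120 120
        "dynamic_tcp": Packet("inside", "tcp", "192.168.211.3", "120.120.120.120", sport=20441),
    }
    return {name: nat_phase(THREAD_RULES, p, ports) for name, p in probes.items()}

if __name__ == "__main__":
    for name, v in thread_probes().items():
        print(f"{name:14s} {v.action:5s} {v.detail}")
```

Running the module prints one verdict per probe. The point to take away is the branch in nat_phase: a static rule returns before the protocol is ever examined, while the dynamic rule has to find a source port or identifier to rewrite and drops the packet when a rawip probe has none.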

packet-tracer input inside rawip 192.168.211.3 80 44.55.66.77

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         outside

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group PUB-Wifi_access_in in interface inside
access-list PUB-Wifi_access_in extended permit ip any any
Additional Information:

Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 4
Type: NAT
Subtype:
Result: DROP
Config:
object network clitest
 nat (inside,outside) dynamic x.y.z.61
Additional Information:

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

So then I tried the TCP approach:

packet-tracer input inside tcp 192.168.211.3 20441 120.120.120.120 120

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         outside

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group PUB-Wifi_access_in in interface inside
access-list PUB-Wifi_access_in extended permit ip any any
Additional Information:

Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 4
Type: NAT
Subtype:
Result: ALLOW
Config:
object network clitest
 nat (inside,outside) dynamic 81.20.146.61
Additional Information:
Dynamic translate 192.168.211.3/20441 to x.y.z.61/16848

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 1602, packet dispatched to next module

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow

So it seems that the problem was that I used packet-tracer incorrectly.
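As an added example for working through output like the transcripts in this thread (not code from the thread or from Cisco), the following parses packet-tracer output into its phases, pulls the protocol number and endpoints out of a 305006 syslog line, and pairs the two to explain a NAT-phase drop that packet-tracer itself only reports as the generic (acl-drop) reason. SAMPLE_TRACE and SAMPLE_LOG are constructed from the posts above, condensed to two phases, with 203.0.113.61 standing in for x.y.z.61; the diagnose() heuristic is my own assumption about how to read the two together, not ASA behaviour.

```python
"""Parser for ASA packet-tracer output plus the 305006 syslog line from the
thread, so a NAT-phase drop is attributed automatically. Added example, not
Cisco code: samples are condensed from the thread (203.0.113.61 stands in
for x.y.z.61); diagnose() is my own heuristic (assumption)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed from the thread's dynamic-rule trace; phases 2 and 3 omitted.
SAMPLE_TRACE = """\
Phase: 1
Type: ROUTE-LOOKUP
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         outside

Phase: 4
Type: NAT
Subtype:
Result: DROP
Config:
object network clitest
 nat (inside,outside) dynamic 203.0.113.61
Additional Information:

Result:
input-interface: inside
output-interface: outside
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""
SAMPLE_LOG = ("3|Jun 14 2011 18:22:19|305006: regular translation creation failed "
              "for protocol 23 src inside:192.168.211.3 dst outside:33.44.55.66")

# IP protocol numbers that carry a port or identifier dynamic PAT can rewrite.
PAT_CAPABLE_PROTOCOLS = {1: "icmp", 6: "tcp", 17: "udp"}
LOG_305006 = re.compile(
    r"305006: regular translation creation failed for protocol (?P<proto>\d+) "
    r"src (?P<src_if>[\w-]+):(?P<src>\S+) dst (?P<dst_if>[\w-]+):(?P<dst>\S+)")

@dataclass
class Phase:
    number: int
    type: str = ""
    result: str = ""
    config: List[str] = field(default_factory=list)
    info: List[str] = field(default_factory=list)

@dataclass
class Trace:
    phases: List[Phase]
    action: str = ""
    drop_reason: Optional[str] = None

def parse_packet_tracer(text: str) -> Trace:
    trace, cur, section, summary = Trace([]), None, None, False
    for line in (ln.strip() for ln in text.splitlines() if ln.strip()):
        key, _, val = line.partition(":")
        val = val.strip()
        if key == "Phase":
            cur, section = Phase(int(val)), None
            trace.phases.append(cur)
        elif line == "Result:":            # bare "Result:" opens the final summary
            summary, cur = True, None
        elif summary:
            if key == "Action":
                trace.action = val
            elif key == "Drop-reason":
                trace.drop_reason = val
        elif cur is None:
            continue
        elif line in ("Config:", "Additional Information:"):
            section = "config" if key == "Config" else "info"
        elif section is not None:          # body lines of the current section
            getattr(cur, section).append(line)
        elif key in ("Type", "Result"):
            setattr(cur, key.lower(), val)
    return trace

def first_drop(trace: Trace) -> Optional[Phase]:
    return next((p for p in trace.phases if p.result == "DROP"), None)

def parse_305006(line: str) -> Optional[Dict[str, str]]:
    m = LOG_305006.search(line)
    return m.groupdict() if m else None

def diagnose(trace: Trace, log_line: Optional[str] = None) -> str:
    """Explain a drop; the generic (acl-drop) reason says nothing about NAT."""
    phase = first_drop(trace)
    if phase is None:
        return "no phase dropped the packet"
    if phase.type != "NAT":
        return f"dropped in phase {phase.number} ({phase.type}): {trace.drop_reason}"
    event = parse_305006(log_line) if log_line else None
    if (any("dynamic" in c for c in phase.config) and event
            and int(event["proto"]) not in PAT_CAPABLE_PROTOCOLS):
        return (f"dynamic PAT matched but IP protocol {event['proto']} has no port "
                f"to translate; rerun packet-tracer with tcp, udp or icmp")
    return "NAT phase dropped the packet under: " + " | ".join(phase.config)
```

Call diagnose(parse_packet_tracer(text), log_line) with a trace pasted from the console and the matching 305006 line from show logging; without the log line it still names the NAT rule the drop happened under, which is more than the (acl-drop) text tells you.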
