12-27-2013 09:29 PM - edited 03-11-2019 08:22 PM
Hi everyone,
I wanted to create a static NAT by following Cisco's documentation for ASA 9.1 firmware. The inside network is using PAT without any issues, but the ASA is not doing NAT for some internal servers from outside. I tried to troubleshoot but I have nothing else left to check. Can you please look at my config and let me know if there is anything wrong? I am trying to use a permit-all ACL until my config works. Thanks.
ASA Version 9.1(4)
!
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
!
multicast-routing
!
interface GigabitEthernet0/0
nameif INSIDE
security-level 100
ip address 10.10.1.5 255.255.255.252
ospf message-digest-key 1 md5 *****
ospf authentication message-digest
!
interface GigabitEthernet0/1
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
speed 100
duplex full
nameif OUTSIDE
security-level 0
ip address 1.4.18.194 255.255.255.192
!
interface Management0/0
shutdown
no nameif
no security-level
no ip address
!
boot system disk0:/asa914-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
domain-name net
same-security-traffic permit intra-interface
object network WEB
host 10.100.2.104
object network RAS
host 10.100.99.2
object network box
host 10.120.1.201
object network inside_network
subnet 10.0.0.0 255.0.0.0
access-list OUTSIDE_IN extended permit icmp any any
access-list OUTSIDE_IN extended permit ip any any
access-list OUTSIDE_IN extended permit gre any any
!
mtu INSIDE 1500
mtu OUTSIDE 1500
ip verify reverse-path interface OUTSIDE
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-715.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
!
object network WEB
nat (INSIDE,OUTSIDE) static 1.4.18.195
object network RAS
nat (INSIDE,OUTSIDE) static 1.4.18.196
object network box
nat (INSIDE,OUTSIDE) static 1.4.18.198
object network inside_network
nat (INSIDE,OUTSIDE) dynamic interface
access-group OUTSIDE_IN in interface OUTSIDE
!
router ospf 10
router-id 10.10.1.5
network 10.10.1.4 255.255.255.252 area 0
log-adj-changes
default-information originate metric 95
!
dynamic-access-policy-record DfltAccessPolicy
service resetoutside
!
tls-proxy maximum-session 1000
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
!
class-map inspection_default
match default-inspection-traffic
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect pptp
inspect icmp
inspect ipsec-pass-thru
inspect mgcp
inspect http
!
service-policy global_policy global
prompt hostname context
12-28-2013 08:38 AM
Hi,
I would start with testing the NAT that is not working with "packet-tracer" command.
Simulate/Test some connection coming from the public network with the command
packet-tracer input OUTSIDE tcp 1.1.1.1 12345
You did not mention the Static NAT that is not working (unless the problem is with all of them) so insert the correct NAT IP to the above command.
Do you have a default route configured on the ASA at all? I can't see it in the above output, at least.
Have you checked the ASAs routing table? Does it include the source address of the Static NAT that is working? Just wondering if there is a routing problem.
- Jouni
12-28-2013 09:23 PM
Hi Jouni,
Yes, there is a static route (it was deleted from the posted config by accident) pointing to the outside interface.
Problem is with all of Static NAT entries. I do not have any issues with any internal routing and I can easily ping my outside gateway.
I will try packet-tracer and see what it shows.
Thanks
John
12-31-2013 08:16 AM
Hi,
After checking with packet-tracer, I've found that the inbound connection looks like it is failing because of the rpf-check. How can I make sure that return traffic from the servers follows its original NAT connection back?
John
12-31-2013 02:28 PM
Hi,
The most common reason that "packet-tracer" might fail at the RPF check is if you use the actual private IP address as the destination in the "packet-tracer" command.
That, or some problem with the NAT configuration, but that doesn't seem likely considering your simple NAT configuration.
It would still help to see the actual "packet-tracer" output I suggested originally.
You should be seeing an UN-NAT phase at the very start of the output, which would tell you that the destination address of the "packet-tracer" matches one of your NAT configurations. Then you should see an ACCESS-LIST phase which shows an interface ACL allowing the connection.
- Jouni
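As an added example (not from this thread, and not a Cisco tool): a short Python script that pulls the static object NAT entries out of the posted config, checks that each mapped address falls inside the OUTSIDE interface subnet, and builds the packet-tracer commands with the public (mapped) address as the destination, which is the point of the reply above. It also classifies a candidate packet-tracer destination as the mapped side or the real (private) side of a static NAT, so the common mistake is caught before the trace is run. The config excerpt is copied from the poster's configuration; the function names and the source 1.1.1.1 port 12345 (taken from Jouni's command) are this example's own assumptions.

```python
"""Extract ASA static object NAT entries from a running-config and build the
packet-tracer commands that exercise them from the OUTSIDE interface.

Added example; the only thing taken from the thread is the config excerpt.
"""
import ipaddress
import re
from dataclasses import dataclass

# Constructed excerpt of the posted ASA 9.1 config (just the lines needed here).
ASA_CONFIG = """\
interface GigabitEthernet0/0
 nameif INSIDE
 security-level 100
 ip address 10.10.1.5 255.255.255.252
!
interface GigabitEthernet0/3
 nameif OUTSIDE
 security-level 0
 ip address 1.4.18.194 255.255.255.192
!
object network WEB
 host 10.100.2.104
object network RAS
 host 10.100.99.2
object network box
 host 10.120.1.201
object network inside_network
 subnet 10.0.0.0 255.0.0.0
object network WEB
 nat (INSIDE,OUTSIDE) static 1.4.18.195
object network RAS
 nat (INSIDE,OUTSIDE) static 1.4.18.196
object network box
 nat (INSIDE,OUTSIDE) static 1.4.18.198
object network inside_network
 nat (INSIDE,OUTSIDE) dynamic interface
"""

NAT_RE = re.compile(r"nat \((\w+),(\w+)\) static (\S+)")


@dataclass
class StaticNat:
    name: str       # object network name
    real_ip: str    # private address behind the firewall
    mapped_ip: str  # public address the outside world connects to
    src_if: str     # real interface, e.g. INSIDE
    dst_if: str     # mapped interface, e.g. OUTSIDE


def parse_interfaces(cfg):
    """Return {nameif: ip_interface} for every interface with a nameif and address."""
    ifaces, name, addr = {}, None, None
    for line in cfg.splitlines():
        s = line.strip()
        if s.startswith("interface ") or s == "!":
            if name and addr:
                ifaces[name] = addr
            name, addr = None, None
        elif s.startswith("nameif "):
            name = s.split()[1]
        elif s.startswith("ip address "):
            ip, mask = s.split()[2:4]
            addr = ipaddress.ip_interface(f"{ip}/{mask}")  # accepts dotted masks
    if name and addr:
        ifaces[name] = addr
    return ifaces


def parse_object_nat(cfg):
    """Return StaticNat entries. ASA shows each object twice (host/subnet first,
    nat statement later), so both passes are keyed on the object name."""
    hosts, nats, cur = {}, {}, None
    for line in cfg.splitlines():
        s = line.strip()
        if s.startswith("object network "):
            cur = s.split()[2]
        elif cur and s.startswith("host "):
            hosts[cur] = s.split()[1]
        elif cur and (m := NAT_RE.match(s)):
            nats[cur] = (m.group(1), m.group(2), m.group(3))
    return [StaticNat(n, hosts[n], mapped, src, dst)
            for n, (src, dst, mapped) in nats.items() if n in hosts]


def check_mapped_addresses(nats, ifaces):
    """Warn when a mapped address is not on the mapped interface's subnet (the
    upstream router then needs a route for it) or collides with the interface IP."""
    problems = []
    for n in nats:
        out = ifaces.get(n.dst_if)
        if out is None:
            problems.append(f"{n.name}: no interface named {n.dst_if}")
            continue
        mapped = ipaddress.ip_address(n.mapped_ip)
        if mapped not in out.network:
            problems.append(f"{n.name}: {n.mapped_ip} is outside {out.network} on {n.dst_if}")
        elif mapped == out.ip:
            problems.append(f"{n.name}: {n.mapped_ip} is the {n.dst_if} interface address")
    return problems


def packet_tracer_cmd(n, src="1.1.1.1", sport=12345, proto="tcp", dport=80):
    """Trace an inbound connection to the *mapped* (public) address; using the
    real address instead is the mistake that surfaces as an rpf-check failure."""
    return f"packet-tracer input {n.dst_if} {proto} {src} {sport} {n.mapped_ip} {dport}"


def classify_destination(dst_ip, nats):
    """('mapped', name) is the right side to trace; ('real', name) is the wrong side."""
    for n in nats:
        if dst_ip == n.mapped_ip:
            return ("mapped", n.name)
        if dst_ip == n.real_ip:
            return ("real", n.name)
    return ("unknown", None)


if __name__ == "__main__":
    ifaces = parse_interfaces(ASA_CONFIG)
    nats = parse_object_nat(ASA_CONFIG)
    for p in check_mapped_addresses(nats, ifaces):
        print("WARN", p)
    for n in nats:
        print(packet_tracer_cmd(n))
    print(classify_destination("10.100.2.104", nats))  # ('real', 'WEB'): wrong side
```

Paste the printed packet-tracer lines into the ASA and look for the UN-NAT phase first; if you had typed 10.100.2.104 as the destination, classify_destination flags it as the real side before you waste a trace on it.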
12-29-2013 05:57 AM
Are your internal servers reachable on a particular port, for instance 80/443?
The NAT statements look fine to me, very basic.
Your access-list is wide open, no problem there either.
Try, from another internet connection, to telnet to one of your public IP addresses on an open port (80/443).
---
Posted by WebUser Erik Boss from Cisco Support Community App
12-29-2013 08:26 PM
Hi,
Yes, my internal servers are reachable; I do not have any other firewall on the servers blocking those ports. I do not think I have any routing or firewall problem. I do not know what I am missing.
Thanks
John