02-22-2018 10:51 AM - edited 02-21-2020 07:24 AM
Hi, I have a 5506-X that was running 9.6 with a simple setup that had a small external switch to bridge the inside, firepower, and our network together.
I upgraded to 9.9(1) and wanted to make use of the new BVI feature and eliminate the external switch.
I set up a BVI with our 192.168.1.0/24 network and then set up interfaces 2, 7, and 8 as part of the bridge group and hooked it all up.
Everything is working and communicating fine except for one thing: the NAT rule to RDP into our inside-server no longer works.
When I test the internal port (3389) from inside it shows listening, but when I test the external port from outside (33320) it shows filtered.
When I test from outside, I get a log "Routing failed to locate next hop for TCP from outside:x.x.x.x/12345 to int.1:y.y.y.y/33320", and the packet is dropped with "No valid adjacency".
What's weird is that egress interface "int.1" is correct but the y.y.y.y/33320 is my outside IP and the external port when it should be the IP and port of my inside-server.
It's as if it's trying to send it back out the default route because it can't find the internal route.
Yet my ARP table shows the inside-server with the correct IP and MAC sitting there.
What's interesting is that when I use the packet tracer, the Un-NAT phase matches the correct rule and shows "NAT divert to egress interface int.1 Untranslate y.y.y.y/33320 to 192.168.1.20/3389", and that's exactly correct.
Frustrated,
Scott
Hardware: ASA5506, 4096 MB RAM, CPU Atom C2000 series 1250 MHz, 1 CPU (4 cores)
ASA Version 9.9(1)
!
hostname ciscoasa
!
interface GigabitEthernet1/1
nameif outside
security-level 0
ip address dhcp setroute
!
interface GigabitEthernet1/2
bridge-group 1
nameif int.1-2
security-level 100
!
interface GigabitEthernet1/3
bridge-group 99
nameif wifi.99-3
security-level 100
!
interface GigabitEthernet1/4
bridge-group 99
nameif wifi.99-4
security-level 100
!
interface GigabitEthernet1/5
bridge-group 99
nameif wifi.99-5
security-level 100
!
interface GigabitEthernet1/6
shutdown
nameif dmz.6
security-level 50
ip address 192.168.6.1 255.255.255.0
!
interface GigabitEthernet1/7
bridge-group 1
nameif int.1-7
security-level 100
!
interface GigabitEthernet1/8
bridge-group 1
nameif int.1-8
security-level 100
!
interface Management1/1
management-only
no nameif
no security-level
no ip address
!
interface BVI1
nameif int.1
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface BVI99
nameif wifi.99
security-level 100
ip address 192.168.99.1 255.255.255.0
!
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network public_ip
host y.y.y.y
object network inside-server
host 192.168.1.20
object service RDP-33320
service tcp destination eq 33320
object service RDP-3389
service tcp destination eq 3389
access-list outside_access_in_1 extended permit object RDP-3389 any object sc0tt-pc log emergencies
nat (outside,any) source static any any destination static interface inside-server service RDP-33320 RDP-3389 no-proxy-arp
!
object network obj_any
nat (any,outside) dynamic interface
access-group outside_access_in_1 in interface outside
02-22-2018 06:32 PM
Hi
Although everything looks straight, I'd change this statement "nat (outside,any)" and I'd actually put the destination interface here instead of any.
-If I helped you somehow, please, rate it as useful.-
03-22-2018 08:34 AM
I believe I am being impacted by this gap in functionality as well.
Please Cisco fix this issue with the bvi and NAT statements.
03-23-2018 01:42 AM
I have a question/curiosity: what's the logic of using nameif for the physical interfaces part of one bridge group?
My understanding is that all those interfaces part of bridge group act as L2 interfaces while nameif should be ON for any L3 interfaces where intervlan_routing and firewall_access is being used.
03-24-2018 04:13 PM
They do, all interfaces that are part of a bridge group receive copies of all traffic on each of the interfaces including broadcasts. BUT, when setting up NAT rules, they must be duplicated for each physical interface. IMHO the physical interfaces that are part of a bridge group should not have nameifs and they should never be addressed directly in any rules of any kind - rather, only the bridge-group name should be used. Consider that if you used only one physical interface, but then added a small switch to it like we've always had to - then you would not have to repeat the NAT rules. This is a bug or oversight imho.
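The per-member-interface workaround the replies above describe, written out as an added configuration sketch (not from the original posters or from Cisco); it reuses the object and interface names from the posted config and assumes, as the thread reports, that a twice-NAT rule must name a bridge-group member interface rather than the BVI or "any":

```text
! Added example, not part of the thread: one twice-NAT rule per physical member
! of bridge-group 1, naming that member as the destination interface instead of "any".
! Objects and interface names (int.1-2, int.1-7, int.1-8) are from the config posted above.
object network inside-server
 host 192.168.1.20
object service RDP-33320
 service tcp destination eq 33320
object service RDP-3389
 service tcp destination eq 3389
!
! Original rule from the post (reported to fail with "No valid adjacency" on the BVI setup):
! nat (outside,any) source static any any destination static interface inside-server service RDP-33320 RDP-3389 no-proxy-arp
!
! Replacement: repeat the rule once for each bridge-group 1 member interface.
nat (outside,int.1-2) source static any any destination static interface inside-server service RDP-33320 RDP-3389 no-proxy-arp
nat (outside,int.1-7) source static any any destination static interface inside-server service RDP-33320 RDP-3389 no-proxy-arp
nat (outside,int.1-8) source static any any destination static interface inside-server service RDP-33320 RDP-3389 no-proxy-arp
!
! Verification from the CLI (x.x.x.x is a constructed external source, y.y.y.y the outside address):
! packet-tracer input outside tcp x.x.x.x 12345 y.y.y.y 33320
! show nat detail
! show asp drop
```

The packet-tracer output should now end in an ALLOW with the egress interface being the member port the inside-server's MAC was learned on, and the "no valid adjacency" counter in show asp drop should stop increasing for this flow.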
04-03-2018 06:39 AM
Hi Scott,
With respect to the NAT statements I'm seeing the same behavior. However, in addition to having to configure a series of NAT statements for each port, I'm also running into the behavior that wants the correct physical nameif and correct inside HOST IP combination (I'm using DNATs) to be the first in the series of statements or it doesn't work.
Just wondering if you are able to confirm that additional behavior as well?