Hi,Try the following commands

SebastianV · ‎07-08-2015

Greetings,

I am scratching my head over the following problem;

Client has an ASA5550 with 1 public ip address + gateway. Client also ordered a /28 public subnet from the provider. This /28 (let's say 6.6.6.64/28) is routed to the ASA.

Configuration:

ASA5550 with SSM, ASA 9.1(4), ASDM 7.4(2)

outside: g1/1.128 (provider uses vlans, don't ask me why), let's say 5.5.5.77/24 with 5.5.5.1 as the gateway.

inside: g1/1, 192.168.1.1/24

Only those interfaces are up since they are connected to other devices.

Challenge: I need to set up nat rules using ip's from the public /28 subnet to inside hosts, for example I need to nat 6.6.6.67 to 192.168.1.6 for RDP.

Actions so far:

I created:

- dmz interface on g1/1.99 (6.6.6.78/28), I used g1/1 since this interface is up. Security level 50.

- network object TESTSRV with static one-to-one nat for 192.168.1.6, translated address 6.6.6.67, source if=inside, dest if=dmz

- network object IP-6.6.6.67 with host 6.6.6.67

- access rule: dmz incoming, source: HOST_OUTSIDE, dest: TESTSRV

- access rule: outside incoming, source: HOST_OUTSIDE, dest: IP-6.6.6.67

Both access rules are triggered. Packet traces show that everything is fine and allowed. TCP connection from HOST_OUTSIDE to TESTSRV is build, but nothing happens after that.

I consider this to be hairpinning on the DMZ interface, but am confused as how to proceed.

Any thoughts greatly appreciated.

prateek.verma · ‎07-08-2015

Hi,

Try the following commands:

no nat (outside,dmz) source static DM_INLINE_NETWORK_5 DM_INLINE_NETWORK_5 destination static IP-6.6.6.67 IP-6.6.6.67 no-proxy-arp route-lookup
object network IP-6.6.6.67-1
host 6.6.6.67
nat (dmz,outside) static DM_INLINE_NETWORK_5 tcp 3389 3389

Then try to run packet tracer:

packet-tracer input outside tcp 4.2.2.2 1024 192.168.1.6 3389 de

Please paste the output if it doesn't work

Regards,

Prateek Verma

(ASA 9.x) public subnet behind ASA, nat from this subnet to inside host