ASA nat issue

ASA Version 9.2(2)4

I am having an issue creating a NAT for my web server after following the suggested sample from this link.

Here is my config

Webserver: 192.168.16.28

Public IP: 80.248.12.189

object network Web
 host 192.168.16.28
 nat (inside,outside) static 80.248.12.189 service tcp 8080 8080

access-list outside-in extended permit ip any host 192.168.16.28

access-group outside-in in interface outside

I have another web server with similar config above which is working fine.

 

Please help with this issue; I have tried different configs to no avail.
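As an added example that is not part of this thread, here is a small Python checker that parses object NAT and inbound ACL lines in the form shown above and flags three things a reviewer looks for: two static NATs claiming the same mapped IP:port on the same interface pair, an ACL that names the mapped address instead of the real host (since ASA 8.3 ACLs use untranslated addresses), and an ACL broader than the translated protocol/port. The sample config is constructed: object Web3 and the last ACL line are assumptions added so that each finding is visible.

```python
import re
from collections import Counter
# Constructed sample modelled on the thread's config (not a real ASA export);
# object Web3 and the last ACL line are assumptions added so every finding fires.
SAMPLE_CONFIG = """
object network Web
 host 192.168.16.28
 nat (inside,outside) static 80.248.12.189 service tcp 8080 8080
object network Web2
 host 192.168.16.29
 nat (inside,outside) static 80.248.12.183 service tcp 8080 8080
object network Web3
 host 192.168.16.30
 nat (inside,outside) static 80.248.12.189 service tcp 8080 8080
access-list outside-in extended permit ip any host 192.168.16.28
access-list outside-in extended permit tcp any host 192.168.16.29 eq 8080
access-list outside-in extended permit tcp any host 80.248.12.189 eq 8080
"""
NAT_RE = re.compile(r"nat \((\w+),(\w+)\) static (\S+) service (tcp|udp) (\S+) (\S+)$")
ACL_RE = re.compile(r"access-list (\S+) extended permit (\S+) any host (\S+)(?: eq (\S+))?$")

def parse_config(config):
    # Collect object-NAT rules (real host -> mapped ip/port) and inbound ACL entries.
    nats, acls, real = [], [], None
    for line in config.splitlines():
        line = line.strip()
        if line.startswith("object network "):
            real = None                      # new object; its host line follows
        elif line.startswith("host "):
            real = line.split()[1]
        elif (m := NAT_RE.match(line)) and real:
            nats.append(dict(real=real, out=m[2], mapped=m[3], proto=m[4], rport=m[5], mport=m[6]))
        elif m := ACL_RE.match(line):
            acls.append(dict(proto=m[2], host=m[3], port=m[4]))
    return nats, acls

def check_nat(config):
    # Return the findings a reviewer would raise against the NAT/ACL pairing.
    nats, acls = parse_config(config)
    # 1. Two static NATs may not claim the same mapped ip:port on the same interface.
    seen = Counter((n["out"], n["mapped"], n["proto"], n["mport"]) for n in nats)
    findings = [f"conflict: {k[1]} {k[2]}/{k[3]} mapped {c} times" for k, c in seen.items() if c > 1]
    mapped_ips = {n["mapped"] for n in nats}
    for a in acls:
        # 2. Since ASA 8.3 the inbound ACL must reference the real (untranslated) address.
        if a["host"] in mapped_ips:
            findings.append(f"acl uses mapped address {a['host']}; reference the real host instead")
        # 3. Least privilege: permit only the translated protocol/port, not 'ip'.
        for n in nats:
            if n["real"] == a["host"] and (a["proto"], a["port"]) != (n["proto"], n["rport"]):
                findings.append(f"acl for {a['host']} is broader than NAT {n['proto']}/{n['rport']}")
    return findings
```

Web2 (a different public IP on the same port 8080) produces no finding, while Web and Web3 collide because they share one mapped IP:port.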

 

6 Replies

Hi

If you run a packet-tracer, what is the result?

-If I helped you somehow, please, rate it as useful.-

Here is the result of packet-tracer:

 

JEE-LAG# packet-tracer input inside tcp 80.248.12.189 8080 192.168.16.28 8080

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
in 192.168.16.0 255.255.255.0 inside

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside-out in interface inside
access-list inside-out extended permit ip any any
Additional Information:

Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 6857867, packet dispatched to next module

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: allow

JEE-LAG#

I have another web server using public IP 80.248.12.183 with a similar config to this new one I am trying to create, also on port 8080. Is there any problem using port 8080 for another web server?

You can't. The firewall needs to have a different port externally in order to redirect correctly. Internally it is OK to have the same port.

As per the packet-tracer, everything looks OK in terms of config.

-If I helped you somehow, please, rate it as useful.-

Very sorry to bother you.

Since I am not familiar with the packet-tracer command, I am sending you another one with the input being the internal address, hence the packet drop at the end of the result:

 

JEE-LAG# packet-tracer input inside tcp 192.168.16.28 8080 80.248.12.189 8080

Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
in 80.248.12.128 255.255.255.192 outside

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside-out in interface inside
access-list inside-out extended permit ip any any
Additional Information:

Phase: 3
Type: NAT
Subtype:
Result: ALLOW
Config:
object network HR
nat (inside,outside) static 80.248.12.189 service tcp 8080 8080
Additional Information:
Static translate 192.168.16.28/8080 to 80.248.12.189/8080

Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (sp-security-failed) Slowpath security checks failed

JEE-LAG#

But this flow doesn't make sense. Why on earth would you want to start a connection from the real IP to the NAT IP?

This would cause a hairpinning situation.

-If I helped you somehow, please, rate it as useful.-
