02-06-2020 11:24 PM
Hello everyone,
I have a problem giving internet access to a specific host from the ASA. I have a static NAT from host x.x.x.x to the outside interface, and I also have an access-list permitting the host x.x.x.x to any IP. But the host is still not getting to the internet.
Please see the attached pcap for your reference, and please help me figure out what is happening.
Thank you,
DM
02-07-2020 01:42 AM
Static NAT to the outside interface will likely not work. Configure a dynamic NAT/PAT for outgoing traffic. This NAT statement should go in Section 3, "after auto NAT".
02-07-2020 02:11 AM
Hello Karsten,
Thank you for your reply,
I deleted all NAT for this particular rule and created a dynamic NAT/PAT, but it is still not going to the internet.
This is the command I used:
nat (Customs,Outside) after-auto source dynamic RemoteGroup_Internet-Access interface
02-07-2020 02:15 AM
What does packet-tracer tell you when simulating a connection?
02-07-2020 02:21 AM
This is the packet-tracer output:
Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x2aaadcffd810, priority=13, domain=capture, deny=false
hits=21355839, user_data=0x2aaadccc62c0, cs_id=0x0, l3_type=0x0
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0000.0000.0000
input_ifc=Customs, output_ifc=any
Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x2aaad82c9fe0, priority=1, domain=permit, deny=false
hits=754156783, user_data=0x0, cs_id=0x0, l3_type=0x8
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0100.0000.0000
input_ifc=Customs, output_ifc=any
Phase: 3
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 10.0.30.3 using egress ifc Outside
Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group Customs_access_in in interface Customs
access-list Customs_access_in extended permit object-group DM_INLINE_SERVICE_45 object-group RemoteGroup_Internet-Access any4
object-group service DM_INLINE_SERVICE_45
group-object Ping
service-object tcp destination eq www
service-object tcp destination eq https
object-group network RemoteGroup_Internet-Access
network-object object Maputo-APN-TEST
Additional Information:
Forward Flow based lookup yields rule:
in id=0x2aaadd3c4820, priority=13, domain=permit, deny=false
hits=19, user_data=0x2aaae7bcef80, cs_id=0x0, use_real_addr, flags=0x0, protocol=6
src ip/id=172.189.10.11, mask=255.255.255.255, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=443, tag=any, dscp=0x0
input_ifc=Customs, output_ifc=any
Phase: 5
Type: CONN-SETTINGS
Subtype:
Result: ALLOW
Config:
class-map class-default
match any
policy-map global_policy
class class-default
set connection decrement-ttl
service-policy global_policy global
Additional Information:
Forward Flow based lookup yields rule:
in id=0x2aaaea091890, priority=7, domain=conn-set, deny=false
hits=43004879, user_data=0x2aaaea08b1c0, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=Customs, output_ifc=any
Phase: 6
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (Customs,Outside) after-auto source dynamic RemoteGroup_Internet-Access interface
Additional Information:
Dynamic translate 172.189.10.11/443 to 10.0.30.1/443
Forward Flow based lookup yields rule:
in id=0x2aaaecade330, priority=6, domain=nat, deny=false
hits=24, user_data=0x2aaadc22e850, cs_id=0x0, flags=0x0, protocol=0
src ip/id=172.189.10.11, mask=255.255.255.255, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=Customs, output_ifc=Outside
Phase: 7
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x2aaac6e87930, priority=1, domain=nat-per-session, deny=true
hits=191613289, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=any, output_ifc=any
Phase: 8
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x2aaad82d2f00, priority=0, domain=inspect-ip-options, deny=true
hits=59151317, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=Customs, output_ifc=any
Phase: 9
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x2aaaea09f4b0, priority=70, domain=inspect-icmp-error, deny=false
hits=39551817, user_data=0x2aaaea097490, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=Customs, output_ifc=any
Phase: 10
Type: FOVER
Subtype: standby-update
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x2aaadb59e9a0, priority=20, domain=lu, deny=false
hits=16725822, user_data=0x0, cs_id=0x0, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=Customs, output_ifc=any
Phase: 11
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (Customs,Outside) after-auto source dynamic RemoteGroup_Internet-Access interface
Additional Information:
Forward Flow based lookup yields rule:
out id=0x2aaaddc47a60, priority=6, domain=nat-reverse, deny=false
hits=25, user_data=0x2aaadcd83270, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=172.189.10.11, mask=255.255.255.255, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=Customs, output_ifc=Outside
Phase: 12
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0x2aaac6e87930, priority=1, domain=nat-per-session, deny=true
hits=191613291, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=any, output_ifc=any
Phase: 13
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0x2aaad81033c0, priority=0, domain=inspect-ip-options, deny=true
hits=44025294, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=Outside, output_ifc=any
Phase: 14
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 241221054, packet dispatched to next module
Module information for forward flow ...
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_inspect_icmp
snp_fp_translate
snp_fp_adjacency
snp_fp_fragment
snp_fp_tracer_drop
snp_ifc_stat
Module information for reverse flow ...
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_tcp_normalizer
snp_fp_inspect_icmp
snp_fp_adjacency
snp_fp_fragment
snp_fp_tracer_drop
snp_ifc_stat
Phase: 15
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 10.0.30.3 using egress ifc Outside
Phase: 16
Type: ADJACENCY-LOOKUP
Subtype: next-hop and adjacency
Result: ALLOW
Config:
Additional Information:
adjacency Active
next-hop mac address 001f.a011.9838 hits 201496 reference 6236
Result:
input-interface: Customs
input-status: up
input-line-status: up
output-interface: Outside
output-status: up
output-line-status: up
Action: allow
02-07-2020 02:41 AM
At least the ASA says it would be allowed and that the right NAT rule is used. It is likely that the problem is somewhere else.
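The reply above is reasoning from the pasted packet-tracer output: every phase returned ALLOW, the NAT phase shows the translation, and the final block says "Action: allow". As an added example (not part of this thread and not a Cisco tool), the Python below parses a pasted trace into its "Phase: N" blocks and the final "Result:" block, pulls out the NAT translation the ASA chose, finds the phase at which a packet is dropped, and prints a one-line verdict. ALLOW_TRACE is a shortened, constructed copy of the trace posted in the thread; DROP_TRACE is a constructed access-list deny whose Drop-reason line follows the ASA's usual wording but is otherwise made up.

```python
"""Parse Cisco ASA packet-tracer output and say what the ASA decided.
Added example for this thread, not code from the posts or from Cisco. ALLOW_TRACE
is a shortened, constructed copy of the posted trace; DROP_TRACE is a constructed
access-list deny."""
import re
from dataclasses import dataclass, field

PHASE_RE = re.compile(r"^Phase:\s*(\d+)$")
FIELD_RE = re.compile(r"^(Type|Subtype|Result):\s*(.*)$")
SUMMARY_RE = re.compile(r"^(input-interface|output-interface|Action|Drop-reason):\s*(.*)$")
TRANSLATE_RE = re.compile(r"translate\s+(\S+)\s+to\s+(\S+)")


@dataclass
class Phase:
    number: int
    type: str = ""
    subtype: str = ""
    result: str = ""
    config: list = field(default_factory=list)  # lines under "Config:"
    info: list = field(default_factory=list)    # lines under "Additional Information:"


def parse_packet_tracer(text):
    """Return (phases, summary): the Phase blocks and the final Result block as a dict."""
    phases, summary, cur, section = [], {}, None, None
    for line in (ln.strip() for ln in text.splitlines() if ln.strip()):
        if m := PHASE_RE.match(line):
            cur, section = Phase(int(m.group(1))), None
            phases.append(cur)
        elif line == "Result:":                 # a bare "Result:" opens the final summary
            cur, section = None, "summary"
        elif section == "summary":
            if m := SUMMARY_RE.match(line):
                summary[m.group(1)] = m.group(2).strip()
        elif cur is None:
            continue                            # banner text before the first phase
        elif m := FIELD_RE.match(line):         # Type:/Subtype:/Result: of the phase
            setattr(cur, m.group(1).lower(), m.group(2).strip())
        elif line in ("Config:", "Additional Information:"):
            section = "config" if line == "Config:" else "info"
        elif section in ("config", "info"):
            getattr(cur, section).append(line)
    return phases, summary


def nat_translations(phases):
    """(phase number, real address, mapped address) for each NAT phase that rewrote the packet."""
    return [(p.number, m.group(1), m.group(2))
            for p in phases if p.type == "NAT"
            for line in p.info if (m := TRANSLATE_RE.search(line))]


def first_drop(phases):
    """The phase that returned DROP; packet-tracer stops tracing at the first one."""
    return next((p for p in phases if p.result.upper() == "DROP"), None)


def verdict(text):
    """One line: does the ASA pass the packet and, if not, which phase killed it."""
    phases, summary = parse_packet_tracer(text)
    path = f"{summary.get('input-interface', '?')} -> {summary.get('output-interface', '?')}"
    if summary.get("Action", "").lower() == "allow":
        nats = nat_translations(phases)
        return f"allow {path}; NAT " + (f"{nats[0][1]} -> {nats[0][2]}" if nats else "none")
    p = first_drop(phases)
    where = (f"phase {p.number} {p.type} [{p.config[0] if p.config else 'no rule shown'}]"
             if p else "unknown phase")
    return f"drop at {where}: {summary.get('Drop-reason', 'no drop-reason printed')}"


# Constructed sample input: a cut-down copy of the trace posted in the thread.
ALLOW_TRACE = """
Phase: 1
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group Customs_access_in in interface Customs
Phase: 2
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (Customs,Outside) after-auto source dynamic RemoteGroup_Internet-Access interface
Additional Information:
Dynamic translate 172.189.10.11/443 to 10.0.30.1/443
Result:
input-interface: Customs
output-interface: Outside
Action: allow
"""

# Constructed sample input: what an implicit access-list deny looks like.
DROP_TRACE = """
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Result:
input-interface: Customs
output-interface: Outside
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

if __name__ == "__main__":
    for name, trace in (("posted trace", ALLOW_TRACE), ("constructed deny", DROP_TRACE)):
        print(f"{name}: {verdict(trace)}")
```

Run against the posted trace it prints "allow Customs -> Outside; NAT 172.189.10.11/443 -> 10.0.30.1/443", which is exactly what the reply concludes. Keep in mind what that proves: the forward path through this ASA is permitted and the source is rewritten to the Outside interface address. It says nothing about whether the next hop at 10.0.30.3 has a route back for 10.0.30.1 or whether the host can resolve DNS, which is where "somewhere else" usually turns out to be.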