05-27-2020 06:41 AM
I have an ASA 5510 firewall, and a Fortigate is connected to a VLAN interface on the ASA. I have a public IP address NATed (object NAT) to the outside interface of the Fortigate. The NAT doesn't seem to work: I see the traffic hitting the public IP address but not the outside interface of the Fortigate. Any suggestions?
06-01-2020 04:25 AM
Sorted,
just re-added the NAT statement at the top of all the NAT rules and it worked.
1 (OUTSIDE) to (any) source static any any destination static Fortigate-IP CD-BFS-NORTHW
Thanks all for your help.
05-27-2020 02:45 PM
Hi,
Could you post your NAT and routing configuration?
Thanks
05-28-2020 02:23 AM
05-28-2020 01:03 PM
If the following is correct:
* the rules on the outside interface to allow traffic from any to Fortigate-IP on ICMP, http, https
then this is the issue. You need to change this access rule to be towards CD-BFS-NORTH.
05-29-2020 01:28 AM
Hi,
Thanks for the reply.
That's why I called my enquiry "ASA NATing doesn't seem to work".
When I change the destination in the rule to CD-BFS-NORTH, the traffic is denied by the ACL.
I have attached packet-tracer output for the rules with the destination set to CD-BFS-NORTH and to Fortigate-IP.
My understanding is that the ASA should check the NAT before the interface ACL, but that doesn't seem to happen.
Can someone advise?
05-29-2020 02:26 AM
Hi,
What version of ASA code are you running?
05-29-2020 03:15 AM
It's 9.1(7)13.
05-29-2020 04:10 AM
Is there a reason you are using twice NAT for this? Also, it is always a good practice to specify which interfaces you are NATing between and do not use the any keyword for interface selection. I would suggest changing the NAT to something like the following (change the interface names if needed):
nat (INSIDE,OUTSIDE) source static CD-BFS-NORTH Fortigate-IP
05-29-2020 04:20 AM
Hi Marius,
Thanks so much for the reply.
There is no particular reason to do the twice NAT; I was just trying everything to make it work.
The command line you suggested is already there:
(EPL_VPN) to (OUTSIDE) source static CD-BFS-NORTH Fortigate-IP
Regards,
05-29-2020 05:37 AM
Could you post a full running configuration for your ASA (remember to remove any public IPs, usernames and passwords).
05-29-2020 05:55 AM
Hi Marius,
Thanks for your help so far.
This firewall is an old one and the configuration file is very big; hiding all the sensitive info would take a long time. I am more than happy to share the config partially, e.g. show run interface, show run nat, etc.
Regards
05-29-2020 06:53 AM
Without seeing more config it's hard to diagnose 100%, but it looks like you have your NAT commands the wrong way around, because you're stating outside>any and not the other way around. I would suggest removing the twice NAT and just adding a rule for this server such as the one you've already mentioned, assuming that the Fortigate is behind the EPL_VPN interface.
(EPL_VPN) to (OUTSIDE) source static CD-BFS-NORTH Fortigate-IP
Run packet-tracer again and see if this NAT rule is hit. If you want to try it another way try changing your other rule around:
42 (OUTSIDE) to (<ZONE THAT CONTAINS FORTIGATE>) source static any any destination static CD-BFS-NORTH Fortigate-IP no-proxy-arp
05-29-2020 07:30 AM
Could you please provide the output of the following commands:
show run nat | include CD-BFS-NORTH
show run access-list | include CD-BFS-NORTH
(If you are using IPs instead of objects, replace the object name with the IP.)
Also, provide a brief description / diagram of your network and where the IPs are located that you are trying to NAT.
05-29-2020 07:58 AM
05-29-2020 09:31 AM
You still have twice NAT configured... unless this is the one you have removed.
nat (OUTSIDE,any) source static any any destination static Fortigate-IP CD-BFS-NORTH
object network CD-BFS-NORTHW
I suggest removing this and replacing it with the command I provided earlier.
nat (EPL_VPN,OUTSIDE) source static CD-BFS-NORTH Fortigate-IP
It is a better practice to NAT from the inside to the outside unless there is a very specific reason for you to NAT from the outside.
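The replies above turn on two ASA (8.3 and later) behaviours: manual NAT rules are evaluated top-down with first match winning, so a broad rule higher in the list shadows a more specific one below it, and the ingress interface ACL is checked after the destination has been untranslated, so it must reference the real (inside) address rather than the public one. The following is an added illustration, written for this edit and not code from the thread or from Cisco. It is a deliberately simplified Python model of just those two behaviours for the two rule shapes used in the thread (static source NAT and static destination twice NAT); it ignores object NAT, after-auto rules, source-address matching, proxy ARP and routing. The IP addresses are constructed placeholders from documentation ranges, and the "shadow" rule is a hypothetical broad identity rule of the kind that can sit above a specific rule and capture its traffic.

```python
"""Simplified model of ASA 8.3+ inbound NAT lookup followed by the ingress ACL check.

Illustration only: not Cisco code. Models first-match ordering of manual NAT
rules and the fact that the ingress ACL sees the real (untranslated) address.
"""
from dataclasses import dataclass

# Constructed placeholder addresses (RFC 5737 / RFC 1918 ranges), not the thread's real IPs.
FORTIGATE_IP = "203.0.113.10"   # public (mapped) address, object Fortigate-IP
CD_BFS_NORTH = "10.20.30.40"    # real address of the Fortigate outside interface


@dataclass(frozen=True)
class SourceStatic:
    """nat (real_ifc,mapped_ifc) source static real_obj mapped_obj"""
    real_ifc: str
    mapped_ifc: str
    real: str
    mapped: str


@dataclass(frozen=True)
class DestStatic:
    """nat (real_ifc,mapped_ifc) source static any any destination static mapped_obj real_obj"""
    real_ifc: str
    mapped_ifc: str
    dst_mapped: str
    dst_real: str


def ifc_matches(rule_ifc, ingress_ifc):
    return rule_ifc == "any" or rule_ifc == ingress_ifc


def untranslate(rules, ingress_ifc, dst_ip):
    """Return (real_dst, matched_rule_number) for an inbound packet.

    Rules are tried top-down and the first match wins (manual NAT, section 1).
    If nothing matches, the destination is left untouched and the number is None.
    """
    for number, rule in enumerate(rules, start=1):
        if isinstance(rule, SourceStatic):
            # Static source NAT is bidirectional: a packet arriving on the mapped
            # interface addressed to the mapped IP is untranslated to the real IP.
            if ifc_matches(rule.mapped_ifc, ingress_ifc) and dst_ip == rule.mapped:
                return rule.real, number
        elif isinstance(rule, DestStatic):
            # Twice NAT written from the outside's perspective: a packet arriving on
            # the real interface addressed to the mapped destination is translated.
            if ifc_matches(rule.real_ifc, ingress_ifc) and rule.dst_mapped in ("any", dst_ip):
                real = dst_ip if rule.dst_real == "any" else rule.dst_real
                return real, number
    return dst_ip, None


def acl_permits(acl, dst_ip):
    """Ingress ACL, evaluated AFTER untranslation, i.e. against the real address."""
    for action, dst in acl:
        if dst in ("any", dst_ip):
            return action == "permit"
    return False  # implicit deny at the end of every ACL


def inbound_decision(rules, acl, ingress_ifc, dst_ip):
    real_dst, number = untranslate(rules, ingress_ifc, dst_ip)
    return {"real_dst": real_dst, "nat_rule": number, "permitted": acl_permits(acl, real_dst)}


# The rule Marius recommends, and the twice-NAT form the asker re-added at the top.
GOOD_RULE = SourceStatic("EPL_VPN", "OUTSIDE", CD_BFS_NORTH, FORTIGATE_IP)
TWICE_RULE = DestStatic("OUTSIDE", "any", FORTIGATE_IP, CD_BFS_NORTH)
# Hypothetical broad identity rule: matches the same flow but translates nothing.
SHADOW_RULE = DestStatic("OUTSIDE", "any", "any", "any")

ACL_MAPPED = [("permit", FORTIGATE_IP)]   # references the public IP: wrong on 8.3+
ACL_REAL = [("permit", CD_BFS_NORTH)]     # references the real IP: correct


def scenario_shadowed():
    """Specific rule below a broad one: never reached, ACL then denies."""
    return inbound_decision([SHADOW_RULE, TWICE_RULE], ACL_REAL, "OUTSIDE", FORTIGATE_IP)


def scenario_reordered():
    """Same rules, specific one moved to the top (the thread's fix)."""
    return inbound_decision([TWICE_RULE, SHADOW_RULE], ACL_REAL, "OUTSIDE", FORTIGATE_IP)


def scenario_wrong_acl():
    """NAT is fine but the ACL names the public IP, so the real IP is denied."""
    return inbound_decision([GOOD_RULE], ACL_MAPPED, "OUTSIDE", FORTIGATE_IP)


if __name__ == "__main__":
    for name in ("scenario_shadowed", "scenario_reordered", "scenario_wrong_acl"):
        print(name, globals()[name]())
```

Reading the three scenarios together reproduces the thread: with the specific rule shadowed, the destination stays the public address and the ACL written for the real address denies it; moving the rule to the top makes it match; and with NAT working, an ACL that still names the public address denies the untranslated packet. On a real ASA the equivalent check is `packet-tracer input OUTSIDE tcp <src-ip> 12345 <public-ip> 443`, which shows the NAT rule hit and the ACL phase in order.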