05-27-2020 06:41 AM
I have an ASA 5510 firewall, and a Fortigate is connected to a VLAN interface on the ASA. I have a public IP address NATed (object NAT) to the outside interface of the Fortigate. The NAT doesn't seem to work; I see the traffic hitting the public IP address but not the outside interface of the Fortigate. Any suggestions?
Solved! Go to Solution.
06-01-2020 04:25 AM
Sorted,
just re-added the NAT statement at the top of all the NAT rules and it worked.
1 (OUTSIDE) to (any) source static any any destination static Fortigate-IP CD-BFS-NORTHW
Thanks all for your help.
05-27-2020 02:45 PM
Hi,
Could you post your NAT and routing configuration?
Thanks
05-28-2020 02:23 AM
05-28-2020 01:03 PM
If the following is correct:
* the rules on the outside interface allow traffic from any to Fortigate-IP on ICMP, HTTP, HTTPS
Then this is the issue. You need to change this access rule to be towards CD-BFS-NORTH.
05-29-2020 01:28 AM
Hi,
Thanks for the reply.
That's why I called my enquiry "ASA NATing doesn't seem to work".
When I change the destination in the rule to CD-BFS-NORTH, the traffic is denied by the ACL.
I have attached packet-tracer output for the rules when the destination is CD-BFS-NORTH and when it is Fortigate-IP.
My understanding is that the ASA should check the NAT first, before the interface ACL, but that doesn't seem to happen.
Can someone advise ?
05-29-2020 02:26 AM
Hi,
What version of ASA code are you running?
05-29-2020 03:15 AM
It's 9.1(7)13.
05-29-2020 04:10 AM
Is there a reason you are using twice NAT for this? Also, it is always a good practice to specify which interfaces you are NATing between and do not use the any keyword for interface selection. I would suggest changing the NAT to something like the following (change the interface names if needed):
nat (INSIDE,OUTSIDE) source static CD-BFS-NORTH Fortigate-IP
05-29-2020 04:20 AM
Hi Marius,
Thanks so much for the reply.
There is no particular reason for the twice NAT; I was just trying everything to make it work.
The command line you have suggested is already there:
(EPL_VPN) to (OUTSIDE) source static CD-BFS-NORTH Fortigate-IP
Regards,
05-29-2020 05:37 AM
Could you post a full running configuration for your ASA (remember to remove any public IPs, usernames and passwords).
05-29-2020 05:55 AM
Hi Marius,
Thanks for your help so far.
This firewall is an old one and the configuration file is very big; hiding all the sensitive info will take a long time. I am more than happy to share the config partially, like show run interface, show run nat, etc.
Regards
05-29-2020 06:53 AM
Without seeing more config it's hard to 100% diagnose, but it just looks like you have your NAT commands around the wrong way, because you're stating outside>any and not the other way around. I would suggest removing the twice NAT and just adding a rule for this server such as the one you've already mentioned, assuming that the Fortigate is behind the EPL_VPN interface.
(EPL_VPN) to (OUTSIDE) source static CD-BFS-NORTH Fortigate-IP
Run packet-tracer again and see if this NAT rule is hit. If you want to try it another way try changing your other rule around:
42 (OUTSIDE) to (<ZONE THAT CONTAINS FORTIGATE>) source static any any destination static CD-BFS-NORTH Fortigate-IP no-proxy-arp
05-29-2020 07:30 AM
Could you please provide the output of the following commands:
show run nat | include CD-BFS-NORTH
show run access-list | include CD-BFS-NORTH
(If you are using IPs instead of objects, replace the object name with the IP.)
Also, provide a brief description / diagram of your network and where the IPs are located that you are trying to NAT.
05-29-2020 07:58 AM
05-29-2020 09:31 AM
You still have twice NAT configured...unless this is the one you have removed.
nat (OUTSIDE,any) source static any any destination static Fortigate-IP CD-BFS-NORTH
object network CD-BFS-NORTHW
I suggest removing this and replacing it with the command I provided earlier.
nat (EPL_VPN,OUTSIDE) source static CD-BFS-NORTH Fortigate-IP
It is a better practice to NAT from the inside to the outside unless there is a very specific reason for you to NAT from the outside.
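Putting the thread's advice together as one added example (this is not configuration from any post above; the interface names EPL_VPN and OUTSIDE and the object names come from the thread, while the RFC 5737 addresses 192.0.2.10, 198.51.100.20 and 203.0.113.7 and the ACL name OUTSIDE_IN are placeholders chosen here): the NAT is written from the inside interface toward OUTSIDE and pinned to line 1 so no earlier manual NAT rule can shadow it, the interface ACL references the real (untranslated) address, because on ASA 8.3 and later the inbound ACL is evaluated after un-NAT, and packet-tracer plus the NAT hit counters confirm which rule actually matched.

```text
! Real (inside) address of the Fortigate's outside interface and the public
! address mapped to it. Placeholder RFC 5737 addresses chosen for this example.
object network CD-BFS-NORTH
 host 192.0.2.10
object network Fortigate-IP
 host 198.51.100.20
!
! Twice NAT written real-interface -> mapped-interface, at line 1 of section 1
! so it is evaluated before any other manual NAT rule. Static twice NAT is
! bidirectional: inbound packets for 198.51.100.20 are un-NATed to 192.0.2.10
! before the interface ACL is checked.
nat (EPL_VPN,OUTSIDE) 1 source static CD-BFS-NORTH Fortigate-IP
!
! ASA 8.3+: interface ACLs match the REAL address, not the mapped public one.
! Wrong (never matches inbound traffic once it has been un-NATed):
!   access-list OUTSIDE_IN extended permit tcp any object Fortigate-IP eq https
! Right:
access-list OUTSIDE_IN extended permit icmp any object CD-BFS-NORTH
access-list OUTSIDE_IN extended permit tcp any object CD-BFS-NORTH eq www
access-list OUTSIDE_IN extended permit tcp any object CD-BFS-NORTH eq https
access-group OUTSIDE_IN in interface OUTSIDE
!
! Verification: simulate an inbound HTTPS packet from an Internet host
! (203.0.113.7, placeholder). The UN-NAT phase should cite the nat line above
! and the ACCESS-LIST phase should show ALLOW, with the destination already
! rewritten to 192.0.2.10 in the later phases.
packet-tracer input OUTSIDE tcp 203.0.113.7 40000 198.51.100.20 443
!
! The untranslate_hits counter for the rule should increment after the test;
! if it stays at zero, an earlier section 1 rule is matching first.
show nat detail
```

If the existing (OUTSIDE,any) twice NAT is left in place above this rule, it keeps winning because section 1 is evaluated top down and first match wins; remove it or move the new rule above it, as the accepted answer did, before reading the packet-tracer result.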