ASA post-8.3 static PAT trouble

jer0nim0x
Level 1

Hey community,

I am failing at a seemingly simple task.

The goal is to forward two different udp ports 1195 and 1196 from the outside address of the ASA to two different hosts on the inside but on the same port. These are the addresses used in this example:

  • ASA Internet 192.168.1.99/24
  • ASA DMZ 172.16.0.1/24

Here is the relevant part of the config for one inside host:

object network VPN2
 host 172.16.0.66 
 nat (DMZ,Internet) static interface service udp 1194 1195

object service VPN
 service udp destination eq 1194

access-list Internet_access_in_1 extended permit object VPN any object VPN2
access-list Internet_access_in_1 extended deny ip any any

The questions are:

  • What is the correct way to use packet tracer in this case?
  • What is the correct destination port to use in the ACL in this case?

Experiments:

Using packet-tracer input internet udp 8.8.8.8 1234 172.16.0.66 1194 (inside IP/port) I get

Phase: 7
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
object network VPN2
 nat (DMZ,Internet) static interface service udp 1194 1195
Additional Information:

Using packet-tracer input internet udp 8.8.8.8 1234 192.168.1.99 1195 (outside IP/port) I obviously get

Phase: 4
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

In any case, packets are currently hitting the firewall on the Internet (outside) interface on udp port 1195, but they aren't seen inside. Output of show nat detail:

  (DMZ) to (Internet) source static VPN2 interface   service udp 1194 1195
     translate_hits = 0, untranslate_hits = 0
     Source - Origin: 172.16.0.66/32, Translated: 192.168.1.99/24
     Service - Protocol: udp Real: 1194 Mapped: 1195

Now, what is making me crazy in addition: if I add port 1195 to the access list, the following invocation of packet tracer accepts the traffic:

packet-tracer input internet tcp 8.8.8.8 1234 172.16.0.66 1195

That's the inside IP but the outside port? Whuuuut???

Thanks for any input you may have :(

2 Replies

Which software version are you using? Sounds like a bug.

It should be used in the following way:

  • ACL uses real IP and real port
  • Packet-tracer uses IP and port as it enters the outside interface.

Example:

object network TEST-10.255.192.100
 host 10.255.192.100
 nat (inside,outside) static interface service udp 1194 1195
!
access-list OUTSIDE-ACCESS-IN extended permit udp any object TEST-10.255.192.100 eq 1194
asa-md(config)# packet-tracer input outside udp 1.2.3.4 1234 192.0.2.10 1195
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list
Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
object network TEST-10.255.192.100
nat (inside,outside) static interface service udp 1194 1195
Additional Information:
NAT divert to egress interface inside
Untranslate 192.0.2.10/1195 to 10.255.192.100/1194
Phase: 3
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 192.0.2.1 using egress ifc outside
Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group OUTSIDE-ACCESS-IN in interface outside
access-list OUTSIDE-ACCESS-IN extended permit udp any object TEST-10.255.192.100 eq 1194
Additional Information:
Phase: 5
Type: CONN-SETTINGS
Subtype:
Result: ALLOW
Config:
class-map class-default
match any
policy-map global_policy
class class-default
set connection decrement-ttl
service-policy global_policy global
Additional Information:
Phase: 6
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (any,outside) after-auto source dynamic any interface
Additional Information:
Phase: 7
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 8
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 9
Type: SFR
Subtype:
Result: ALLOW
Config:
class-map class-default
match any
policy-map global_policy
class class-default
user-statistics accounting
sfr fail-open
service-policy global_policy global
Additional Information:
Phase: 10
Type:
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 11
Type:
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 12
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
object network TEST-10.255.192.100
nat (inside,outside) static interface service udp 1194 1195
Additional Information:
Phase: 13
Type: USER-STATISTICS
Subtype: user-statistics
Result: ALLOW
Config:
Additional Information:
Phase: 14
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 15
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 16
Type: USER-STATISTICS
Subtype: user-statistics
Result: ALLOW
Config:
Additional Information:
Phase: 17
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 365912, packet dispatched to next module
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: allow

Thanks for your input man.

Crap, there was a manual Dynamic PAT (hide) to any in section 1.

Moved it to after-auto. Argh.
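The resolution above (a manual dynamic PAT to the interface address sitting in NAT section 1 shadowed the static object NAT in section 2 until it was moved to after-auto, section 3) and the reply's two rules (the ACL is written against the real IP and real port; packet-tracer is fed the address and port as they arrive on the outside interface) can be shown with a small model of the ASA's first-match NAT table walk. This is an added example written for this page, not Cisco code and not output from an ASA: it simplifies the NAT table to section order plus "static before dynamic" within section 2, ignores the rpf-check and routing phases, and treats an unsolicited inbound packet that matches a dynamic PAT rule as a drop because no xlate exists for it. The addresses, ports and object names are the ones from the thread; the exact hide-PAT line the OP removed is not quoted, so the `nat (any,Internet) source dynamic any interface` rule here is an assumption modelled on the reply's `nat (any,outside) after-auto source dynamic any interface`.

```python
"""Toy model of ASA NAT-section precedence for an unsolicited inbound packet.

Added example, not ASA code: walks the NAT table in section order
(1 = manual, 2 = object/auto with static before dynamic, 3 = manual
after-auto), untranslates the destination, then checks the inbound ACL
against the REAL address and port, as the ASA does post-8.3.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class NatRule:
    section: int                 # 1 = manual, 2 = object (auto), 3 = after-auto
    kind: str                    # "static" or "dynamic"
    mapped_ip: str               # address as seen on the outside
    mapped_port: Optional[int]   # None = any port (dynamic PAT owns the whole address)
    real_ip: Optional[str]       # None for dynamic PAT: no fixed reverse mapping
    real_port: Optional[int]
    proto: Optional[str] = None  # None = any protocol
    text: str = ""               # CLI line, reported in the verdict


@dataclass(frozen=True)
class Ace:
    action: str                  # "permit" or "deny"
    proto: str                   # "udp", "tcp" or "ip"
    dst_ip: str                  # host address or "any"
    dst_port: Optional[int]      # None = any port


def sort_table(rules: List[NatRule]) -> List[NatRule]:
    # Section order first; within a section static rules precede dynamic ones.
    # (The ASA additionally orders section 2 by prefix size; omitted here.)
    return sorted(rules, key=lambda r: (r.section, 0 if r.kind == "static" else 1))


def rule_matches(rule: NatRule, proto: str, dst_ip: str, dst_port: int) -> bool:
    if rule.mapped_ip != dst_ip:
        return False
    if rule.proto is not None and rule.proto != proto:
        return False
    return rule.mapped_port is None or rule.mapped_port == dst_port


def untranslate(rules, proto, dst_ip, dst_port):
    """First-match walk. Returns (rule, real_ip, real_port, action)."""
    for rule in sort_table(rules):
        if not rule_matches(rule, proto, dst_ip, dst_port):
            continue
        if rule.kind == "dynamic":
            # Dynamic PAT has no xlate for a new inbound flow, yet the rule
            # claims the address first, so nothing further is consulted.
            return rule, None, None, "drop"
        return rule, rule.real_ip, rule.real_port, "untranslate"
    return None, dst_ip, dst_port, "no-nat"


def acl_lookup(acl: List[Ace], proto: str, real_ip: str, real_port: int) -> str:
    for ace in acl:
        if ace.proto not in ("ip", proto):
            continue
        if ace.dst_ip not in ("any", real_ip):
            continue
        if ace.dst_port is not None and ace.dst_port != real_port:
            continue
        return ace.action
    return "deny"  # implicit deny at the end of every ACL


def trace(rules, acl, proto, dst_ip, dst_port) -> Tuple[str, str, str]:
    """Packet-tracer style verdict for a packet arriving on the outside interface."""
    rule, real_ip, real_port, action = untranslate(rules, proto, dst_ip, dst_port)
    if action == "drop":
        return "DROP", "NAT", rule.text
    if acl_lookup(acl, proto, real_ip, real_port) != "permit":
        return "DROP", "ACCESS-LIST", f"no permit for real {real_ip}:{real_port}"
    return "ALLOW", "FLOW-CREATION", f"{dst_ip}:{dst_port} -> {real_ip}:{real_port}"


# Object NAT from the thread (section 2): 192.168.1.99:1195/udp -> 172.16.0.66:1194
STATIC_VPN2 = NatRule(2, "static", "192.168.1.99", 1195, "172.16.0.66", 1194, "udp",
                      "nat (DMZ,Internet) static interface service udp 1194 1195")


def hide_pat(section: int) -> NatRule:
    # Assumed wording of the OP's hide PAT; section 1 = manual, 3 = after-auto.
    kw = "after-auto " if section == 3 else ""
    return NatRule(section, "dynamic", "192.168.1.99", None, None, None, None,
                   f"nat (any,Internet) {kw}source dynamic any interface")


# Inbound ACL written the right way: real host and REAL port 1194.
ACL_REAL_PORT = [Ace("permit", "udp", "172.16.0.66", 1194), Ace("deny", "ip", "any", None)]
# Common mistake: ACL written with the MAPPED port 1195.
ACL_MAPPED_PORT = [Ace("permit", "udp", "172.16.0.66", 1195), Ace("deny", "ip", "any", None)]


def before_fix():   # hide PAT in section 1 shadows the static object NAT
    return trace([STATIC_VPN2, hide_pat(1)], ACL_REAL_PORT, "udp", "192.168.1.99", 1195)


def after_fix():    # hide PAT moved to after-auto; static rule in section 2 wins
    return trace([STATIC_VPN2, hide_pat(3)], ACL_REAL_PORT, "udp", "192.168.1.99", 1195)


def wrong_acl():    # NAT is fine, but the ACL names the mapped port, so the ACL phase drops
    return trace([STATIC_VPN2, hide_pat(3)], ACL_MAPPED_PORT, "udp", "192.168.1.99", 1195)


if __name__ == "__main__":
    for label, fn in (("before fix", before_fix), ("after fix", after_fix), ("wrong ACL", wrong_acl)):
        print(f"{label:>10}: {fn()}")
```

Feed `trace` the outside address and port, as the reply recommends for packet-tracer; the model deliberately does not reproduce the rpf-check drop the OP saw when tracing against the inside address, which is the ASA's way of saying the packet as described could never have arrived that way.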
