ASA problem - I cannot nat to outside interface

Vince
Level 1

Noob here. I am having a problem configuring the ASA to statically NAT a server on the dmz directly to the outside interface on port 80. I was able to successfully NAT it using another IP address (12.12.12.5) but not if I used the outside IP (12.12.12.2). Here's a snippet of my configuration:

interface GigabitEthernet0
nameif outside
security-level 0
ip address 12.12.12.2 255.255.255.248
!
interface GigabitEthernet1
nameif inside
security-level 100
ip address 192.168.100.5 255.255.255.0
!
interface GigabitEthernet2
nameif dmz
security-level 50
ip address 172.16.1.1 255.255.255.0

object network SVR-WEBSERVER-IN
host 172.16.1.100

object network SVR-WEBSERVER-IN
nat (any,outside) static interface service tcp www www

access-list outside_access_in extended permit tcp any object SVR-WEBSERVER-IN eq www

access-group outside_access_in in interface outside
!

I am getting the following error:

ASA-3-710003: {TCP|UDP} access denied by ACL from
source_IP/source_port to interface_name:dest_IP/service

I believe it's an ACL problem, but I cannot seem to figure out where. I'm not that familiar with ASA and I'm just in the process of learning it. Hope someone can shed some light.

10 Replies

Akshay Rastogi
Cisco Employee

Hi Vince,

Could you please try using the 'dmz' keyword instead of 'any' in the NAT statement and see if that works.

Also try the packet-tracer below:

'packet-tracer input outside tcp 8.8.8.8 12345 12.12.12.2 80 detail' and see where the packet is dropped. Also share the output here.

Hope it helps.

Regards,

Akshay Rastogi

Remember to rate helpful posts.

Hi Akshay,

I changed any to dmz but I'm still having the same problem.

Here's the result of packet-tracer:

packet-tracer input outside tcp 8.8.8.8 12345 12.12.12.2 80 detail

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 12.12.12.2 255.255.255.255 identity

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0xbc14ef80, priority=0, domain=permit, deny=true
hits=31, user_data=0x9, cs_id=0x0, use_real_addr, flags=0x1000, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
input_ifc=outside, output_ifc=any

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

I don't understand why it is not hitting my ACL and goes to the implicit deny rule.

My guess is that it is not hitting the acl because the translation is not working as you expect it to. Please post current config of interfaces, acl, and translation.

HTH

Rick

Here's a snippet of my configuration (please note that I usually use ASDM for configuration):

hostname GTWY-001

names
!
interface GigabitEthernet0
nameif outside
security-level 0
ip address 12.12.12.2 255.255.255.248
!
interface GigabitEthernet1
nameif inside
security-level 100
ip address 192.168.100.5 255.255.255.0
!
interface GigabitEthernet2
nameif dmz
security-level 50
ip address 172.16.1.1 255.255.255.0
!
interface GigabitEthernet3
shutdown
no nameif
no security-level
no ip address
!

object service SVC-WEB
service tcp source eq www destination eq www
object network MANAGER
host 13.13.13.2
object network WWW-SERVER
host 172.16.1.100
object network SVR-WEBSERVER-IN
host 172.16.1.100
object network SVR-WEBSERVER-OUT
host 12.12.12.5
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
access-list outside_access_in extended permit tcp any interface outside eq www
access-list outside_access_in extended permit tcp any host 172.16.1.100 eq www
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu dmz 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
arp timeout 14400
nat (inside,outside) source dynamic any interface
!
object network SVR-WEBSERVER-IN
nat (dmz,outside) static interface service tcp www www
access-group outside_access_in in interface outside
!
router ospf 1
network 172.16.1.0 255.255.255.0 area 1
network 192.168.100.0 255.255.255.0 area 0
log-adj-changes
default-information originate always
!
route outside 0.0.0.0 0.0.0.0 12.12.12.1 1

Here's my show xlate:

1 in use, 4 most used
Flags: D - DNS, i - dynamic, r - portmap, s - static, I - identity, T - twice
TCP PAT from dmz:172.16.1.100 80-80 to outside:12.12.12.2 80-80
flags sr idle 0:05:56 timeout 0:00:00

I also tried inserting another ACL (one with outside as the destination), but it didn't help.

Thank you for the additional information. Is there anything else in the config that deals with the DMZ interface?

I would suggest that you remove this

object network SVR-WEBSERVER-IN
nat (dmz,outside) static interface service tcp www www

and replace it with this

object network SVR-WEBSERVER-IN
nat (dmz,outside) static 12.12.12.2 service tcp www www

HTH

Rick

I am getting the following error when changing the interface to 12.12.12.2

ERROR: Address 12.12.12.2 overlaps with outside interface address.
ERROR: NAT Policy is not downloaded

There are no ACLs on the dmz, and the only dmz-related configuration I have added (at least that I am aware of) is the NATing.

Hi Vince,

Remove the object NAT and create a manual NAT at the top. This should resolve the issue. Below are the changes you need to make.

object network SVR-WEBSERVER-IN

no nat (dmz,outside) static interface service tcp www www

object service www-80
service tcp source eq www

nat (dmz,outside) 1 source static SVR-WEBSERVER-IN interface service www-80 www-80

Make sure this particular NAT rule is above the "nat (inside,outside) source dynamic any interface"

Thanks,
Shivapramod M
Please remember to select a correct answer and rate helpful posts

Hi Shivapramod,

I made the necessary changes and voila! I did the same config before I tried the object nat. The only difference is the service object (www-80) on which I put 80 on both source and destination port. I guess that's why it did not work.

I'm curious though, does NATing to the outside interface require manual NAT, or can this be done using object NAT as well?

Thanks to everyone for the help!

Hi Vince,

The problem is due to the dynamic PAT associated with the interface. If you did not have the NAT rule "nat (inside,outside) source dynamic any interface", it would have worked with the object NAT.

Thanks,
Shivapramod M
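To make the ordering point above concrete, here is a small simulation of the ASA's NAT-table walk for a new inbound connection (added illustration, not the ASA's code and not from this thread). It assumes the documented section order, manual NAT (section 1) before object NAT (section 2), and that a dynamic PAT rule matched on the inbound lookup cannot un-NAT a new connection, which is why the packet-tracer reported the output interface as "NP Identity Ifc".

```python
# Simplified model of how the ASA searches its NAT table for an inbound flow.
# Assumption: section 1 (manual NAT) is searched before section 2 (object NAT),
# and a dynamic PAT matched on the way in has no real host to deliver to.
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class NatRule:
    section: int              # 1 = manual NAT, 2 = object NAT, 3 = manual after-auto
    kind: str                 # "static" or "dynamic"
    real_ip: Optional[str]    # real host for static rules; None means "any"
    mapped_ip: str            # mapped address; "interface" resolved to the interface IP
    port: Optional[int] = None  # service port for a static port forward; None = all ports

OUTSIDE_IP = "12.12.12.2"     # outside interface address from the thread's config
WEB_SERVER = "172.16.1.100"   # SVR-WEBSERVER-IN from the thread's config

def untranslate(rules: List[NatRule], dst_ip: str, dst_port: int) -> Optional[Tuple[str, int]]:
    """Return (real_ip, real_port) for a new inbound flow, or None when the
    first matching rule cannot un-NAT it (packet treated as to-the-box traffic)."""
    # sorted() is stable, so rules keep their configured order within a section
    for rule in sorted(rules, key=lambda r: r.section):
        if rule.mapped_ip != dst_ip:
            continue
        if rule.port is not None and rule.port != dst_port:
            continue
        if rule.kind == "dynamic":
            # Dynamic PAT only builds xlates for outbound flows; a new inbound
            # connection that hits it first is never forwarded to the DMZ host.
            return None
        return (rule.real_ip, dst_port)
    return None

def original_config() -> List[NatRule]:
    # nat (inside,outside) source dynamic any interface            -> section 1
    # object NAT: nat (dmz,outside) static interface service tcp www www -> section 2
    return [NatRule(1, "dynamic", None, OUTSIDE_IP),
            NatRule(2, "static", WEB_SERVER, OUTSIDE_IP, 80)]

def fixed_config() -> List[NatRule]:
    # nat (dmz,outside) 1 source static SVR-WEBSERVER-IN interface service www-80 www-80
    # placed at position 1 of section 1, above the dynamic PAT
    return [NatRule(1, "static", WEB_SERVER, OUTSIDE_IP, 80),
            NatRule(1, "dynamic", None, OUTSIDE_IP)]

if __name__ == "__main__":
    print("original:", untranslate(original_config(), OUTSIDE_IP, 80))  # None
    print("fixed:   ", untranslate(fixed_config(), OUTSIDE_IP, 80))     # ('172.16.1.100', 80)
```

Running it shows the original layout never reaches the static rule, while the manual rule at the top of section 1 un-NATs port 80 to the DMZ host and still leaves other ports to the interface PAT.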

You're right. I tried putting my object NAT back and put it at the top, and it works like it's supposed to. Thanks again!
