05-20-2017 03:46 AM - edited 03-12-2019 02:23 AM
ASA version 9.6(3)1
Both NATs have the same configuration except that 172.16.100.2 uses interface; does anyone have the same question?
This object works fine:
object network 172.16.100.3_25_xx2
nat (DMZ,xyz) static 202.175.xx.203 service tcp smtp smtp
This object does not work:
object network 172.16.100.2_25_xx1
nat (DMZ,xyz) static interface service tcp smtp smtp
Cisco Adaptive Security Appliance Software Version 9.6(3)1
Device Manager Version 7.2(2)1
Compiled on Thu 30-Mar-17 21:40 PDT by builders
System image file is "disk0:/asa963-1-smp-k8.bin"
Config file at boot was "startup-config"
packet-tracer input xyz tcp 8.8.8.8 1024 202.175.xx.202 25
Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 202.175.xx.202 using egress ifc identity
Phase: 2
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Result:
input-interface: xyz
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
# packet-tracer input xyz tcp 8.8.8.8 1024 202.175.xx.203 25
Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
object network 172.16.100.3_25_xyz
nat (DMZ,xyz) static 202.175.xx.203 service tcp smtp smtp
Additional Information:
NAT divert to egress interface DMZ
Untranslate 202.175.xx.203/25 to 172.16.100.3/25
Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group xyz in interface xyz
access-list xyz extended permit tcp any host 172.16.100.3 eq smtp
Additional Information:
Phase: 3
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 5
Type: INSPECT
Subtype: inspect-smtp
Result: ALLOW
Config:
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect esmtp _default_esmtp_map
service-policy global_policy global
Additional Information:
Phase: 6
Type: FOVER
Subtype: standby-update
Result: ALLOW
Config:
Additional Information:
Phase: 7
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (DMZ,xyz) source dynamic any interface
Additional Information:
Phase: 8
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 9
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 10
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 538894, packet dispatched to next module
Result:
input-interface: xyz
input-status: up
input-line-status: up
output-interface: DMZ
output-status: up
output-line-status: up
Action: allow
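Added example, not part of the thread: a small Python helper that reduces each packet-tracer run above to the facts worth comparing, namely whether an UN-NAT phase matched a static rule (and which one), which phase dropped the flow, and the egress interface and drop reason from the closing Result block. The two sample traces are constructed from the runs quoted above, trimmed to the lines the function keys on.

```python
# Constructed samples: the two packet-tracer runs quoted above, cut down to the phases
# and Result lines that diagnose() keys on (phase numbers kept from the original).
TRACE_202 = """Phase: 3
Type: ACCESS-LIST
Result: DROP
Config:
Implicit Rule
Result:
output-interface: NP Identity Ifc
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule"""
TRACE_203 = """Phase: 1
Type: UN-NAT
Result: ALLOW
Config:
object network 172.16.100.3_25_xyz
nat (DMZ,xyz) static 202.175.xx.203 service tcp smtp smtp
Additional Information:
Untranslate 202.175.xx.203/25 to 172.16.100.3/25
Phase: 2
Type: ACCESS-LIST
Result: ALLOW
Config:
access-list xyz extended permit tcp any host 172.16.100.3 eq smtp
Result:
output-interface: DMZ
Action: allow"""

def diagnose(trace):
    """Pull out what the two runs differ on: which NAT rule un-translated the
    destination, which rule dropped the packet, and the closing Result fields."""
    head, _, tail = trace.partition("\nResult:\n")
    unnat, dropped, cfg, bucket = [], [], [], None
    for line in head.splitlines():
        if line.startswith("Phase:"):
            cfg, bucket = [], None           # new phase: fresh Config: collector
        elif line == "Type: UN-NAT":
            unnat = cfg                      # this phase's Config: lines are the matched static NAT rule
        elif line == "Result: DROP":
            dropped = cfg                    # this phase's Config: lines are the rule that denied the flow
        elif line == "Config:":
            bucket = cfg
        elif line.endswith(":"):
            bucket = None                    # "Additional Information:" etc. end the rule text
        elif bucket is not None and line.strip():
            bucket.append(line)
    summary = dict(l.split(": ", 1) for l in tail.splitlines() if ": " in l)
    return {"matched_nat": unnat, "dropped_by": dropped,
            "egress": summary.get("output-interface"), "action": summary.get("Action"),
            "drop_reason": summary.get("Drop-reason")}
```

An empty matched_nat together with an egress of NP Identity Ifc is the signature of the .202 run: no static rule un-translated the destination, so the flow was routed to the ASA itself and hit the implicit deny instead of the access-list entry written for 172.16.100.x.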
05-20-2017 03:53 AM
Can you post a "sh nat"?
Jon
05-20-2017 06:34 AM
service tcp destination eq smtp
nat (ServerFarm,xyz2) source static object_10.10.120.0 object_10.10.120.0 destination static object_10.10.10.10.0 object_10.10.10.10.0
nat (ServerFarm,xyz1) source static object_10.10.120.0 object_10.10.120.0 destination static object_10.10.10.10.0 object_10.10.10.10.0
nat (Inside,xyz2) source dynamic any interface
nat (DMZ,xyz1) source dynamic any interface
nat (DMZ,xyz2) source dynamic any interface
nat (Inside,Informac) source dynamic any interface
nat (ServerFarm,Informac) source dynamic any interface
nat (WIFI_AP,xyz2) source dynamic any interface
nat (WIFI_AP,xyz1) source dynamic any interface
nat (ServerFarm,xyz1) source dynamic any interface
nat (ServerFarm,xyz2) source dynamic any interface
nat (WIFI_Staff,xyz2) source dynamic any interface
nat (WIFI_Staff,xyz1) source dynamic any interface
nat (WIFI_Guest,xyz2) source dynamic any interface
nat (WIFI_Guest,xyz1) source dynamic any interface
nat (WIFI_Media,xyz2) source dynamic any interface
nat (WIFI_Media,xyz1) source dynamic any interface
nat (CCenter,xyz2) source dynamic any interface
nat (CCenter,xyz1) source dynamic any interface
nat (Inside,xyz1) source dynamic any interface
nat (DMZ,xyz1) static 202.175.xx.203 service tcp smtp smtp
nat (ServerFarm,xyz1) static 202.175.xx.203 service tcp https https
nat (ServerFarm,xyz1) static 202.175.xx.203 service tcp www www
nat (ServerFarm,xyz1) static 202.175.xx.204
nat (ServerFarm,xyz1) static 202.175.xx.205 service tcp https https
nat (ServerFarm,xyz1) static 202.175.xx.205 service tcp www www
nat (DMZ,xyz2) static 182.93.x1.27 service tcp smtp smtp
nat (DMZ,xyz2) static 182.93.x1.28 service tcp smtp smtp
nat (ServerFarm,xyz2) static 182.93.x1.27 service tcp https https
nat (ServerFarm,xyz2) static 182.93.x1.27 service tcp www www
nat (ServerFarm,xyz2) static 182.93.x1.29
nat (DMZ,xyz1) static 202.175.xx.202 service tcp smtp smtp
05-20-2017 06:55 AM
I'm not sure that is the output of "sh nat", i.e. it should show the hits etc.
I think the problem is with the order of your NAT rules but I need to see the proper output first.
Jon