03-02-2012 03:20 AM - edited 03-11-2019 03:37 PM
hi all,
I have some issues with Twice NAT on ASA (8.4.2); there is something I don't understand.
The FTP server is on the inside and the client is on the outside.
I did something like this:
object network NATED-11
host 20.20.20.11
object network REAL-2
host 10.200.200.2
object service SRV-FTP
service tcp destination eq ftp
nat (outside,inside) source static any any destination static NATED-11 REAL-2 service SRV-FTP SRV-FTP
So theoretically there should be a problem with NAT because there is a second channel for data, etc. BUT according to the docs:
"For applications that require application inspection for secondary channels (for example, FTP and VoIP),
the ASA automatically translates the secondary ports."
The problem is that it doesn't work at all, and I got these syslogs.
Debug on the ASA shows:
ASA5510(config)# nat: untranslation - outside:20.20.20.11/21 to inside:10.200.200.2/21
nat: untranslation - outside:20.20.20.11/21 to inside:10.200.200.2/21
nat: untranslation - outside:20.20.20.11/21 to inside:10.200.200.2/21
nat: translation - outside:20.20.20.252/37924 failed - port is not found in xlate(0-0)
nat: rewriting real inside:10.200.200.2/11048, hint 20.20.20.11/0, dest outside:20.20.20.252/0 (rdip 20.20.20.252)
nat: translation - inside:10.200.200.2/40878 failed - port is not found in xlate(21-21)
nat: policy lock 0xae286618, old count is 2
nat: translation - inside:10.200.200.2/11048 to outside:20.20.20.11/28417
flow: requesting real outside:20.20.20.252/0 -> real inside:10.200.200.2/11048
nat: rewriting real inside:10.200.200.2/11048, hint 20.20.20.11/0, dest outside:20.20.20.252/0 (rdip 20.20.20.252)
nat: translation - inside:10.200.200.2/11048 to outside:20.20.20.11/28417
flow: listen real inside:10.200.200.2/11048, mapped outside:20.20.20.11/28417)
flow: hole prot 6/0, 20.20.20.252/0 -> outside:20.20.20.11/28417
nat: translation - outside:20.20.20.252/0 to inside:20.20.20.252/0
nat: untranslation - outside:20.20.20.11/28417 to inside:10.200.200.2/11048
nat: untranslation - outside:20.20.20.11/28417 to inside:10.200.200.2/11048
nat: untranslation - outside:20.20.20.11/28417 to inside:10.200.200.2/11048
nat: translation - outside:20.20.20.252/0 to inside:20.20.20.252/0
nat: rewriting real outside:20.20.20.252/22139, hint 20.20.20.252/0, dest inside:20.20.20.11/28417 (rdip 10.200.200.2)
nat: translation - outside:20.20.20.252/0 to inside:20.20.20.252/0
nat: WARNING - no port in pool -1374108800, prot 6/0, outside:20.20.20.252/22139 to inside:20.20.20.252
nat: no xlate found; ecode -> 5
nat: untranslation - outside:20.20.20.11/28417 to inside:10.200.200.2/11048
nat: untranslation - outside:20.20.20.11/28417 to inside:10.200.200.2/11048
nat: translation - outside:20.20.20.252/0 to inside:20.20.20.252/0
nat: rewriting real outside:20.20.20.252/22139, hint 20.20.20.252/0, dest inside:20.20.20.11/28417 (rdip 10.200.200.2)
nat: translation - outside:20.20.20.252/0 to inside:20.20.20.252/0
nat: WARNING - no port in pool -1374108800, prot 6/0, outside:20.20.20.252/22139 to inside:20.20.20.252
nat: no xlate found; ecode -> 5
nat: rewriting real outside:20.20.20.252/47689, hint 20.20.20.252/0, dest inside:20.20.20.11/0 (rdip 20.20.20.252)
nat: translation - outside:20.20.20.252/0 to inside:20.20.20.252/0
nat: WARNING - no port in pool -1374108800, prot 6/0, outside:20.20.20.252/47689 to inside:20.20.20.252
nat: no xlate found; ecode -> 5
nat: rewriting real outside:20.20.20.252/47689, hint 20.20.20.252/0, dest inside:20.20.20.11/0 (rdip 20.20.20.252)
nat: translation - outside:20.20.20.252/0 to inside:20.20.20.252/0
nat: ERROR - augment not requested for outside:20.20.20.252/47689 -> inside
nat: no xlate found; ecode -> 0
nat: rewriting real outside:20.20.20.252/47689, hint 20.20.20.252/0, dest inside:20.20.20.11/0 (rdip 20.20.20.252)
nat: translation - outside:20.20.20.252/0 to inside:20.20.20.252/0
nat: ERROR - augment not requested for outside:20.20.20.252/47689 -> inside
nat: no xlate found; ecode -> 0
nat: rewriting real outside:20.20.20.252/47689, hint 20.20.20.252/0, dest inside:20.20.20.11/0 (rdip 20.20.20.252)
nat: translation - outside:20.20.20.252/0 to inside:20.20.20.252/0
nat: ERROR - augment not requested for outside:20.20.20.252/47689 -> inside
nat: no xlate found; ecode -> 0
nat: rewriting real outside:20.20.20.252/47689, hint 20.20.20.252/0, dest inside:20.20.20.11/0 (rdip 20.20.20.252)
nat: translation - outside:20.20.20.252/0 to inside:20.20.20.252/0
nat: ERROR - augment not requested for outside:20.20.20.252/47689 -> inside
nat: no xlate found; ecode -> 0
To make it work I need to modify the NAT rule to something like this (translate the client's source to the inside interface of the ASA):
nat (outside,inside) 1 source static any interface destination static NATED-11 REAL-2 service SRV-FTP SRV-FTP
Could someone explain why it's not working in the first place? I JUST WANT TO KNOW.
Ah, I forgot to mention that both FTP modes were tested (passive and active).
regards
03-02-2012 03:45 AM
OK, I think I was wrong about the docs, because that passage was regarding static NAT and I used Twice NAT,
and for STATIC PAT it worked well!!! My mistake.
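For reference, here is the static PAT form the follow-up says worked, written as object NAT on the same objects, together with the show commands used to confirm the control-channel xlate and the inspected data connections. This is an added illustration, not config from the original thread; the `global_policy` / `inspection_default` names are the ASA defaults and are assumed here.

```cisco
! Static PAT via object NAT: 20.20.20.11:21 (outside) maps to 10.200.200.2:21 (inside).
! Object NAT carries the port mapping with the xlate, so FTP inspection can open
! the secondary data-channel ports against it (the behaviour the docs describe).
object network REAL-2
 host 10.200.200.2
 nat (inside,outside) static 20.20.20.11 service tcp ftp ftp
!
! FTP inspection must be on for the data channel to be translated; it is part of the
! default global policy (assumed default names).
policy-map global_policy
 class inspection_default
  inspect ftp
!
! Verification (assumed to be run from privileged EXEC while a client session is open):
! show xlate                  -> expect a static TCP entry 10.200.200.2/21 <-> 20.20.20.11/21
! show nat detail             -> expect translate_hits incrementing on the static rule
! show conn port 21           -> expect the control connection with flags indicating inspection
! show conn protocol tcp address 10.200.200.2 -> data connections should appear alongside port 21
```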