Cannot configure NAT using outside interface IP to two different DMZ servers

Rowlands Price
Level 1

Hi Support,

I have a little issue.

I have a Cisco ASA 5525-X using version 8.6(1).

My issue is that I cannot configure NAT to allow users from the Internet to access servers located on dmz1 and dmz4.

The nat should use the outside ip interface.

outside ip: 172.16.1.1 (for testing)

dmz1: server ip: 192.168.46.15, ports that must be used: https and 8080

dmz4: server ip 192.168.35.2, ports that must be used: tcp 7909, 7910 and 7911

All servers from dmz must access internet.

Can you please help me regarding nat configuration?

Attached is my diagram

2 Accepted Solutions

Accepted Solutions

Francesco Molino
VIP Alumni

Hi 

Here is an example of the NAT statements for dmz1. As the NAT ports are not contiguous, you'll need to create 2 objects and apply a NAT statement to each, plus the ACL needed on your outside interface.

In the example I've done 2 different ACEs, 1 per port. You can also create a port object and then have only 1 ACE referring to that port object for this specific host.

object network dmz1-8080
 host 192.168.46.15
 nat (dmz1,outside) static 172.16.1.1 service tcp 8080 8080
!
object network dmz1-https
 host 192.168.46.15
 nat (dmz1,outside) static 172.16.1.1 service tcp 443 443
!
access-list outside_access_in extended permit tcp any object dmz1-https eq https
access-list outside_access_in extended permit tcp any object dmz1-8080 eq 8080

For dmz4, as the ports are contiguous, we can do it another way:

object network dmz4-srv
 host 192.168.35.2
!
object service Obj-Ports
 service tcp destination range 7909 7911
!
nat (outside,dmz4) source static any any destination static interface dmz4-srv service Obj-Ports Obj-Ports
!
access-list outside_access_in extended permit tcp any object dmz4-srv range 7909 7911

I don't have your config, but NAT order is important so that rules do not overlap.

Sorry for my paging, I'm using my mobile phone to answer your question.

Thanks 

PS: Please don't forget to rate and mark as correct answer if this answered your question 


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question


Hi

172.16.1.1 is the IP assigned to your outside interface; that's why you get this error message.

Then you need to change that statement to:

nat (dmz1,outside) static interface service tcp 443 443

Thanks

PS: Please don't forget to rate and mark as correct answer if this answered your question 


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

23 Replies


Hi Francesco

I have an error message when I write these commands

host 192.168.46.15
nat (dmz1,outside) static 172.16.1.1 service tcp 8080 8080

Here is the error message

ciscoasa(config-network-object)# nat (dmz1-,outside) static 172.16.1.1 serv$
ERROR: Address 172.16.1.1 overlaps with outside interface address.
ERROR: NAT Policy is not downloaded


Hi Francesco,

Still not working, but the error message disappeared.

Attached is my actual config; it's on a test firewall running version 8.3.

regards

Your config isn't attached.


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Hi,

Just reloaded the ASA and it's now working well.

But when I applied these commands, it's not working:

nat (dmz-egov,outside) source dynamic dmz-egov_network interface

This NAT is for allowing dmz-egov_network to go to the Internet, right?

Thanks for support

I don't see this NAT in your config.

Can you apply it and do a packet-tracer?

packet-tracer input dmz-egov icmp 192.168.46.20 8 0 8.8.8.8

Thanks


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Hi

Here is the NAT applied:

nat (dmz-egov,outside) source dynamic dmz-egov_network interface

Here is the packet-tracer:

ciscoasa(config)# packet-tracer input dmz-egov icmp 192.168.46.15 8 0 8.8.8.8

Result:
input-interface: dmz-egov
input-status: up
input-line-status: up
Action: drop
Drop-reason: (no-route) No route to host

ciscoasa(config)#

This message appears if an interface is down and/or if your default route does not exist.

Like before, try to save and reboot your ASA.

Thanks


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Sorry, the cable was unplugged.

Here is the result:

ciscoasa(config)# packet-tracer input dmz-egov icmp 192.168.46.15 8 0 8.8.8.8

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group dmz-egov_access_in in interface dmz-egov
access-list dmz-egov_access_in extended permit ip object dmz-egov_network any log disable
Additional Information:

Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 4
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (dmz-egov,outside) source dynamic dmz-egov_network interface
Additional Information:
Dynamic translate 192.168.46.15/0 to 217.77.77.210/28229

Phase: 6
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 751, packet dispatched to next module

Result:
input-interface: dmz-egov
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow

ciscoasa(config)#

Then it works.


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Strange.

With NAT, I cannot reach my FTP behind 217.77.77.210.

Actually I have a PC connected to the outside interface with IP 217.77.77.211.

To test the application, I tried FTP to 217.77.77.210 and the host behind replies.

Without nat (dmz-egov,outside) I can reach FTP, and with nat (dmz-egov,outside) it's not working.

Regards

I'm sorry I don't get what you said. 

Can you do the packet tracer matching this traffic and paste the output? 


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Sorry,

with this nat (dmz-egov,outside) source dynamic dmz-egov_network interface

here is the packet-tracer from outside to access my FTP server, and it's not working:

ciscoasa(config)# packet-tracer input outside tcp 8.8.8.8 ftp 217.77.77.210 ftp

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 217.77.77.210 255.255.255.255 identity

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

ciscoasa(config)#
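The last trace shows two things worth checking: the ACCESS-LIST phase hits "Implicit Rule", meaning no access list is bound to the outside interface, and the ROUTE-LOOKUP resolves to "identity", meaning no static entry untranslated the outside address before the manual dynamic PAT rule was consulted. The following is an added example, not code from this thread or from Cisco: a consolidated layout for the setup described here that keeps the port forwards in object NAT (section 2), moves the outbound PAT to section 3 with after-auto, and binds the ACL. Interface names, the DMZ subnet masks, and the test source address 198.51.100.10 are assumptions.

```cisco
! Added example (not from the original thread). Interface names, subnet masks
! and the test source address are assumed.
!
! --- Inbound port forwards on the outside interface address (object NAT, section 2).
object network dmz1-https
 host 192.168.46.15
 nat (dmz1,outside) static interface service tcp 443 443
object network dmz1-8080
 host 192.168.46.15
 nat (dmz1,outside) static interface service tcp 8080 8080
!
! --- Contiguous range on dmz4 as twice NAT (section 1), real interface is dmz4.
object network dmz4-srv
 host 192.168.35.2
object service Obj-Ports
 service tcp destination range 7909 7911
nat (outside,dmz4) source static any any destination static interface dmz4-srv service Obj-Ports Obj-Ports
!
! --- Outbound PAT for the DMZ networks in section 3 (after-auto), so it is
! evaluated only after the static entries above. A section 1 dynamic PAT to the
! same interface address can intercept inbound connections meant for the forwards.
object network dmz1_network
 subnet 192.168.46.0 255.255.255.0
object network dmz4_network
 subnet 192.168.35.0 255.255.255.0
nat (dmz1,outside) after-auto source dynamic dmz1_network interface
nat (dmz4,outside) after-auto source dynamic dmz4_network interface
!
! --- Only the forwarded ports are opened from the Internet. On ASA 8.3 and later
! the ACL references the real (untranslated) addresses, and it must be bound to
! the interface or the implicit deny applies (the acl-drop seen in the trace).
access-list outside_access_in extended permit tcp any object dmz1-https eq https
access-list outside_access_in extended permit tcp any object dmz1-8080 eq 8080
access-list outside_access_in extended permit tcp any object dmz4-srv range 7909 7911
access-group outside_access_in in interface outside
!
! --- Verify from the outside side; the NAT phase should show the untranslate to
! 192.168.46.15 and the ACCESS-LIST phase should name outside_access_in.
! packet-tracer input outside tcp 198.51.100.10 12345 172.16.1.1 443
```

Check the order with show nat and show nat detail: the after-auto rules should appear in section 3, below the object NAT entries, and the section 1 dynamic rule from the thread should be gone.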
