Cannot Get Static NAT Working

06-24-2015 12:49 PM - edited 03-11-2019 11:10 PM
I'm prepping to put a 5545-X in to replace a 5505. The 5505 was running pre-8.3, and our new one is running 9.1. I have been trying to do the most basic thing I thought possible (statically NAT'ing an internal server) and have had zero success. Can someone take a look at my config and offer up some opinions on what I'm doing wrong? I've tried via CLI and ASDM and gotten nowhere fast. I have set up a test subnet and server that I've been trying to work with since I don't want to affect current production traffic. The internal server IP is 172.16.10.5, and the public IP I will use here is 2.3.4.5.
I created a bunch of objects to use in the configs. Here are the relevant ones to my testing:
```
object network vpn_clients
 range 172.16.10.10 172.16.10.255
object service http
 service tcp destination eq www
object network public-test-ip
 host 2.3.4.5
object network test
 subnet 172.16.10.0 255.255.255.0
object network test-server
 host 172.16.10.5
 description test for outside access
```
I created the post-8.2 equivalent of nonat for vpn clients going to an object-group I called internal_subnet, which is made up of all the internal subnets including the test network.
```
nat (inside,outside) source static vpn_clients vpn_clients destination static internal_subnet internal_subnet no-proxy-arp route-lookup
nat (outside,inside) source static vpn_clients vpn_clients destination static internal_subnet internal_subnet no-proxy-arp route-lookup
!
```
Dynamic PAT for internal users to access the internet via the outside interface's IP, and a static NAT for the test web server
```
object network cage1
 nat (inside,outside) dynamic interface
object network cage2
 nat (inside,outside) dynamic interface
object network test
 nat (test,outside) dynamic interface
object network test-server
 nat (test,outside) static public-test-ip
```
I cannot access the web server from outside. I ran packet-tracer:
```
packet-tracer input outside tcp 216.58.219.228 http 2.3.4.5 http detailed

Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
object network test-server
 nat (test,outside) static public-test-ip
Additional Information:
NAT divert to egress interface test
Untranslate 2.3.4.5/80 to 172.16.10.5/80

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside_access_in in interface outside
access-list outside_access_in extended permit tcp any object test-server eq www
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7ffed04e1fc0, priority=13, domain=permit, deny=false
        hits=31, user_data=0x7ffec763a680, cs_id=0x0, use_real_addr, flags=0x0, protocol=6
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=172.16.10.5, mask=255.255.255.255, port=80, tag=0, dscp=0x0
        input_ifc=outside, output_ifc=any

Phase: 3
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7ffece8da2b0, priority=0, domain=nat-per-session, deny=false
        hits=353197, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
        input_ifc=any, output_ifc=any

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7ffecf682e80, priority=0, domain=inspect-ip-options, deny=true
        hits=304458, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
        input_ifc=outside, output_ifc=any

Phase: 5
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7ffecffd6450, priority=13, domain=ipsec-tunnel-flow, deny=true
        hits=100011, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
        input_ifc=outside, output_ifc=any

Phase: 6
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
object network test-server
 nat (test,outside) static public-test-ip
Additional Information:
 Forward Flow based lookup yields rule:
 out id=0x7ffecf755ba0, priority=6, domain=nat-reverse, deny=false
        hits=32, user_data=0x7ffed01db480, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=172.16.10.5, mask=255.255.255.255, port=0, tag=0, dscp=0x0
        input_ifc=outside, output_ifc=test

Phase: 7
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
 Reverse Flow based lookup yields rule:
 in  id=0x7ffece8da2b0, priority=0, domain=nat-per-session, deny=false
        hits=353199, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
        input_ifc=any, output_ifc=any

Phase: 8
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
 Reverse Flow based lookup yields rule:
 in  id=0x7ffed03854d0, priority=0, domain=inspect-ip-options, deny=true
        hits=2495, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
        input_ifc=test, output_ifc=any

Phase: 9
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 153896, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_translate
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Module information for reverse flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_tcp_normalizer
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: test
output-status: up
output-line-status: up
Action: allow
```
To me that looks like I should be able to hit my web server. I did a reverse trace from the local address of 172.16.10.5 to a public IP (I used one of Google's) and verified that traffic out should work as well from this host. I don't see what I'm missing. I'd appreciate your input.
Thank you.
Labels: NGFW Firewalls
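When packet-tracer says `allow` but the connection still fails, the useful fact is exactly the one the trace above shows: the ASA un-NATs 2.3.4.5/80 to 172.16.10.5/80 and creates the flow, so the packet leaves the firewall. The following is an added example, not code from the thread or from Cisco: a small Python parser for packet-tracer output in the one-field-per-line form the ASA prints, plus a check that the UN-NAT phase produced the expected translation and that no phase dropped the packet. `SAMPLE_TRACE` is an abridged copy of the trace in this post; `DROP_TRACE` is a constructed variant in which the access list denies the packet. The function names and the verdict wording are my own.

```python
import re
from dataclasses import dataclass

# Constructed sample: an abridged copy of the thread's trace (phases 3-9 omitted),
# laid out one field per line as the ASA prints it.
SAMPLE_TRACE = """\
Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
object network test-server
 nat (test,outside) static public-test-ip
Additional Information:
NAT divert to egress interface test
Untranslate 2.3.4.5/80 to 172.16.10.5/80

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside_access_in in interface outside
access-list outside_access_in extended permit tcp any object test-server eq www
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7ffed04e1fc0, priority=13, domain=permit, deny=false

Result:
input-interface: outside
output-interface: test
Action: allow
"""

# Constructed variant in which the access-list phase denies the packet; a real
# drop trace stops at the dropping phase and names a Drop-reason in the summary.
DROP_TRACE = (
    SAMPLE_TRACE.replace("Subtype: log\nResult: ALLOW", "Subtype: log\nResult: DROP")
    .replace("Action: allow", "Action: drop\nDrop-reason: (acl-drop) Flow is denied by configured rule")
)

FIELD_RE = re.compile(r"^(Type|Subtype|Result|Config|Additional Information):\s*(.*)$")


@dataclass
class Phase:
    number: int
    kind: str     # the Type: line, e.g. UN-NAT, ACCESS-LIST, NAT, FLOW-CREATION
    subtype: str
    result: str   # ALLOW or DROP
    config: str   # Config: lines, newline-joined
    info: str     # Additional Information: lines, newline-joined


def parse_packet_tracer(text):
    """Split a trace into its phases and the final summary block (a dict)."""
    # Each phase prints "Result: ALLOW"; only the final summary has a bare "Result:".
    parts = re.split(r"(?m)^Result:[ \t]*$", text, maxsplit=1)
    phase_text, summary_text = parts[0], (parts[1] if len(parts) > 1 else "")
    phases = []
    for block in re.split(r"(?m)^Phase:[ \t]*", phase_text)[1:]:
        lines = block.strip().splitlines()
        fields = dict.fromkeys(("Type", "Subtype", "Result", "Config", "Additional Information"), "")
        current = None
        for line in lines[1:]:
            m = FIELD_RE.match(line)
            if m:
                current = m.group(1)
                fields[current] = m.group(2).strip()
            elif current and line.strip():   # continuation line of the current field
                fields[current] = (fields[current] + "\n" + line.strip()).strip()
        phases.append(Phase(int(lines[0]), *(fields[k] for k in fields)))
    summary = {}
    for line in summary_text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            summary[key.strip()] = value.strip()
    return phases, summary


def check_static_nat(text, public_ip, real_ip, port):
    """Does the trace un-NAT public_ip:port to real_ip:port and allow the flow end to end?"""
    phases, summary = parse_packet_tracer(text)
    expected = f"Untranslate {public_ip}/{port} to {real_ip}/{port}"
    untranslated = any(p.kind == "UN-NAT" and expected in p.info for p in phases)
    dropped = [f"{p.number}:{p.kind}" for p in phases if p.result.upper() == "DROP"]
    action = summary.get("Action", "").lower()
    if dropped:
        verdict = f"dropped in phase {', '.join(dropped)}: {summary.get('Drop-reason', 'no reason given')}"
    elif not untranslated:
        verdict = "no UN-NAT phase translates the public address; check the object NAT statement"
    elif action == "allow":
        verdict = ("ASA allows the flow and un-NATs to the real address; the connection is lost "
                   "after the ASA (host firewall, server routing, upstream routing of the public IP)")
    else:
        verdict = f"unexpected final action {action!r}"
    return {"action": action, "egress": summary.get("output-interface", ""),
            "untranslated": untranslated, "dropped": dropped, "verdict": verdict}


if __name__ == "__main__":
    for name, trace in (("allow", SAMPLE_TRACE), ("drop", DROP_TRACE)):
        print(name, "->", check_static_nat(trace, "2.3.4.5", "172.16.10.5", 80)["verdict"])
```

Paste a full trace into `check_static_nat` with the public and real addresses from the object NAT statement; an `allow` verdict with the expected `Untranslate` line means the ASA is not where the flow is lost, which is the conclusion this post's trace supports.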

06-24-2015 01:01 PM
I'm pasting my entire config in case the snippets above aren't enough info/are too disjointed.
```
ASA Version 9.2(2)4
!
hostname internap-5545
domain-name company.com
enable password ******* encrypted
passwd ******* encrypted
names
ip local pool Remote_Users 172.16.10.10-172.16.10.254 mask 255.255.255.0
!
interface GigabitEthernet0/4
 nameif test
 security-level 100
 ip address 172.16.10.1 255.255.255.0
!
interface Management0/0
 management-only
 nameif management
 security-level 100
 ip address 172.16.2.2 255.255.255.0
!
interface Redundant1
 member-interface GigabitEthernet0/0
 member-interface GigabitEthernet0/2
 nameif outside
 security-level 0
 ip address 2.3.4.4 255.255.255.192
!
interface Redundant2
 member-interface GigabitEthernet0/1
 member-interface GigabitEthernet0/3
 shutdown
 nameif inside
 security-level 100
 ip address 10.50.10.2 255.255.0.0
!
dns domain-lookup outside
dns domain-lookup test
dns server-group DefaultDNS
 name-server 10.51.20.254
 name-server 192.168.1.18
 domain-name company.com
same-security-traffic permit intra-interface
object network staging-server
 host 10.50.151.24
object network netboot
 host 10.50.159.10
object network office
 subnet 192.168.1.0 255.255.255.0
object network cage1
 subnet 10.50.0.0 255.255.0.0
object network cage2
 subnet 10.51.0.0 255.255.0.0
object network ipmi-1
 subnet 172.16.1.0 255.255.255.0
object network ipmi-2
 subnet 172.16.2.0 255.255.255.0
object network vpn_clients
 range 172.16.10.10 172.16.10.255
object service http
 service tcp destination eq www
object network public-test-ip
 host 2.3.4.5
object network test
 subnet 172.16.10.0 255.255.255.0
object network test-server
 host 172.16.10.5
 description test for outside access
object-group network internal_subnet
 network-object object office
 network-object object cage1
 network-object object ipmi-1
 network-object object ipmi-2
 network-object object test
 network-object object cage2
access-list l2l-crypt extended permit ip object-group internal_subnet object office
access-list outside_access_in extended permit tcp any object test-server eq www
access-list split_tunnel standard permit 10.50.0.0 255.255.0.0
access-list split_tunnel standard permit 10.51.0.0 255.255.0.0
access-list split_tunnel standard permit 172.16.1.0 255.255.255.0
access-list split_tunnel standard permit 172.16.2.0 255.255.255.0
access-list split_tunnel standard permit 192.168.0.0 255.255.0.0
access-list split_tunnel standard permit 172.16.10.0 255.255.255.
nat (inside,outside) source static internal_subnet internal_subnet destination static office office no-proxy-arp route-lookup
nat (inside,outside) source static vpn_clients vpn_clients destination static internal_subnet internal_subnet no-proxy-arp route-lookup
nat (outside,inside) source static vpn_clients vpn_clients destination static internal_subnet internal_subnet no-proxy-arp route-lookup
!
object network cage1
 nat (inside,outside) dynamic interface
object network cage2
 nat (inside,outside) dynamic interface
object network test
 nat (test,outside) dynamic interface
object network test-server
 nat (test,outside) static public-test-ip
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 2.3.4.12 1
route test 10.51.0.0 255.255.0.0 172.16.10.2 1
route management 172.16.1.0 255.255.255.0 172.16.2.1 1
```

06-25-2015 08:25 AM
Everything looks OK at first glance. Are you sure that there is no firewall set up on your test server that would be blocking inbound port 80?
