Cisco ASA NAT

Hello @Richard Burts @balaji.bandi @Rob Ingram

Internal IP address: 10.150.170.72

External IP: x.x.x.x

I am trying to map the external IP to the internal IP over port 587. Please advise which commands I need.

I tried the following commands:

object network obj_10.170.150.72
host 10.170.150.72
nat (inside,outside) static x.x.x.x service 587 587

It came back with this error message:

TMGHQ5516(config-network-object)# nat (inside,outside) static x.x.x.x ser$
ERROR: Address x.x.x.x overlaps with outside interface address.
ERROR: NAT Policy is not downloaded

Thanks,

1 ACCEPTED SOLUTION

VIP Mentor
Hi,

Seems like you are NATting to the outside interface; replace x.x.x.x with the value "interface", e.g.:

nat (INSIDE,OUTSIDE) static interface service tcp 587 587

7 REPLIES

@Rob Ingram

I added that and it did not come back with an error message.

When I run packet-tracer, it is still coming back with an error.

 

TMGHQ5516(config)# packet-tracer input outside tcp 8.8.8.8 587 10.170.150.72 5$

Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 10.170.150.72 using egress ifc inside

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside_access_in in interface outside
access-list outside_access_in extended permit ip any any
Additional Information:

Phase: 3
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: FOVER
Subtype: standby-update
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
object network obj_10.170.150.72
nat (inside,outside) static interface service tcp 587 587
Additional Information:

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule, Drop-location: frame 0x00005584a16ce44a flow (nat-rpf-failed)/snp_sp_action_cb:1140

Thanks,

VIP Mentor

The output seems to confirm an rpf-check failure.

Run a capture, e.g. "capture CAP type asp-drop nat-rpf-failed", test again and then provide the output of the capture.

@Rob Ingram

TMGHQ5516(config)# show capture CAP
Target: OTHER
Hardware: ASA5516
Cisco Adaptive Security Appliance Software Version 9.13(1)
ASLR enabled, text region 55849fa29000-5584a4402d25

0 packet captured

0 packet shown
TMGHQ5516(config)#

VIP Mentor

Change the destination of the packet-tracer to the global IP address (NATted) and try it again. Better still, generate real traffic.

@Rob Ingram

I read this article and tested creating a session on port 587 from the Internet, and it is working. All good now.


https://www.petenetlive.com/KB/Article/0000904

Thanks,

VIP Mentor

Correct, you run packet-tracer from outside to inside using the outside interface IP address (public) as the destination rather than the real IP address - that's what I meant in my last post by specifying the global IP address (NATted).

Glad it's working now.
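As an added example (not posted in the thread and not Cisco's own documentation), here is the end-to-end configuration the replies converge on, with the ACL narrowed to the published port and the packet-tracer check phrased the way the last two replies describe. The interface names, object name, real host 10.170.150.72, port 587 and the capture command come from the thread; 203.0.113.10 (outside interface address) and 198.51.100.25 (test client) are placeholder addresses, and ASA 8.3+ object-NAT syntax is assumed (the thread shows 9.13(1)).

```cisco
! Real server behind the ASA (object name and host taken from the thread)
object network obj_10.170.150.72
 host 10.170.150.72
 ! Static PAT: <outside-interface-IP>:587 <-> 10.170.150.72:587
 ! "interface" is what avoids the "overlaps with outside interface address"
 ! error that a literal x.x.x.x produces when x.x.x.x is the ASA's own IP.
 nat (inside,outside) static interface service tcp 587 587
!
! Permit only the published service. On ASA 8.3+ interface ACLs match the
! real (untranslated) address, so the object is referenced directly and the
! thread's "permit ip any any" can be narrowed without touching the NAT rule.
access-list outside_access_in extended permit tcp any object obj_10.170.150.72 eq 587
access-group outside_access_in in interface outside
!
! Verify the translation is installed and see its hit counters
show nat detail
!
! Test from the outside: the destination must be the MAPPED address
! (203.0.113.10 = placeholder for the outside interface IP), not the real
! 10.170.150.72. Aiming at the real IP fails the NAT rpf-check and shows
! Drop-reason nat-rpf-failed, exactly as in the thread.
packet-tracer input outside tcp 198.51.100.25 40000 203.0.113.10 587
!
! If real traffic still drops, capture only that drop reason and inspect it
capture CAP type asp-drop nat-rpf-failed
show capture CAP
```

Note that the "0 packet captured" result in the thread is consistent with packet-tracer alone: the asp-drop capture only sees real traffic, so generate a connection from the Internet side before reading it.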
