09-03-2020 10:27 AM - edited 09-03-2020 10:36 AM
Hello @Richard Burts @balaji.bandi @Rob Ingram
Internal IP address: 10.150.170.72
External IP: x.x.x.x
I am trying to map the external IP to the internal IP over port 587. Please advise which commands I need.
I tried following commands:
object network obj_10.170.150.72
host 10.170.150.72
nat (inside,outside) static x.x.x.x service 587 587
It came back with this error message:
TMGHQ5516(config-network-object)# nat (inside,outside) static x.x.x.x ser$
ERROR: Address x.x.x.x overlaps with outside interface address.
ERROR: NAT Policy is not downloaded
Thanks,
09-03-2020 10:39 AM
Hi,
Seems like you are NATting to the outside interface; replace X.X.X.X with the value "interface", e.g.
nat (INSIDE,OUTSIDE) static interface service tcp 587 587
09-03-2020 10:46 AM
I added that and it did not come back with an error message.
When I run packet-tracer, it still comes back with an error.
TMGHQ5516(config)# packet-tracer input outside tcp 8.8.8.8 587 10.170.150.72 5$
Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 10.170.150.72 using egress ifc inside
Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside_access_in in interface outside
access-list outside_access_in extended permit ip any any
Additional Information:
Phase: 3
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 5
Type: FOVER
Subtype: standby-update
Result: ALLOW
Config:
Additional Information:
Phase: 6
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
Phase: 7
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
object network obj_10.170.150.72
nat (inside,outside) static interface service tcp 587 587
Additional Information:
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule, Drop-location: frame 0x00005584a16ce44a flow (nat-rpf-failed)/snp_sp_action_cb:1140
Thanks,
09-03-2020 10:55 AM
The output seems to confirm an rpf-check failure.
Run a capture, e.g. "capture CAP type asp-drop nat-rpf-failed", test again and then provide the output of the capture.
09-03-2020 11:05 AM
TMGHQ5516(config)# show capture CAP
Target: OTHER
Hardware: ASA5516
Cisco Adaptive Security Appliance Software Version 9.13(1)
ASLR enabled, text region 55849fa29000-5584a4402d25
0 packet captured
0 packet shown
TMGHQ5516(config)#
09-03-2020 11:28 AM
Change the destination of the packet-tracer to the global IP address (NATted) and try it again. Better still, generate real traffic.
09-03-2020 11:31 AM
I read this Article and I tested creating session 587 from Internet and it is working. All good now.
https://www.petenetlive.com/KB/Article/0000904
Thanks,
09-03-2020 11:37 AM
Correct, you run packet-tracer from outside to inside using the outside interface IP address (public) as the destination rather than the real IP address - that's what I meant in my last post by specifying the global IP address (NATted).
Glad it's working now.
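For readers landing on this thread later, here is the complete working configuration the answers above arrive at, followed by the packet-tracer invocation that exercises it correctly. This is an added example written for this page, not configuration posted by either participant: the outside interface address 203.0.113.10 and the source port 12345 are constructed placeholders, and the access-list entry is narrowed to TCP/587 toward the object instead of the "permit ip any any" that appears in the original packet-tracer output, which exposes every inside host to the Internet rather than just the mail submission port.

```cisco
! Real (inside) host that will receive TCP/587 from the Internet
object network obj_10.170.150.72
 host 10.170.150.72
 ! Static PAT to the outside interface's own address: "interface" avoids the
 ! "overlaps with outside interface address" error seen when the IP is typed out
 nat (inside,outside) static interface service tcp 587 587
!
! Allow only TCP/587 to the real address (post-NAT, ASA 8.3+ uses real IPs in ACLs)
! instead of the broad "permit ip any any" shown in the thread's packet-tracer output
access-list outside_access_in extended permit tcp any object obj_10.170.150.72 eq 587
access-group outside_access_in in interface outside
!
! Verify: from outside, the DESTINATION must be the mapped (outside interface)
! address, 203.0.113.10 here as a placeholder, not the real 10.170.150.72.
! Using the real IP as destination skips the untranslate step and fails the
! NAT rpf-check with "nat-rpf-failed", exactly as in the thread.
packet-tracer input outside tcp 8.8.8.8 12345 203.0.113.10 587
!
! Confirm the translation and watch hit counts while generating real traffic
show nat detail
show xlate
!
! If rpf failures persist, capture only the dropped frames for that reason
capture CAP type asp-drop nat-rpf-failed
show capture CAP
```

The original attempt used 587 as the packet-tracer source port as well; a real client uses an ephemeral source port, so the placeholder 12345 models traffic more faithfully. The `show nat detail` translate_hits / untranslate_hits counters are the quickest way to confirm that inbound connections are actually being untranslated to 10.170.150.72.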