09-03-2020 10:27 AM - edited 09-03-2020 10:36 AM
Hello @Richard Burts @balaji.bandi @Rob Ingram
Internal IP address: 10.150.170.72
External IP: x.x.x.x
I am trying to map the External IP to the Internal IP over port 587. Please advise which commands I need?
I tried following commands:
object network obj_10.170.150.72
host 10.170.150.72
nat (inside,outside) static x.x.x.x service 587 587
It came back with an error message:
TMGHQ5516(config-network-object)# nat (inside,outside) static x.x.x.x ser$
ERROR: Address x.x.x.x overlaps with outside interface address.
ERROR: NAT Policy is not downloaded
Thanks,
09-03-2020 10:39 AM
Hi,
Seems like you are natting to the outside interface, replace X.X.X.X with the value "interface". e.g
nat (INSIDE,OUTSIDE) static interface service tcp 587 587
09-03-2020 10:46 AM
I added that and it did not come back with an error message.
When I run the packet tracer, it is still coming back with an error.
TMGHQ5516(config)# packet-tracer input outside tcp 8.8.8.8 587 10.170.150.72 5$
Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 10.170.150.72 using egress ifc inside
Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside_access_in in interface outside
access-list outside_access_in extended permit ip any any
Additional Information:
Phase: 3
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 5
Type: FOVER
Subtype: standby-update
Result: ALLOW
Config:
Additional Information:
Phase: 6
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
Phase: 7
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
object network obj_10.170.150.72
nat (inside,outside) static interface service tcp 587 587
Additional Information:
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule, Drop-location: frame 0x00005584a16ce44a flow (nat-rpf-failed)/snp_sp_action_cb:1140
Thanks,
09-03-2020 10:55 AM
The output seems to confirm an rpf-check failure.
Run a capture, e.g. capture CAP type asp-drop nat-rpf-failed, then test again and provide the output of the capture.
09-03-2020 11:05 AM
TMGHQ5516(config)# show capture CAP
Target: OTHER
Hardware: ASA5516
Cisco Adaptive Security Appliance Software Version 9.13(1)
ASLR enabled, text region 55849fa29000-5584a4402d25
0 packet captured
0 packet shown
TMGHQ5516(config)#
09-03-2020 11:28 AM
Change the destination of the packet-tracer to the global IP address (natted) and try it again. Better still, generate real traffic.
09-03-2020 11:31 AM
I read this Article and I tested creating session 587 from Internet and it is working. All good now.
https://www.petenetlive.com/KB/Article/0000904
Thanks,
09-03-2020 11:37 AM
Correct, you run packet-tracer from outside to inside using the outside interface IP address (public) as the destination rather than the real IP address - that's what I meant in my last post by specifying the global IP address (natted).
Glad it's working now.
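Putting the accepted fix (the "interface" keyword in the static NAT) and the later packet-tracer advice (test against the mapped address, not the real one) together, here is an added ASA configuration example; it is not configuration posted in the thread. It assumes interface names inside/outside, takes the real host 10.170.150.72 from the object definition shown in the thread, uses 203.0.113.10 as a stand-in for the firewall's outside (public) address that the thread masks as x.x.x.x, and 198.51.100.5 as an arbitrary Internet client. The access-list is narrowed to the forwarded port instead of the "permit ip any any" visible in the packet-tracer output.

```cisco
! Added example, not from the thread. Assumed values: outside interface IP
! 203.0.113.10, Internet client 198.51.100.5, interfaces named inside/outside.

! 1. Define the real (inside) host.
object network obj_10.170.150.72
 host 10.170.150.72
 ! Map outside-interface-IP:587 to the host's port 587. "interface" is required
 ! here: a literal address equal to the outside interface IP is rejected with
 ! "Address ... overlaps with outside interface address".
 nat (inside,outside) static interface service tcp 587 587

! 2. Permit only the forwarded port inbound. Since ASA 8.3 the ACL references
!    the real (inside) address, not the mapped one. This replaces the
!    "permit ip any any" seen in the packet-tracer output, which would expose
!    every host that any other NAT rule makes reachable.
access-list outside_access_in extended permit tcp any object obj_10.170.150.72 eq 587
access-group outside_access_in in interface outside

! 3. Verify from the outside. The destination is the mapped (global) address,
!    i.e. the outside interface IP, not the inside host. Using the real IP as
!    the destination from outside is what produced the nat-rpf-failed drop in
!    the thread, because no translation matches that packet in that direction.
packet-tracer input outside tcp 198.51.100.5 40000 203.0.113.10 587

! Expected: an UN-NAT phase translating 203.0.113.10/587 to 10.170.150.72/587,
! the ACCESS-LIST phase matching the tcp/587 line, and "Action: allow" at the
! end. The translation itself can be inspected with:
show nat detail
```

Only the single port is exposed by both the NAT statement and the ACL; anything else arriving on the outside interface address still falls through to the implicit deny, which is the behaviour a defender wants from a port forward.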