22689 Views, 5 Helpful, 24 Replies

Cisco ASA 5506-X PAT to interface problem

wh1test
Level 1

Hi people,

I hope somebody can help me. I don't know what to do =(

Cisco ASA5506-X (9.9(2)36)

I have 3 outside interfaces: two for the internet (security level 0) and a third one (named 'bft', security level 10, but I tried setting it to 0 as well) connected to the corporate network (10.0.0.0/8), plus an inside interface (192.168.111.0/24, security level 100).

When I create a PAT to my 'BFT' interface I can't access it from the other side of the corporate network:

nat (inside,bft) 46 source static 192.168.111.250 interface destination static bft-network bft-network service tcp3389 tcp65123

, where bft-network = 10.0.0.0/8

 

TCP request discarded from 10.1.36.126/59802 to bft:10.1.11.30/65123

I applied an "allow any IP traffic" rule on all my interfaces, but without luck.

If I ping 10.1.11.30 or access the ASDM/SSH ports, there are no problems.

 

packet-tracer input bft tcp 10.1.36.126 59802 10.1.11.30 65123 detailed:

Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 10.1.11.30 using egress ifc  identity

Phase: 2
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x2aaac19858c0, priority=0, domain=nat-per-session, deny=false
        hits=11579208, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
        input_ifc=any, output_ifc=any

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x2aaac2c6a640, priority=0, domain=permit, deny=true
        hits=130, user_data=0xa, cs_id=0x0, use_real_addr, flags=0x1000, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
        input_ifc=bft, output_ifc=any

Result:
input-interface: bft
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

packet-tracer input bft icmp 10.1.36.126 8 0 10.1.11.30

Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 10.1.11.30 using egress ifc  identity

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:

Phase: 3
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: CLUSTER-REDIRECT
Subtype: cluster-redirect
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:

Phase: 9
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 10969831, packet dispatched to next module

Phase: 10
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 0.0.0.0 using egress ifc  identity

Phase: 11
Type: ADJACENCY-LOOKUP
Subtype: next-hop and adjacency
Result: ALLOW
Config:
Additional Information:
adjacency Active
next-hop mac address 0000.0000.0000 hits 3167600 reference 119

Result:
input-interface: bft
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
Action: allow

If I make the PAT not to the BFT interface itself but to an additional IP address on that interface, the PAT works!

 

I have no problem with PAT to my other uplink interfaces.

I tried the same scenario on my second ASA 5506-X (version 9.8.2.20), also without luck.

 

Could somebody help please??
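Added helper for triaging traces like the ones pasted above; it is not code from the post or from Cisco. It parses the plain-text packet-tracer layout (Phase/Type/Subtype/Result/Config blocks followed by a final Result block) and reports the first DROP phase, the rule shown under Config:, and the final Drop-reason. The embedded sample is a trimmed excerpt of the TCP trace quoted in the post.

```python
import re
# Trimmed excerpt of the TCP packet-tracer output quoted in the post (rule dumps removed).
SAMPLE = """\
Phase: 1
Type: ROUTE-LOOKUP
Result: ALLOW

Phase: 2
Type: NAT
Subtype: per-session
Result: ALLOW

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
output-interface: NP Identity Ifc
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""
# A phase block runs from its "Phase: N" header to the next header or the final "Result:" line.
PHASE_RE = re.compile(r"^Phase: (\d+)\n(.*?)(?=^Phase: |^Result:\n|\Z)", re.M | re.S)

def parse_phases(text):
    """One dict per phase: number, Type/Subtype/Result and the text under Config:."""
    phases = []
    for num, body in PHASE_RE.findall(text):
        ph = {"phase": int(num)}
        for key in ("Type", "Subtype", "Result"):
            m = re.search(rf"^{key}: ?(.*)$", body, re.M)
            ph[key.lower()] = m.group(1).strip() if m else ""
        m = re.search(r"^Config:\n(.*?)^Additional Information:", body, re.M | re.S)
        ph["config"] = m.group(1).strip() if m else ""   # e.g. "Implicit Rule" or an ACL line
        phases.append(ph)
    return phases

def triage(text):
    """Summarise a trace: final action, egress interface, first DROP phase, rule and reason."""
    tail = text.rsplit("\nResult:\n", 1)[-1].strip().splitlines()
    verdict = {k.strip(): v.strip() for k, _, v in (l.partition(":") for l in tail)}
    drop = next((p for p in parse_phases(text) if p["result"] == "DROP"), None)
    return {"action": verdict.get("Action"), "egress": verdict.get("output-interface"),
            "drop_phase": drop["phase"] if drop else None, "drop_type": drop["type"] if drop else None,
            "drop_rule": drop["config"] if drop else "", "drop_reason": verdict.get("Drop-reason", "")}
```

Running triage(SAMPLE) on the post's TCP trace points at phase 3 (ACCESS-LIST, "Implicit Rule") with egress "NP Identity Ifc", i.e. the packet was treated as destined to the ASA itself rather than un-NATed towards the inside host.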

 

24 Replies

Let me lab this up and I shall get back to you.

Please do not forget to rate.