03-04-2020 05:10 AM - edited 03-04-2020 06:43 AM
Hi people,
I hope somebody can help me. I don't know what to do =(
Cisco ASA5506-X (9.9(2)36)
I have 3 outside interfaces: two for internet (security level 0) and a third one (name 'bft', security level 10, but I tried setting 0 as well) connected to the corporate network (10.0.0.0/8), plus an inside interface (192.168.111.0/24, security level 100).
When I create a PAT to my 'BFT' interface, I can't access it from the other side of the corporate network:
nat (inside,bft) 46 source static 192.168.111.250 interface destination static bft-network bft-network service tcp3389 tcp65123
where bft-network = 10.0.0.0/8
TCP request discarded from 10.1.36.126/59802 to bft:10.1.11.30/65123
I applied a rule allowing any IP traffic on all my interfaces, but without luck.
If I ping 10.1.11.30 or access the ASDM/SSH ports, there are no problems.
packet-tracer input bft tcp 10.1.36.126 59802 10.1.11.30 65123 detailed:
Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 10.1.11.30 using egress ifc identity

Phase: 2
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x2aaac19858c0, priority=0, domain=nat-per-session, deny=false
hits=11579208, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=any, output_ifc=any

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config: Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x2aaac2c6a640, priority=0, domain=permit, deny=true
hits=130, user_data=0xa, cs_id=0x0, use_real_addr, flags=0x1000, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=bft, output_ifc=any

Result:
input-interface: bft
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
packet-tracer input bft icmp 10.1.36.126 8 0 10.1.11.30
Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 10.1.11.30 using egress ifc identity

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config: Implicit Rule
Additional Information:

Phase: 3
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: CLUSTER-REDIRECT
Subtype: cluster-redirect
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:

Phase: 9
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 10969831, packet dispatched to next module

Phase: 10
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 0.0.0.0 using egress ifc identity

Phase: 11
Type: ADJACENCY-LOOKUP
Subtype: next-hop and adjacency
Result: ALLOW
Config:
Additional Information:
adjacency Active
next-hop mac address 0000.0000.0000 hits 3167600 reference 119

Result:
input-interface: bft
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
Action: allow
If I make the PAT not to the BFT interface IP but to an additional IP address on the interface, the PAT works!
I have no problem with PAT to the other uplink interfaces.
I tried the same scenario on my second ASA 5506-X (version 9.8.2.20) without luck.
Could somebody help, please?
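Added example (not code from the original post or from Cisco): a small parser that turns packet-tracer output like the two traces above into per-phase records and reports the first phase that returned DROP together with the final Drop-reason. Comparing the allowed ICMP trace with the dropped TCP trace side by side is easier once the phases are structured; here the TCP trace shows the drop happening in the ACCESS-LIST phase against an "Implicit Rule" (no explicit ACE matched) with the packet headed for "NP Identity Ifc", i.e. traffic addressed to the firewall's own interface address. The parser only assumes the Phase/Type/Subtype/Result/Config/Additional Information layout printed above; the sample strings are copied from the question (the ICMP one abridged to its first three phases plus the final result).

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Dropped TCP trace copied from the question above, flattened to one string.
# The ASA prints one field per line; the parser accepts either layout.
TCP_TRACE = (
    "Phase: 1 Type: ROUTE-LOOKUP Subtype: Resolve Egress Interface Result: ALLOW "
    "Config: Additional Information: found next-hop 10.1.11.30 using egress ifc identity "
    "Phase: 2 Type: NAT Subtype: per-session Result: ALLOW Config: Additional Information: "
    "Forward Flow based lookup yields rule: in id=0x2aaac19858c0, priority=0, "
    "domain=nat-per-session, deny=false hits=11579208, user_data=0x0, cs_id=0x0, reverse, "
    "use_real_addr, flags=0x0, protocol=6 src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any "
    "dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0 input_ifc=any, output_ifc=any "
    "Phase: 3 Type: ACCESS-LIST Subtype: Result: DROP Config: Implicit Rule "
    "Additional Information: Forward Flow based lookup yields rule: in id=0x2aaac2c6a640, "
    "priority=0, domain=permit, deny=true hits=130, user_data=0xa, cs_id=0x0, use_real_addr, "
    "flags=0x1000, protocol=0 src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any "
    "dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0 input_ifc=bft, output_ifc=any "
    "Result: input-interface: bft input-status: up input-line-status: up "
    "output-interface: NP Identity Ifc Action: drop "
    "Drop-reason: (acl-drop) Flow is denied by configured rule"
)

# Abridged from the ICMP trace in the question: phases 1-3 plus the final result.
ICMP_TRACE = (
    "Phase: 1 Type: ROUTE-LOOKUP Subtype: Resolve Egress Interface Result: ALLOW "
    "Config: Additional Information: found next-hop 10.1.11.30 using egress ifc identity "
    "Phase: 2 Type: ACCESS-LIST Subtype: Result: ALLOW Config: Implicit Rule "
    "Additional Information: "
    "Phase: 3 Type: NAT Subtype: per-session Result: ALLOW Config: Additional Information: "
    "Result: input-interface: bft input-status: up input-line-status: up "
    "output-interface: NP Identity Ifc Action: allow"
)


@dataclass
class Phase:
    number: int
    type: str
    subtype: str
    result: str   # ALLOW or DROP
    config: str   # what the phase matched; "Implicit Rule" means no explicit ACE
    info: str     # the "Additional Information" text


@dataclass
class Trace:
    phases: List[Phase]
    input_ifc: str
    output_ifc: str
    action: str                 # allow or drop
    drop_reason: Optional[str]  # only present when the packet is dropped


# One phase block; the lazy groups stop at the next field label.
PHASE_RE = re.compile(
    r"Phase:\s*(?P<num>\d+)\s*Type:\s*(?P<type>\S+)\s*Subtype:\s*(?P<subtype>.*?)\s*"
    r"Result:\s*(?P<result>ALLOW|DROP)\s*Config:\s*(?P<config>.*?)\s*"
    r"Additional Information:\s*(?P<info>.*?)\s*$",
    re.DOTALL,
)


def parse_packet_tracer(text: str) -> Trace:
    """Split packet-tracer output into its phases and the final verdict block."""
    # The final block begins with "Result: input-interface:" and is not a phase.
    tail = re.search(r"Result:\s*input-interface:.*$", text, re.DOTALL)
    summary = tail.group(0) if tail else ""
    body = text[: tail.start()] if tail else text

    phases = []
    for chunk in re.split(r"(?=Phase:\s*\d+)", body):
        chunk = chunk.strip()
        if not chunk:
            continue
        m = PHASE_RE.match(chunk)
        if m is None:
            raise ValueError(f"unrecognised phase block: {chunk[:60]!r}")
        phases.append(Phase(int(m["num"]), m["type"], m["subtype"],
                            m["result"], m["config"], m["info"]))

    def field(pattern: str) -> str:
        f = re.search(pattern, summary, re.DOTALL)
        return f.group(1).strip() if f else ""

    reason = field(r"Drop-reason:\s*(.*?)\s*$")
    return Trace(phases,
                 field(r"input-interface:\s*(\S+)"),
                 field(r"output-interface:\s*(.*?)\s*Action:"),
                 field(r"Action:\s*(\w+)"),
                 reason or None)


def first_drop(trace: Trace) -> Optional[Phase]:
    """The phase that rejected the packet, or None when every phase allowed it."""
    return next((p for p in trace.phases if p.result == "DROP"), None)


def explain(trace: Trace) -> str:
    """One-line summary pointing at the phase to investigate."""
    drop = first_drop(trace)
    if drop is None:
        return (f"{trace.action}: all {len(trace.phases)} phases allowed "
                f"({trace.input_ifc} -> {trace.output_ifc})")
    return (f"drop at phase {drop.number} {drop.type} "
            f"(config: {drop.config or 'n/a'}, egress: {trace.output_ifc}): "
            f"{trace.drop_reason}")


if __name__ == "__main__":
    for name, trace_text in (("tcp", TCP_TRACE), ("icmp", ICMP_TRACE)):
        print(name, "->", explain(parse_packet_tracer(trace_text)))
```

Running it prints the dropped TCP flow as "drop at phase 3 ACCESS-LIST (config: Implicit Rule, egress: NP Identity Ifc)" and the ICMP flow as fully allowed, which is exactly the difference worth chasing: the TCP packet is being treated as to-the-box traffic and hits the implicit deny, not an explicit ACE.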
03-07-2020 01:13 AM
Let me lab this up and I shall get back to you.