Cisco ASA Static NAT

Kenneth Goh
Level 1

Please help (refer to the attached diagram): I need client 10.2.6.42 to telnet to 172.16.44.100, and the traffic should be NATed to 172.26.32.5 (R2's loopback interface), so that the telnet lands on R2.

It is not working; not sure whether I missed anything. Thanks in advance.

interface GigabitEthernet0
 nameif inside
 security-level 0
 ip address 10.2.6.22 255.255.255.248
!
interface GigabitEthernet1
 nameif outside
 security-level 0
 ip address 172.16.44.254 255.255.255.0

same-security-traffic permit inter-interface

object network Telnet_172.26.32.5
 host 172.26.32.5

object network Telnet_172.26.32.5
 nat (inside,outside) static 172.16.44.100 service tcp telnet telnet
access-list outside_To_inside extended permit tcp any host 172.26.32.5 eq telnet
access-group outside_To_inside in interface outside

15 Replies

Hi @Kenneth Goh

Is the firewall able to ping 172.26.32.5?

Does R2 have a route to 172.16.44.0?

-If I helped you somehow, please, rate it as useful.-

Is the firewall able to ping 172.26.32.5?

yes

Does R2 have a route to 172.16.44.0?

R2 has a default route to the firewall.

Try running packet-tracer on the ASA.

packet-tracer input [src_int] protocol src_addr src_port dest_addr dest_port [detailed]

packet-tracer input outside tcp 10.2.6.42 1024 172.16.44.100 23 detailed

-If I helped you somehow, please, rate it as useful.-

Unable to establish a telnet session to R2

client#telnet 172.16.44.100
Trying 172.16.44.100 ...
% Connection timed out; remote host not responding

--------------------------------------------------------------------------

ciscoasa# packet-tracer input outside tcp 10.2.6.42 1024 172.16.44.100 23 detailed

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xbc2d21e8, priority=1, domain=permit, deny=false
        hits=14, user_data=0x0, cs_id=0x0, l3_type=0x8
        src mac=0000.0000.0000, mask=0000.0000.0000
        dst mac=0000.0000.0000, mask=0100.0000.0000
        input_ifc=outside, output_ifc=any

Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
object network Telnet_172.26.32.5
 nat (inside,outside) static 172.16.44.100 service tcp telnet telnet
Additional Information:
NAT divert to egress interface inside
Untranslate 172.16.44.100/23 to 172.26.32.5/23

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside_To_inside in interface outside
access-list outside_To_inside extended permit tcp any host 172.26.32.5 eq telnet
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xbb980028, priority=13, domain=permit, deny=false
        hits=1, user_data=0xb9466b40, cs_id=0x0, use_real_addr, flags=0x0, protocol=6
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0
        dst ip/id=172.26.32.5, mask=255.255.255.255, port=23, dscp=0x0
        input_ifc=outside, output_ifc=any

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xbc2d60e0, priority=0, domain=inspect-ip-options, deny=true
        hits=12, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
        input_ifc=outside, output_ifc=any

Phase: 5
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
object network Telnet_172.26.32.5
 nat (inside,outside) static 172.16.44.100 service tcp telnet telnet
Additional Information:
 Forward Flow based lookup yields rule:
 out id=0xbc2dd058, priority=6, domain=nat-reverse, deny=false
        hits=2, user_data=0xbcabb3e0, cs_id=0x0, use_real_addr, flags=0x0, protocol=6
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0
        dst ip/id=172.26.32.5, mask=255.255.255.255, port=23, dscp=0x0
        input_ifc=outside, output_ifc=inside

Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
 Reverse Flow based lookup yields rule:
 in  id=0xbc2a9578, priority=0, domain=inspect-ip-options, deny=true
        hits=3, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
        input_ifc=inside, output_ifc=any

Phase: 7
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 14, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_translate
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Module information for reverse flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_tcp_normalizer
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: allow
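A trace like the one above is easier to compare across repeated runs (for example before and after an ACL change) when it is parsed rather than read by eye. The Python below is an added example, not code from this thread or from Cisco: it parses `packet-tracer ... detailed` output into phases, pulls the UN-NAT translation out of the trace, and reports the first phase that did not ALLOW. The function and class names are my own. Both sample traces are constructed and abbreviated; the second is a hypothetical run in which the ACL permits the mapped address 172.16.44.100 instead of the real address 172.26.32.5, which on ASA 8.3 and later is denied right after UN-NAT because ACLs are evaluated against real addresses (the ACL posted in this thread correctly uses the real address).

```python
"""Parse Cisco ASA `packet-tracer ... detailed` output into phases and give a verdict.
Added example, not code from the thread or from Cisco; both sample traces below are
constructed and abbreviated."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

@dataclass
class Phase:
    number: int
    type: str = ""
    subtype: str = ""
    result: str = ""
    lines: List[str] = field(default_factory=list)  # Config / Additional Information detail

@dataclass
class Trace:
    phases: List[Phase] = field(default_factory=list)
    input_ifc: Optional[str] = None
    output_ifc: Optional[str] = None
    action: Optional[str] = None
    drop_reason: Optional[str] = None

SUMMARY_KEYS = {"input-interface": "input_ifc", "output-interface": "output_ifc",
                "Action": "action", "Drop-reason": "drop_reason"}
UNTRANSLATE_RE = re.compile(r"Untranslate\s+(\S+?)/(\d+)\s+to\s+(\S+?)/(\d+)")

def parse_packet_tracer(text: str) -> Trace:
    """'Phase: N' opens a phase; a bare 'Result:' line opens the final summary block."""
    trace, cur, in_summary = Trace(), None, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key, sep, value = [s.strip() for s in line.partition(":")]
        if key == "Phase" and sep:
            cur = Phase(number=int(value))
            trace.phases.append(cur)
        elif line == "Result:":
            in_summary = True
        elif in_summary:
            if key in SUMMARY_KEYS:
                setattr(trace, SUMMARY_KEYS[key], value.lower() if key == "Action" else value)
        elif cur is not None:
            if sep and key in ("Type", "Subtype", "Result"):
                setattr(cur, key.lower(), value)
            else:
                cur.lines.append(line)
    return trace

def untranslations(trace: Trace) -> List[tuple]:
    """(mapped_ip, mapped_port, real_ip, real_port) reported by every UN-NAT phase."""
    return [m.groups() for p in trace.phases if p.type == "UN-NAT"
            for m in map(UNTRANSLATE_RE.search, p.lines) if m]

def diagnose(trace: Trace) -> str:
    """Where the run ends: the first phase that did not ALLOW, or the summary verdict."""
    drop = next((p for p in trace.phases if p.result.upper() != "ALLOW"), None)
    if drop is None and trace.action == "allow":
        return f"allow: {trace.input_ifc} -> {trace.output_ifc}"
    where = f"phase {drop.number} ({drop.type})" if drop else "summary"
    return f"drop at {where}: {trace.drop_reason or 'no Drop-reason line'}"

# Constructed sample 1: the thread's successful run, abbreviated to two phases.
SAMPLE_ALLOW = """\
Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Additional Information:
Untranslate 172.16.44.100/23 to 172.26.32.5/23

Phase: 2
Type: FLOW-CREATION
Result: ALLOW

Result:
input-interface: outside
output-interface: inside
Action: allow
"""

# Constructed sample 2: ACL written against the mapped IP, evaluated after UN-NAT.
SAMPLE_DROP = """\
Phase: 1
Type: UN-NAT
Result: ALLOW
Additional Information:
Untranslate 172.16.44.100/23 to 172.26.32.5/23

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: DROP
Config:
access-list outside_To_inside extended permit tcp any host 172.16.44.100 eq telnet

Result:
input-interface: outside
output-interface: inside
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""
```

Two things to keep in mind when reading such a trace. First, packet-tracer only tells you what the ASA would do with a packet that really arrives on the named interface; the run above was started on outside, so it says nothing about a client that actually sits behind inside. Second, `Action: allow` is not proof that real traffic got through: the `show nat` output later in this thread reports `translate_hits = 0, untranslate_hits = 0`, which means no real packet had been matched by the rule at all and points at the packets never reaching the outside interface rather than at the NAT statement.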

Perfect. Now try enabling debug on R2 and test again.

terminal monitor

debug telnet

-If I helped you somehow, please, rate it as useful.-

There is no output.

R2#debug telnet
Incoming Telnet debugging is on

show conn

show xlate

show nat

On ASA?

On ASA

ciscoasa# show conn
0 in use, 1 most used
ciscoasa# show xlate
1 in use, 1 most used
Flags: D - DNS, i - dynamic, r - portmap, s - static, I - identity, T - twice
TCP PAT from inside:172.26.32.5 23-23 to outside:172.16.44.100 23-23
    flags sr idle 0:04:58 timeout 0:00:00
ciscoasa# show nat

Auto NAT Policies (Section 2)
1 (inside) to (outside) source static Telnet_172.26.32.5 172.16.44.100   service tcp telnet telnet
    translate_hits = 0, untranslate_hits = 0

The problem may be this:

nat (inside,outside) static 172.16.44.100 service tcp telnet telnet

Looks like the NAT will match the rule if the connection starts from port 23 to port 23.

 PAT from inside:172.26.32.5 23-23 to outside:172.16.44.100 23-23

However, the source port must be any, so that the source port can be any port above 1024 (random ports).

Try to change this and try again.

-If I helped you somehow, please, rate it as useful.-

Tried changing the NAT to the one below and it also doesn't work. I am not sure how I can change the source port; please help.

nat (inside,outside) static 172.16.44.100

Let me correct something I said. Your NAT config was not wrong, sorry. For this version of firewall, leave it as is.

nat (outside,inside) source static <real-ip> <mapped-ip> destination static interface <real-ip> service <real-service> <mapped-service>

NAT must be OK as per the packet trace. But for some reason the packet is not getting to R2.

Can you send me the GNS3 file?
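The `service tcp telnet telnet` clause caused some back and forth above about which ports have to match. The Python below is an added example, not code from this thread or from Cisco: a simplified model of how an ASA 8.3 and later static object NAT with a `service` clause is matched (rule matching only; it does not model the connection table, NAT sections or any other rule). The class and function names are my own, and the rule and packets are constructed to mirror the thread's configuration. It shows that the `service` ports pin the server side only, so the client's ephemeral source port (1024 in the trace) is irrelevant, and that a packet arriving on the real-side interface but addressed to the mapped IP is not untranslated by an (inside,outside) rule at all.

```python
"""Model of how an ASA 8.3+ static object NAT with a `service` clause is matched.
Added example, not code from the thread or from Cisco; models rule matching only,
and the rule and packets are constructed to mirror the thread's configuration."""
from dataclasses import dataclass, replace
from typing import Optional, Tuple

@dataclass(frozen=True)
class Packet:
    ingress: str        # interface the packet arrives on
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"

@dataclass(frozen=True)
class StaticObjectNat:
    """object network X / host REAL_IP
       nat (real_ifc,mapped_ifc) static MAPPED_IP [service PROTO REAL_PORT MAPPED_PORT]"""
    real_ifc: str
    mapped_ifc: str
    real_ip: str
    mapped_ip: str
    proto: Optional[str] = None
    real_port: Optional[int] = None
    mapped_port: Optional[int] = None

    def apply(self, pkt: Packet) -> Optional[Tuple[Packet, str]]:
        """(translated packet, egress interface) if the rule applies, else None.
        The service clause pins the server-side port only: the destination port of
        packets arriving on the mapped interface, and the source port of packets the
        real host sends. The client's ephemeral source port is never examined."""
        if self.proto is not None and pkt.proto != self.proto:
            return None
        # Inbound on the mapped interface to the mapped address: untranslate destination.
        if pkt.ingress == self.mapped_ifc and pkt.dst_ip == self.mapped_ip:
            if self.mapped_port is not None and pkt.dst_port != self.mapped_port:
                return None
            dport = pkt.dst_port if self.real_port is None else self.real_port
            return replace(pkt, dst_ip=self.real_ip, dst_port=dport), self.real_ifc
        # From the real host on the real interface: translate source (static NAT is bidirectional).
        if pkt.ingress == self.real_ifc and pkt.src_ip == self.real_ip:
            if self.real_port is not None and pkt.src_port != self.real_port:
                return None
            sport = pkt.src_port if self.mapped_port is None else self.mapped_port
            return replace(pkt, src_ip=self.mapped_ip, src_port=sport), self.mapped_ifc
        # Anything else, including a packet that arrives on the real interface but is
        # addressed to the mapped IP, is not touched by this rule.
        return None

# The thread's rule: real 172.26.32.5 on inside, mapped 172.16.44.100 on outside, tcp/23 <-> tcp/23.
TELNET_RULE = StaticObjectNat("inside", "outside", "172.26.32.5", "172.16.44.100", "tcp", 23, 23)

def show(pkt: Packet) -> str:
    """Render what TELNET_RULE does to one packet, packet-tracer style."""
    before = f"{pkt.ingress}: {pkt.src_ip}:{pkt.src_port} -> {pkt.dst_ip}:{pkt.dst_port}"
    res = TELNET_RULE.apply(pkt)
    if res is None:
        return f"{before}  no match"
    out, egress = res
    return f"{before}  =>  {out.src_ip}:{out.src_port} -> {out.dst_ip}:{out.dst_port} via {egress}"

if __name__ == "__main__":
    for p in (Packet("outside", "10.2.6.42", 1024, "172.16.44.100", 23),    # the thread's client
              Packet("outside", "10.2.6.42", 1024, "172.16.44.100", 2323),  # wrong mapped port
              Packet("inside", "172.26.32.5", 23, "10.2.6.42", 1024),       # R2 answering from 23
              Packet("inside", "172.26.32.5", 40000, "10.2.6.42", 1024),    # R2 from another port
              Packet("inside", "10.2.6.42", 1024, "172.16.44.100", 23)):    # client on the real side
        print(show(p))
```

The `show xlate` line in the thread, `PAT from inside:172.26.32.5 23-23 to outside:172.16.44.100 23-23`, describes exactly this server-side pinning and is what a correct static port translation looks like; it does not restrict the client. The last case in the list is the one to check against the diagram: if 10.2.6.42 is behind the inside interface, its connection to 172.16.44.100 is routed out to outside without any untranslation, where nothing answers, which would fit the `untranslate_hits = 0` counter shown above; reaching a mapped address from the real host's side needs a separate rule for that interface pair.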

Some problems with GNS3, but I have attached the config files.

Sorry, I can't seem to be able to attach the zip file here.

You need to rename the file and change the extension to .txt.