Solved: Re: Configure Destination NAT on ASA

HAT · ‎10-03-2025

Good Afternoon all ,

I am looking to configure my ASA in such a way that it allows some public IP ranges from the internet to access a private server residing within our internal network ( port 443 ). I would also like the the destination NAT mapping between the outside and the trusted network to use one of our publicly owned IP address instead of the ASA outside interface . Please see details below

External IP addresses : 1.1.1.0/24 , 1.1.2.0/24

ASA outside : 2.2.2.2

ASA Public IP address to be used for NAT : 3.3.3.3

Private sever : 192.168.1.1

I have applied the following configuration however after running the packet tracer input command for validation the traffic appears to be dropped by the implicit ACL

Objects

=====

object network NATIP
host 3.3.3.3

object-group network PUB_IPs

network-object 1.1.1.0 255.255.255.0
network-object 1.1.2.0 255.255.255.0

NAT

===

object network 192.168.1.1
nat (inside,outside) static NATIP service tcp 443 443

ACLs

====

access-list OUTSIDE extended permit tcp object-group PUB_IPs object NATIP eq 443
access-list INSIDE extended permit tcp object-group GITLAB_PUB_IPs host 192.168.1.1 eq 443

Any assistance will be very much appreciated .

Thank you in advance

Rob Ingram · ‎10-03-2025

@HAT the ACL needs to use the real IP address (192.168.1.1) of the server, not the NAT ip address.

View solution in original post

Rob Ingram · ‎10-07-2025

@HAT in the packet-tracer specify the destination IP address as the NAT ip address (not the real IP), as the connection would be to the NAT IP - this would subsequently be untranslated.

Have you actually tried making an actual connection from the internet?

View solution in original post

Rob Ingram · ‎10-03-2025

@HAT the ACL needs to use the real IP address (192.168.1.1) of the server, not the NAT ip address.

HAT · ‎10-03-2025

@Rob Ingram Thank you for the quick feedback . I will update the configuration and let you know

HAT · ‎10-07-2025

I have implemented the policy but it looks like it is now failing the rfp check . Does that mean that the return traffic is not using the same interface the original packets arrived on ? Please see below

Phase: 7
Type: NAT
Subtype: rpf-check
Result: DROP
Elapsed time: 7434 ns
Config:
nat (inside,outside) source dynamic SERVERS interface
Additional Information:

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Time Taken: 38940 ns
Drop-reason: (acl-drop) Flow is denied by configured rule, Drop-location: frame snp_sp_handle_flow_drop:4208 flow (NA)/NA

Rob Ingram · ‎10-07-2025

@HAT is it matching a different NAT rule - "nat (inside,outside) source dynamic SERVERS interface" - which is different to the NAT rule in your original post.

What was the syntax of the packet-tracer you run? Provide the full output please.

HAT · ‎10-07-2025

Do you suggest that the NAT rule I have configured nat (inside,outside) static NATIP service tcp 443 is being overshadowed by nat (inside,outside) source dynamic SERVERS interface.

ftd3105# packet-tracer input outside tcp 1.1.1.1 12345 192.168.1.1 443

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Elapsed time: 8142 ns
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: ROUTE-LOOKUP
Subtype: No ECMP load balancing
Result: ALLOW
Elapsed time: 7788 ns
Config:
Additional Information:
Destination is locally connected. No ECMP load balancing.
Found next-hop 192.168.1.1 using egress ifc inside

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Elapsed time: 7552 ns
Config:
access-group OUTSIDE in interface outside
access-list OUTSIDE extended permit tcp object-group PUB_IPs host 192.168.1.1 eq https
object-group network PUB_IPs
network-object 1.1.1.0 255.255.255.0
network-object 1.1.2.0 255.255.255.0
Additional Information:

Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Elapsed time: 7552 ns
Config:
Additional Information:

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Elapsed time: 7552 ns
Config:
Additional Information:

Phase: 6
Type: FOVER
Subtype: standby-update
Result: ALLOW
Elapsed time: 8496 ns
Config:
Additional Information:

Phase: 7
Type: NAT
Subtype: rpf-check
Result: DROP
Elapsed time: 18054 ns
Config:
nat (inside,outside) source dynamic SERVERS interface
Additional Information:

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Time Taken: 65136 ns
Drop-reason: (acl-drop) Flow is denied by configured rule, Drop-location: frame snp_sp_handle_flow_drop:4208 flow (NA)/NA

Rob Ingram · ‎10-07-2025

@HAT in the packet-tracer specify the destination IP address as the NAT ip address (not the real IP), as the connection would be to the NAT IP - this would subsequently be untranslated.

Have you actually tried making an actual connection from the internet?

HAT · ‎10-08-2025

@Rob Ingram The packet-tracer command is confirming that traffic is being allowed when using The NAT IP as destination . Will let test from the Internet and let you know .

Thank you for all the assistance