
destination NAT problem

I am having a weird issue. I am trying to put my DMZ VM on the outside with 1:1 NAT.

It cannot hit the NAT rule. Internally, the server is working fine. I have already disabled the firewall on the VM.

For the external side, I put my own computer on the public IP address, and that IP is working fine without the FW.

Does anyone have any idea how to troubleshoot this problem?

nat (DMZ,outside) source static stoneraft-linux stoneraft-out

access-list 103 extended permit tcp any object stoneraft-linux

object network stoneraft-linux
 host 192.168.27.137

object network stoneraft-out
 host 8.8.8.8

Hi,

Static NAT example:

object network stoneraft-linux
 host 192.168.27.137
 nat (dmz,outside) static 8.8.8.8

access-list 103 extended permit tcp any host 192.168.27.137

HTH

I got 0 hits on this NAT rule.

Mike.Cifelli
VIP Alumni
If you are trying to do source only nat it should look something like this:
nat (DMZ,outside) source static <srcIP> <mappedIP>
For future troubleshooting I would recommend running a packet-tracer from CLI that may better assist you with troubleshooting your issue.
packet-tracer input DMZ tcp 192.168.27.137 12345 8.8.8.8 80

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         outside

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group DMZ_access_in in interface DMZ
access-list DMZ_access_in extended permit ip any any 
Additional Information:

Phase: 3
Type: NAT
Subtype: 
Result: ALLOW
Config:
nat (TTN-DMZ,outside) source static stoneraft-linux stoneraft-out
Additional Information:
Static translate 192.168.27.137/22 to 8.8.8.8/22

Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: IP-OPTIONS
Subtype: 
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (TTN-DMZ,outside) source static stoneraft-linux stoneraft-out
Additional Information:

Phase: 7      
Type: USER-STATISTICS
Subtype: user-statistics
Result: ALLOW
Config:
Additional Information:

Result:
input-interface: TTN-DMZ
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (sp-security-failed) Slowpath security checks failed

That output looks like your NAT rule worked:
Static translate 192.168.27.137/22 to 8.8.8.8/22

Not sure why you would translate to 8.8.8.8 though. What is the exact goal you are trying to accomplish?
#sh xlate -->shows NAT translations
#sh nat -->shows NAT counters
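
Added example, not part of any poster's reply and not Cisco code: a small Python parser for the packet-tracer text posted above that reports the final Action and Drop-reason next to the NAT phase result, since a trace can show Result: ALLOW in every phase and still end in a drop. The sample input is constructed by abridging the posted trace, and the function names are hypothetical.

```python
import re

# Constructed sample: abridged from the packet-tracer output posted in this thread.
SAMPLE = """\
Phase: 3
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (TTN-DMZ,outside) source static stoneraft-linux stoneraft-out
Additional Information:
Static translate 192.168.27.137/22 to 8.8.8.8/22

Result:
input-interface: TTN-DMZ
Action: drop
Drop-reason: (sp-security-failed) Slowpath security checks failed
"""

def parse_packet_tracer(text):
    """Split ASA packet-tracer text into per-phase dicts and the final verdict."""
    phases, verdict, cur = [], {}, None
    for line in map(str.strip, text.splitlines()):
        m = re.match(r"([A-Za-z-]+):\s*(.*)$", line)
        key, val = (m.group(1).lower(), m.group(2)) if m else (None, None)
        if key == "phase":
            cur = {"phase": int(val), "notes": []}
            phases.append(cur)
        elif line == "Result:":           # bare "Result:" opens the summary block
            cur = None
        elif cur is not None and key in ("type", "subtype", "result"):
            cur[key] = val
        elif cur is None and key and phases:
            verdict[key] = val
        elif cur is not None and line and not m and line != "Additional Information:":
            cur["notes"].append(line)     # config lines and translate messages
    return phases, verdict

def summarize(text):
    phases, verdict = parse_packet_tracer(text)
    nat = [n for p in phases if p.get("type") == "NAT"
           for n in p["notes"] if "translate" in n]
    return {  # final action reported together with the NAT phase result
        "action": verdict.get("action"),
        "drop_reason": verdict.get("drop-reason"),
        "nat_translations": nat,
        "non_allow_phases": [p["phase"] for p in phases if p.get("result") != "ALLOW"],
        "nat_matched_but_dropped": bool(nat) and verdict.get("action") == "drop",
    }
```

Calling `summarize()` on a saved trace gives one dictionary per test run, which makes it easy to compare the DMZ-to-outside trace with one run in the other direction.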

8.8.8.8 is an example; just in case, I don't want to send my public IP everywhere.

ASA# sh xlate local 192.168.27.137
1104 in use, 5491 most used
Flags: D - DNS, e - extended, I - identity, i - dynamic, r - portmap,
       s - static, T - twice, N - net-to-net
NAT from DMZ:192.168.27.137 to outside:8.8.8.8
    flags sT idle 0:02:25 timeout 0:00:00
	

ASA# sh nat 192.168.27.137  detail 
Manual NAT Policies (Section 1)
1 (DMZ) to (outside) source static stoneraft-linux stoneraft-out  
    translate_hits = 284, untranslate_hits = 5
    Source - Origin: 192.168.27.137/32, Translated: 8.8.8.8/32
	
ASA# sh nat 192.168.27.137  translated 8.8.8.8
Manual NAT Policies (Section 1)
1 (DMZ) to (outside) source static stoneraft-linux stoneraft-out  
    translate_hits = 284, untranslate_hits = 5

Cool so you are working now! Enjoy!

It still does not work, same issue. Do you have any idea?
