Re: destination NAT problem

yeharold94@gmail.com · ‎07-02-2019

I am having a wired issue, I am trying to put my DMZ VM to outside do 1:1 NAT.

It can not hit the NAT rule. For internal, the server is working fine. I disable the firewall of VM already.

for the external, I put myself computer on the public IP address. and that IP is working fine without the FW.

Does anyone have any idea how to troubleshoot this problem?

nat (DMZ,outside) source static stoneraft-linux stoneraft-out

access-list 103 extended permit tcp any object stoneraft-linux

object network stoneraft-linux
 host 192.168.27.137

object network stoneraft-out
 host 8.8.8.8

Rob Ingram · ‎07-02-2019

Hi,

Static NAT example:-

object network stoneraft-linux
 host 192.168.27.137
 nat (dmz,outside) static 8.8.8.8

access-list 103 extended permit tcp any host 192.168.27.137

HTH

yeharold94@gmail.com · ‎07-02-2019

I got 0 hit on this NAT rule

Mike.Cifelli · ‎07-02-2019

If you are trying to do source only nat it should look something like this:
nat (DMZ,outside) source static <srcIP><mappedIP>
For future troubleshooting I would recommend running a packet-tracer from CLI that may better assist you with troubleshooting your issue.
packet-tracer input DMZ tcp 192.168.27.137 12345 8.8.8.8 80

yeharold94@gmail.com · ‎07-02-2019

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         outside

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group DMZ_access_in in interface DMZ
access-list DMZ_access_in extended permit ip any any 
Additional Information:

Phase: 3
Type: NAT
Subtype: 
Result: ALLOW
Config:
nat (TTN-DMZ,outside) source static stoneraft-linux stoneraft-out
Additional Information:
Static translate 192.168.27.137/22 to 8.8.8.8/22

Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: IP-OPTIONS
Subtype: 
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (TTN-DMZ,outside) source static stoneraft-linux stoneraft-out
Additional Information:

Phase: 7      
Type: USER-STATISTICS
Subtype: user-statistics
Result: ALLOW
Config:
Additional Information:

Result:
input-interface: TTN-DMZ
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (sp-security-failed) Slowpath security checks failed

Mike.Cifelli · ‎07-02-2019

That output looks like your NAT rule worked:
Static translate 192.168.27.137/22 to 8.8.8.8/22

Not sure why you would translate to 8.8.8.8 though. What is the exact goal you are trying to accomplish?
#sh xlate -->shows NAT translations
#sh nat -->shows NAT counters

yeharold94@gmail.com · ‎07-03-2019

8.8.8.8 is an example, just in case, I don't want to send my public IP to everywhere.

ASA# sh xlate local 192.168.27.137
1104 in use, 5491 most used
Flags: D - DNS, e - extended, I - identity, i - dynamic, r - portmap,
       s - static, T - twice, N - net-to-net
NAT from DMZ:192.168.27.137 to outside:8.8.8.8
    flags sT idle 0:02:25 timeout 0:00:00
	

ASA# sh nat 192.168.27.137  detail 
Manual NAT Policies (Section 1)
1 (DMZ) to (outside) source static stoneraft-linux stoneraft-out  
    translate_hits = 284, untranslate_hits = 5
    Source - Origin: 192.168.27.137/32, Translated: 8.8.8.8/32
	
ASA# sh nat 192.168.27.137  translated 8.8.8.8
Manual NAT Policies (Section 1)
1 (DMZ) to (outside) source static stoneraft-linux stoneraft-out  
    translate_hits = 284, untranslate_hits = 5

Mike.Cifelli · ‎07-03-2019

Cool so you are working now! Enjoy!

yeharold94@gmail.com · ‎07-03-2019

still not works, same issue. do you have any idea?