External NAT getting blocked

davidblumberg
Level 1

We have a user trying to access a local machine from the Internet, and they are getting blocked by our ASA firewall. We can access the internal machine from inside the network. Our NAT statements are getting blocked as follows:

Commands

object network obj_192.168.1.20
   host 192.168.1.20
   nat (inside,outside) static 174.78.221.138 service tcp 4570 4570

access-list outside_access_in extended permit tcp any host 192.168.1.20 eq https
access-list outside_access_in extended permit tcp any host 192.168.1.20 eq www
access-list outside_access_in extended permit tcp any host 192.168.1.20 eq 4570

Trace

befw# packet-tracer input outside tcp 8.8.8.8 1234 192.168.1.20 4570

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 192.168.1.0 255.255.255.0 inside

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside_access_in in interface outside
access-list outside_access_in extended permit tcp any host 192.168.1.20 eq 4570
Additional Information:

Phase: 3
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
object network obj_192.168.1.20
nat (inside,outside) static 174.78.8.xxx service tcp 4570 4570
Additional Information:

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule


Francesco Molino
VIP Alumni

Hi

Could you run your packet-tracer again, but using your public IP instead of the 192.168 IP?

Could you paste the output you have?

Thanks
Francesco

PS: Please don't forget to rate and mark as correct answer if this answered your question

So it looks like it is hitting a NAT before this one that takes precedence. Any suggestions?

fw# packet-tracer input outside tcp 8.8.8.8 1234 174.78.8.xxx 4558

Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
object network 1.25
nat (inside,outside) static 1.25-ext
Additional Information:
NAT divert to egress interface inside
Untranslate 174.78.221.138/4558 to 192.168.1.25/4558

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

Hi

The internal IP shown in the output ends in 25, while the ACL in your first post shows an IP ending in 20.

Could you please attach your config (remove all confidential stuff)?

Thanks
Francesco

PS: Please don't forget to rate and mark as correct answer if this answered your question
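The two traces in this thread show the two things to check before reading a packet-tracer drop. In the first trace the packet was sent from outside to the real address 192.168.1.20, so no UN-NAT phase ran and the flow died in the NAT rpf-check (note that the final Drop-reason still says acl-drop, so the dropping phase is the useful line, not the summary). In the second trace the public address was used, but on port 4558, while the NAT rule and ACL in the first post cover port 4570; a port-specific static cannot match 4558, so the 1:1 static for 192.168.1.25 untranslated it and the ACL's implicit deny dropped it. Re-running the second trace with port 4570 shows whether the port-specific rule is selected. The script below is an added example, not code from the thread or from Cisco: it parses packet-tracer output into phases, reports the dropping phase and rule, the UN-NAT result, and those two mistakes. The embedded traces are abridged copies of the ones posted above, with the poster's masked address 174.78.8.xxx left as-is (the parser treats an unparseable address as public).

```python
# Added example (not from the thread): triage Cisco ASA packet-tracer output.
import ipaddress
import re

CMD_RE = re.compile(r"packet-tracer input (?P<iface>\S+) \S+ \S+ \d+ (?P<dst>\S+) (?P<dport>\d+)")
SERVICE_RE = re.compile(r"\bstatic \S+ service \w+ (?P<real>\d+) (?P<mapped>\d+)")


def parse_trace(text):
    """Split packet-tracer output into a list of phase dicts plus the final Result dict."""
    phases, result, cur, section = [], {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Phase:"):
            cur = {"num": int(line.split(":")[1]), "config": [], "info": []}
            phases.append(cur)
            section = None
        elif line == "Result:":  # bare header of the final summary block
            cur, section = None, "result"
        elif section == "result":
            key, _, val = line.partition(":")
            result[key.strip().lower()] = val.strip()
        elif cur is None:
            continue
        elif line == "Config:":
            section = "config"
        elif line == "Additional Information:":
            section = "info"
        elif section in ("config", "info"):
            cur[section].append(line)
        else:  # Type:, Subtype:, Result: lines inside a phase
            key, _, val = line.partition(":")
            cur[key.strip().lower()] = val.strip()
    return phases, result


def is_private(addr):
    """RFC 1918 check; masked addresses such as 174.78.8.xxx count as public."""
    try:
        return ipaddress.ip_address(addr).is_private
    except ValueError:
        return False


def triage(cmd, trace_text, nat_rules=()):
    """Return findings: UN-NAT result, dropping phase and rule, two common trace mistakes."""
    phases, result = parse_trace(trace_text)
    m = CMD_RE.search(cmd)
    findings = []
    for p in phases:
        findings += [i for i in p["info"] if i.startswith("Untranslate")]
        if p.get("result") == "DROP":
            rule = p["config"][-1] if p["config"] else "no rule shown"
            findings.append(f"dropped in phase {p['num']} {p.get('type')}/{p.get('subtype') or '-'}: {rule}")
    if m and m["iface"] == "outside" and is_private(m["dst"]) and not any(p.get("type") == "UN-NAT" for p in phases):
        findings.append("private destination and no UN-NAT phase: re-run the trace against the mapped public address")
    for rule in nat_rules:
        s = SERVICE_RE.search(rule)
        if m and s and s["mapped"] != m["dport"]:
            findings.append(f"port-forward rule maps port {s['mapped']} but the trace used port {m['dport']}")
    findings.append(f"final action: {result.get('action')} {result.get('drop-reason', '')}".strip())
    return findings


# Sample input: the two traces posted in the thread, abridged to the relevant phases.
TRACE1_CMD = "packet-tracer input outside tcp 8.8.8.8 1234 192.168.1.20 4570"
TRACE1 = """Phase: 6
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
object network obj_192.168.1.20
nat (inside,outside) static 174.78.8.xxx service tcp 4570 4570
Result:
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""
TRACE2_CMD = "packet-tracer input outside tcp 8.8.8.8 1234 174.78.8.xxx 4558"
TRACE2 = """Phase: 1
Type: UN-NAT
Result: ALLOW
Config:
object network 1.25
nat (inside,outside) static 1.25-ext
Additional Information:
Untranslate 174.78.221.138/4558 to 192.168.1.25/4558
Phase: 2
Type: ACCESS-LIST
Result: DROP
Config:
Implicit Rule
Result:
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""
NAT_RULES = ["nat (inside,outside) static 174.78.221.138 service tcp 4570 4570"]  # from the first post
```

Calling triage(TRACE1_CMD, TRACE1, NAT_RULES) reports the NAT/rpf-check drop together with the "private destination and no UN-NAT phase" warning; triage(TRACE2_CMD, TRACE2, NAT_RULES) reports the untranslation to 192.168.1.25, the implicit-rule ACL drop, and the 4570-versus-4558 port mismatch. For a real case, paste the full "show running-config nat" rules into nat_rules and feed the unabridged tracer output; the parser ignores phases it does not recognise.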