11-10-2015 06:32 AM - edited 03-11-2019 11:51 PM
Hi All,
I am facing a problem with NAT. We have configured the NAT below.
nat (IPLC-IN,OfficeNet-OUT) source static obj-10.1.146.67 obj-59.160.46.182
object network obj-59.160.46.182
host 59.160.46.182
object network obj-10.1.146.67
host 10.1.146.67
but it is not working. The routing part is okay. Below is the packet-tracer command output for the same.
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 10.1.146.0 255.255.255.0 IPLC-IN
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 OfficeNet-OUT
Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group OfficeNet_Jan2015 in interface OfficeNet-OUT
access-list OfficeNet_Jan2015 extended permit tcp host 139.7.35.19 host 10.1.146.67 range 51500 51501
Additional Information:
Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 6
Type: FOVER
Subtype: standby-update
Result: ALLOW
Config:
Additional Information:
Phase: 7
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
nat (IPLC-IN,OfficeNet-OUT) source static obj-10.1.146.67 obj-59.160.46.182
Additional Information:
Result:
input-interface: OfficeNet-OUT
input-status: up
input-line-status: up
output-interface: IPLC-IN
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
pri/DAMUF6-FW5550/IPLC-FW/act#
Output of sh run nat:
pri/DAMUF6-FW5550/IPLC-FW/act# sh run nat
nat (IPLC-IN,OfficeNet-OUT) source static obj-10.1.146.67 obj-59.160.46.182
nat (IPLC-IN,OfficeNet-OUT) source static obj-10.1.16.80 obj-59.160.46.181
nat (IPLC-IN,OfficeNet-OUT) source static obj-10.1.146.196 obj-59.160.46.183
nat (IPLC-IN,OfficeNet-OUT) source static obj-10.2.2.95 obj-59.160.46.186
Please help me out to solve this.
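As an added example (not code from the thread), a small Python parser for the packet-tracer output format shown above: it splits the output into phases, reports the first phase that dropped the flow, and for a NAT drop pulls the interface pair and real/mapped objects out of the rule in that phase's Config section. The SAMPLE string is a constructed excerpt of the output in the post.

```python
import re
# Constructed excerpt of the packet-tracer output quoted in the post (phases 4 and 7 plus the summary).
SAMPLE = """Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 7
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
nat (IPLC-IN,OfficeNet-OUT) source static obj-10.1.146.67 obj-59.160.46.182
Additional Information:
Result:
Drop-reason: (acl-drop) Flow is denied by configured rule
"""
NAT_RE = re.compile(r"nat \((\S+),(\S+)\) source static (\S+) (\S+)")

def parse_packet_tracer(text):
    # Returns (phases, summary): one dict per "Phase: N" block, plus the trailing "Result:" block.
    phases, summary, cur, in_config = [], {}, None, False
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("Phase:"):
            phases.append(cur := {"phase": int(line.split(":", 1)[1]), "config": []})
            in_config = False
        elif line == "Result:":            # a bare 'Result:' opens the final summary block
            cur, in_config = None, False
        elif line in ("Config:", "Additional Information:"):
            in_config = line == "Config:"  # Config lines list the rule that matched this phase
        elif in_config and cur:
            cur["config"].append(line)
        elif ":" in line:
            key, val = line.split(":", 1)
            (summary if cur is None else cur)[key.strip().lower()] = val.strip()
    return phases, summary

def diagnose(text):
    # Reports the first DROP phase; for a NAT drop, extracts the rule's interfaces and real/mapped objects.
    phases, summary = parse_packet_tracer(text)
    drop = next((p for p in phases if p.get("result") == "DROP"), None)
    if drop is None: return {"dropped": False}
    report = {"dropped": True, "phase": drop["phase"], "type": drop.get("type", ""),
              "subtype": drop.get("subtype", ""), "reason": summary.get("drop-reason", "")}
    nat = next((m for m in map(NAT_RE.match, drop["config"]) if m), None)
    if nat:  # rpf-check compares this flow's reverse lookup against the same rule and interface pair
        report.update(zip(("real_if", "mapped_if", "real_obj", "mapped_obj"), nat.groups()))
    return report
```

Running diagnose(SAMPLE) on the excerpt points at phase 7 (NAT rpf-check) and shows that the flow tested on OfficeNet-OUT must reverse-map through obj-59.160.46.182 to obj-10.1.146.67 on IPLC-IN, which is what to compare against the packet-tracer arguments and any earlier nat line in sh run nat.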
11-10-2015 06:49 AM
From the outputs attached I understand that you are trying to test traffic from outside to inside to test the static NAT configuration. (Correct me if my understanding is wrong.)
Can you share the packet-tracer command that you are using?
What is the ASA OS version on your firewall?
For testing purposes you can try to create a manual NAT for the specific traffic and place it on top, so that you can verify whether there is some other rule which is conflicting with this NAT.
Thanks,
RS
12-04-2015 06:16 AM
Just wanted to mention that I think rpf-check is happening to make sure your outgoing and incoming traffic are both using the same interface.
That is something to check.
Thank you,