7369 Views, 25 Helpful, 12 Replies

FMC/FTD NAT

benolyndav
Level 8

Hi

Does anyone have any suggestions on why I am getting NAT failures on FTD? I have configured a rule allowing the WLC inside to outside on ports 16666/16667 and ETHIP(97).

The WLC is part of a NAT rule NATing all RFC 1918 addresses to an address.

Thanks

12 Replies

Marius Gunnerud
VIP Alumni

What is your end-goal with NATing the WLC to 16666/16667/ETHIP(97) ? 

Are you NATing the source or the destination IP?

Are you trying to access the WLC over these ports or is it a requirement that the WLC connects to an external host with those ports as destination?

--
Please remember to select a correct answer and rate helpful posts

Hi Marius

I'm trying to bring a tunnel up between our WLC and a 3rd-party WLC where an FTD sits in the middle. The NATing is there because the WLC has a private address. I have configured the new member in the mobility group on the WLC but was getting xlate failed messages on the FTD.

Thanks

Hi, from FTD CLISH share the output of show nat interface (source_inter) det. Also, make sure that in the NAT config you don't use the no-proxy or route options.

NAT should work as one-to-one for mobility. PAT won't work as you know.

***** please remember to rate useful posts

Hi

I thought that was the issue; I will try later. One more thing: can I use the same IP address for my static NAT rule that is also being used in a PAT rule?

Thanks

ASA used to allow it with warning but FTD/FMC won't accept it.

**** please remember to rate useful posts

Hi

I've got a bit further with this but am getting an RPF drop. Can anyone advise why, and where to troubleshoot this?

Phase: 14
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
nat (inside,outside) source static WLC-TEST NAT-WLC-to-NHSP-WLC destination static NHSP-WLC NHSP-WLC
Additional Information:
Forward Flow based lookup yields rule:
out id=0xfe8c571a30, priority=6, domain=nat-reverse, deny=false
        hits=19, user_data=0xffa9818ba0, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
        src ip/id=x.x.x.x, mask=255.255.255.255, port=0, tag=any
        dst ip/id=x.x.x.x, mask=255.255.255.255, port=0, tag=any, dscp=0x0
        input_ifc=-outside, output_ifc=inside

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule, Drop-location: frame 0x000000aab9cad0ec flow (nat-rpf-failed)/snp_sp_action_cb:1140

Often this message in packet-tracer is because of the wrong use of source/destination IPs in packet-tracer or the wrong input interface. Could you post the packet-tracer command you used as well as the objects used in the NAT statement? If there are public IPs, please x out the first 3 octets.

--
Please remember to select a correct answer and rate helpful posts

Hi

> packet-tracer input outside udp 10.138.192.65 16666 192.168.2.200 16666 detailed

nat (inside,outside) source static WLC-TEST NAT-WLC-to-NHSP-WLC destination static NHSP-WLC NHSP-WLC

3rd party NAT address 10.138.192.65
our internal WLC address 192.168.2.200
The NAT address is 10.157.228.45

since you are NATing your internal IP then your packet-tracer from the outside towards the inside should specify your NAT IP

> packet-tracer input outside udp 10.138.192.65 16666 10.157.228.45 16666 detailed

--
Please remember to select a correct answer and rate helpful posts
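
The point in the reply above, as an added model that is not Cisco's code and not the poster's: a small Python simulation of how this thread's twice-NAT rule is matched for a packet entering on outside, including the rpf-check, run against both packet-tracer commands from the thread. The phase logic is a simplified model of ASA/FTD behaviour (an assumption), and the object-to-address mapping (WLC-TEST, NAT-WLC-to-NHSP-WLC, NHSP-WLC) is taken from the poster's own reply.

```python
"""Simplified model of ASA/FTD twice-NAT matching for an inbound packet,
including the rpf-check that produced the nat-rpf-failed drop in this thread.
Constructed example: addresses and object names come from the thread."""
from dataclasses import dataclass
import shlex


@dataclass(frozen=True)
class TwiceNatRule:
    # nat (inside,outside) source static WLC-TEST NAT-WLC-to-NHSP-WLC destination static NHSP-WLC NHSP-WLC
    real_src: str    # WLC-TEST            = 192.168.2.200 (internal WLC)
    mapped_src: str  # NAT-WLC-to-NHSP-WLC = 10.157.228.45 (NAT address)
    dst: str         # NHSP-WLC            = 10.138.192.65 (3rd-party WLC, identity NAT)


def forward_translate(rule, src, dst):
    """inside -> outside: the real source is rewritten to its mapped address."""
    if src == rule.real_src and dst == rule.dst:
        return rule.mapped_src, dst
    return None


def inbound_nat(rule, src, dst):
    """outside -> inside: NAT phase (domain=nat-reverse) followed by rpf-check."""
    if src != rule.dst:
        return "no NAT match"
    # Untranslate the destination: only the mapped address maps back to the real host.
    real_dst = rule.real_src if dst == rule.mapped_src else dst
    # rpf-check: the reply (real_dst -> src) must forward-translate to exactly the
    # address this packet was sent to; otherwise the flow is asymmetric and dropped.
    fwd = forward_translate(rule, real_dst, src)
    if fwd is None or fwd[0] != dst:
        return "DROP (nat-rpf-failed)"
    return f"ALLOW, destination untranslated to {real_dst}"


def simulate_packet_tracer(rule, command):
    """Parse 'packet-tracer input <ifc> <proto> <src> <sport> <dst> <dport> [detailed]'."""
    parts = shlex.split(command.lstrip("> "))
    ifc, src, dst = parts[2], parts[4], parts[6]
    if ifc != "outside":
        raise ValueError("this model only covers packets entering on outside")
    return inbound_nat(rule, src, dst)


RULE = TwiceNatRule("192.168.2.200", "10.157.228.45", "10.138.192.65")

if __name__ == "__main__":
    for cmd in ("> packet-tracer input outside udp 10.138.192.65 16666 192.168.2.200 16666 detailed",
                "> packet-tracer input outside udp 10.138.192.65 16666 10.157.228.45 16666 detailed"):
        print(cmd, "->", simulate_packet_tracer(RULE, cmd))
```

The first command (real inside address as destination) reproduces the nat-rpf-failed drop; the second (mapped address as destination) passes, which is why the inbound trace must target the NAT IP.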

I would assume that this is bi-directional traffic, meaning the 3rd-party WLC will also be initiating traffic towards your WLC. If this is the case then I agree with Mohammed that you need a static 1-to-1 NAT for this connection. If you still get the error after the change, then please post the exact error message you are getting along with a full running config (remember to remove any public IPs, usernames and passwords), and the show nat output.

--
Please remember to select a correct answer and rate helpful posts

 
