06-17-2020 05:21 PM
I have the below topology.
What I'm trying to do is forward traffic coming from 192.168.1.73 destined for 192.168.1.222 port 53 to 10.1.5.1. Ideally, I'd like the firewall to keep the source IP intact on the request. When 192.168.1.73 sends a request to 192.168.1.222 and the firewall forwards that request to 10.1.5.1, the source IP of 192.168.1.73 shouldn't change. For the response, I'd like the source IP to be replaced with the firewall's IP. When 10.1.5.1 responds to 192.168.1.73, the firewall should replace the source IP with its own (192.168.1.222).
I've tried a variety of nat statements to get this to work, but none have. There's an inbound ACL applied to the outside interface (from-outside). However, I never see a hit count on line 1. When I do a debug on the firewall and attempt a request, I see the below.
%ASA-7-710005: UDP request discarded from 192.168.1.73/51572 to outside:192.168.1.222/53
I've never really used the packet-tracer feature, but it's indicating that the traffic isn't allowed.
fw1# packet-tracer input outside udp 192.168.1.73 51572 192.168.1.222 53

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   192.168.1.222   255.255.255.255   identity

Phase: 2
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
Below is the configuration of the firewall, including the model and version.
fw1# sh run
: Saved
:
: Hardware:   ASA5520, 2048 MB RAM, CPU Pentium 4 Celeron 2000 MHz
:
ASA Version 9.1(7)32
!
hostname fw1
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
names
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 192.168.1.222 255.255.255.0
!
interface GigabitEthernet0/1
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/1.5
 vlan 5
 nameif inside
 security-level 0
 ip address 10.1.5.254 255.255.255.0
!
interface GigabitEthernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 no nameif
 no security-level
 no ip address
!
ftp mode passive
dns domain-lookup outside
dns server-group DefaultDNS
 domain-name home.local
same-security-traffic permit inter-interface
object service dns-traffic
 service udp destination eq domain
object-group network nat-inside-to-outside
 network-object 10.0.0.0 255.0.0.0
object-group network dns-server-ip
 network-object host 10.1.5.1
access-list from-outside extended permit udp any any eq domain
access-list from-outside extended deny ip any any log notifications
access-list from-inside extended permit udp any any eq domain
access-list from-inside extended deny ip any any log errors
pager lines 24
logging enable
logging timestamp
logging buffer-size 500000
logging console warnings
logging monitor warnings
logging buffered warnings
mtu outside 1500
mtu inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static dns-server-ip interface service dns-traffic dns-traffic
nat (inside,outside) source dynamic nat-inside-to-outside interface
access-group from-outside in interface outside
access-group from-inside in interface inside
route outside 0.0.0.0 0.0.0.0 192.168.1.254 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
no snmp-server location
no snmp-server contact
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh stricthostkeycheck
ssh timeout 60
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect icmp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Any help is appreciated. Thanks.