Forward Traffic on ASA

nonamer15
Level 1

I have the below topology.

[Image: topo.jpg]

What I'm trying to do is forward traffic coming from 192.168.1.73 destined for 192.168.1.222 port 53 to 10.1.5.1. Ideally, I'd like the firewall to keep the source IP intact on the request. When 192.168.1.73 sends a request to 192.168.1.222 and the firewall forwards that request to 10.1.5.1, the source IP of 192.168.1.73 shouldn't change. For the response, I'd like the source IP to be replaced with the firewall's IP. When 10.1.5.1 responds to 192.168.1.73, the firewall should replace the source IP with its own (192.168.1.222).


I've tried a variety of nat statements to get this to work, but none have. There's an inbound ACL applied to the outside interface (from-outside). However, I never see a hit count on line 1. When I do a debug on the firewall and attempt a request, I see the below.

%ASA-7-710005: UDP request discarded from 192.168.1.73/51572 to outside:192.168.1.222/53


I've never really used the packet-tracer feature, but it's indicating that the traffic isn't allowed.

fw1# packet-tracer input outside udp 192.168.1.73 51572 192.168.1.222 53 

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   192.168.1.222   255.255.255.255 identity

Phase: 2
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 3
Type: ACCESS-LIST
Subtype: 
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule


Below is the configuration of the firewall, including the model and version.

fw1#  sh run
: Saved
: 
: Hardware:   ASA5520, 2048 MB RAM, CPU Pentium 4 Celeron 2000 MHz
:
ASA Version 9.1(7)32 
!
hostname fw1
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
names
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 192.168.1.222 255.255.255.0 
!             
interface GigabitEthernet0/1
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/1.5
 vlan 5
 nameif inside
 security-level 0
 ip address 10.1.5.254 255.255.255.0 
!
interface GigabitEthernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 no nameif
 no security-level
 no ip address
!
ftp mode passive
dns domain-lookup outside
dns server-group DefaultDNS
 domain-name home.local
same-security-traffic permit inter-interface
object service dns-traffic
 service udp destination eq domain 
object-group network nat-inside-to-outside
 network-object 10.0.0.0 255.0.0.0
object-group network dns-server-ip
 network-object host 10.1.5.1
access-list from-outside extended permit udp any any eq domain 
access-list from-outside extended deny ip any any log notifications 
access-list from-inside extended permit udp any any eq domain 
access-list from-inside extended deny ip any any log errors 
pager lines 24
logging enable
logging timestamp
logging buffer-size 500000
logging console warnings
logging monitor warnings
logging buffered warnings
mtu outside 1500
mtu inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static dns-server-ip interface service dns-traffic dns-traffic
nat (inside,outside) source dynamic nat-inside-to-outside interface
access-group from-outside in interface outside
access-group from-inside in interface inside
route outside 0.0.0.0 0.0.0.0 192.168.1.254 1 
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL 
no snmp-server location
no snmp-server contact
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh stricthostkeycheck
ssh timeout 60
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect ip-options 
  inspect netbios 
  inspect rsh 
  inspect rtsp 
  inspect skinny  
  inspect esmtp 
  inspect sqlnet 
  inspect sunrpc 
  inspect tftp 
  inspect sip  
  inspect xdmcp 
  inspect icmp 
!
service-policy global_policy global
prompt hostname context 
no call-home reporting anonymous


Any help is appreciated. Thanks.
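Added example (not part of the original post): a small parser for ASA packet-tracer output that splits the trace into its phases and reports which phase dropped the flow and why, so the verdict in a trace like the one above can be picked out quickly or compared across runs after a NAT or ACL change. The sample trace is a constructed, condensed copy of the output shown in the question; the parser assumes free-text lines inside a phase (for example "Implicit Rule" or a route entry) contain no colon, which holds for IPv4 traces.

```python
import re
# Constructed sample, condensed from the packet-tracer output in the question above.
SAMPLE_TRACE = """\
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Additional Information:
in   192.168.1.222   255.255.255.255 identity

Phase: 2
Type: NAT
Subtype: per-session
Result: ALLOW

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule

Result:
input-interface: outside
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

def parse_phases(trace):
    """One dict per 'Phase: N' block plus the trailing 'Result:' summary block."""
    phases, final = [], {}
    for block in re.split(r"\n\s*\n", trace.strip()):
        fields, last = {}, None
        for line in block.splitlines():
            m = re.match(r"^([\w -]+):\s*(.*)$", line)
            if m:
                last, fields[m.group(1)] = m.group(1), m.group(2)
            elif last:  # continuation line (no colon), e.g. 'Implicit Rule' or a route
                fields[last] = (fields[last] + " " + " ".join(line.split())).strip()
        if "Phase" in fields:
            phases.append(fields)
        elif "Action" in fields:
            final = fields
    return phases, final

def drop_phase(trace):
    """First phase with Result DROP (None if allowed) and the ASA drop reason."""
    phases, final = parse_phases(trace)
    hit = next((p for p in phases if p.get("Result") == "DROP"), None)
    return hit, final.get("Drop-reason")
```

For the sample trace, `drop_phase` returns phase 3 (ACCESS-LIST, matched config "Implicit Rule") together with the "(acl-drop)" reason, which is the same conclusion the packet-tracer summary states.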
