cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
388
Views
0
Helpful
6
Replies

Help with NAT

Lajja1234
Level 1
Level 1

Hi!

I can't get one of my NAT rules to work. I have a big network with many dmz and production nets.

One server on one of the DMZ are supposed to reach one license server on the inside network. But i can't get it to work. I'm sure im thinking wrong somewhere... I cannot post the config due to security reasons but i can show you how i am thinking.

I am using ASDM because i like the graphical view more than the CLI so please tell me how to do it right in ASDM.

My new NAT rule has the following:

Original

Interface: DMZ-network

Source: Server X

Translated

Interface : Inside

Use IP Adress: Server X

/Lajja1234

6 Replies 6

Jouni Forss
VIP Alumni
VIP Alumni

Hi,

Can you please provide us with the following information

  • Device model =  PIX/ASA/FWSM?
  • Device software = 8.2 or older or 8.3 or newer software level?

Are you familiar with the "packet-tracer" (though this isnt available on the FWSM) command?

This will let you test what rules/configurations match the test traffic you are simulating on the firewall itself

Format for the command is

packet-tracer input

If possible the above output might shed some light on the problem. But to be honest without seeing any configuration it might be hard to give a specific answer or precise help and take into account everything needed.

- Jouni

Hi!

It's a ASA 5520 that runs Version 8.0 and ASDM version 6.1. I am familiar with the packet tracer and packet tracer goes well until it hits the third NAT.

Flow lookup is ok

Route lookup is ok

Access list is ok

Failover ok

NAT ok

NAT ok

NAT failure.

I understand that without the config it's hard. But only point me in the right direction

/Lajja1234

Hi,

Could you post the complete output of the "packet-tracer" ?

- Jouni

Hi!

Below is the complete output of packet-tracer. I can show you pieces of the config, depending on what part you might find interesting.

I have changed the Server and Net names.

Phase: 1

Type: FLOW-LOOKUP

Subtype:

Result: ALLOW

Config:

Additional Information:

Found no matching flow, creating a new flow

Phase: 2

Type: ROUTE-LOOKUP

Subtype: input

Result: ALLOW

Config:

Additional Information:

in   10.7.100.0      255.255.255.0   inside

Phase: 3

Type: ACCESS-LIST

Subtype: log

Result: ALLOW

Config:

access-group DMZ_access_in in interface DMZ

access-list DMZ_access_in extended permit tcp host Server1 host Server2 object-group Licenseserver

object-group service Licenseserver tcp

port-object eq 1522

port-object eq 1533

port-object eq 1544

Additional Information:

Phase: 4

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 5

Type: FOVER

Subtype: standby-update

Result: ALLOW

Config:

Additional Information:

Phase: 6

Type: NAT

Subtype:

Result: ALLOW

Config:

static (DMZ,inside) Server1 Server1 netmask 255.255.255.255

  match ip DMZ host Server1 inside any

    static translation to appextver01

    translate_hits = 1, untranslate_hits = 2

Additional Information:

Static translate Server1/0 to Server1/0 using netmask 255.255.255.255

Phase: 7

Type: NAT

Subtype: host-limits

Result: ALLOW

Config:

static (DMZ,Wan-link) Server1 Server1 netmask 255.255.255.255

  match ip DMZ host Server1 Wan-link any

    static translation to Server1

    translate_hits = 65, untranslate_hits = 0

Additional Information:

Phase: 8

Type: NAT

Subtype: rpf-check

Result: DROP

Config:

nat (inside) 1 10.7.0.0 255.255.0.0

  match ip inside 10.7.0.0 255.255.0.0 DMZ any

    dynamic translation to pool 1 (No matching global)

    translate_hits = 201492, untranslate_hits = 0

Additional Information:

Result:

input-interface: DMZ

input-status: up

input-line-status: up

output-interface: inside

output-status: up

output-line-status: up

Action: drop

Drop-reason: (acl-drop) Flow is denied by configured rule

/Lajja1234

Hi,

What are the security levels of the interfaces "inside" and "DMZ"?

Does the DMZ have a public IP address range and are not NATed towards "WAN"? In other words hosts on "DMZ" have actual public IP addresses?

Seems to be something related to the NAT. Though then again Cisco firewalls logs and packet-tracer outputs dont always tell you the exact reason of the problem.

If the following are true

  • "inside" network is 10.7.0.0 255.255.0.0
  • "inside" networks should be able to connect to "DMZ" with their original IP address

I would perhaps try the command

static (inside,DMZ) 10.7.0.0 10.7.0.0 netmask 255.255.0.0

And taking the "packet-tracer" again.

But as I said I cant give any specific information just guess. Its not the best way to start troubleshooting when you are given limited information. I can't for example take into account your whole configuration at all and cant see what I might be effecting.

- Jouni

The security levels are standard, 100 and 50.

The DMZ IP adress is not a public adress. So the hosts on DMZ do not have public adresses.

I understand it is hard to say without the config, well, i can always ask one of my collegues if they have any idea

/Lajja1234

Review Cisco Networking for a $25 gift card