identity NAT help

Sheraz.Salim
VIP Alumni

Hello.

Kindly please help.

The outside network address 192.168.95.233 (antivirus proxy server) needs to get mapped to the inside network (antivirus server 10.7.2.250). Here is my config.

object network AV_Inside
 host 10.7.2.250
object network AV_outside
 host 192.168.95.233

nat (inside,outside) source static AV_Inside AV_outside destination static AV_outside AV_Inside

access-list AV extended permit ip any object AV_Inside

access-group AV in interface outside

When I do a packet trace, either from inside or from outside, with the above addresses, everything is passing. However, in my ASDM logging

I am getting these critical alerts:

source ip: 192.168.95.10   source port 64818

destination 192.168.95.233  destination port 8014

description: Inbound TCP connection denied from 192.168.95.10/64818 to 192.168.95.233/8014 flags SYN on interface outside.

Kindly please advise what could be wrong.

Please do not forget to rate.

cofee
Level 5

I am not sure if you are trying to create a policy NAT. But if you just want to create a static NAT from inside to outside, this is all you need:

nat (inside,outside) source static AV_Inside AV_outside

But if you want to create a policy NAT for a specific destination, then the NAT syntax will be like this:

object network destination_address
 host 1.2.3.4

nat (inside,outside) source static AV_Inside AV_outside destination static destination_address destination_address

If this is not what you need, then let me know what exactly you are looking for.

Hello cofee,

I applied the first config and here is the output.

packet-tracer input outside rawip 192.168.71.230 0 10.1$

Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
in   10.178.5.0      255.255.255.0   inside

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7fff2be28320, priority=500, domain=permit, deny=true
        hits=1, user_data=0x6, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=192.168.71.230, mask=255.255.255.255, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
        input_ifc=outside, output_ifc=any

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

Here is from inside to outside:

 packet-tracer input inside rawip 10.178.5.250 0 192.168$

Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
in   192.168.68.0    255.255.252.0   outside

Phase: 2
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside,outside) source static AV_Inside AV_outside
Additional Information:
Static translate 10.178.5.250/0 to 192.168.71.233/0
 Forward Flow based lookup yields rule:
 in  id=0x7fff2b6144d0, priority=6, domain=nat, deny=false
        hits=2, user_data=0x7fff2c6e9c90, cs_id=0x0, flags=0x0, protocol=0
        src ip/id=10.178.5.250, mask=255.255.255.255, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
        input_ifc=inside, output_ifc=outside

Phase: 3
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7fff2ac2f460, priority=0, domain=nat-per-session, deny=true
        hits=47606, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
        input_ifc=any, output_ifc=any

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7fff2190e3b0, priority=0, domain=inspect-ip-options, deny=true
        hits=46818, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
        input_ifc=inside, output_ifc=any

Phase: 5
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (inside,outside) source static AV_Inside AV_outside
Additional Information:
 Forward Flow based lookup yields rule:
 out id=0x7fff2ac3fe90, priority=6, domain=nat-reverse, deny=false
        hits=3, user_data=0x7fff2bf80ad0, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
        src ip/id=10.178.5.250, mask=255.255.255.255, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
        input_ifc=inside, output_ifc=outside

Phase: 6
Type: USER-STATISTICS
Subtype: user-statistics
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 out id=0x7fff2c6eb690, priority=0, domain=user-statistics, deny=false
        hits=23566, user_data=0x7fff2bae5890, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
        input_ifc=any, output_ifc=outside

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (sp-security-failed) Slowpath security checks failed

Here is the config:

object network AV_Inside
 host 10.178.5.250
object network AV_outside
 host 192.168.71.233

nat (inside,outside) source static AV_Inside AV_outside

access-list OUT extended permit ip any object AV_Inside

Please do not forget to rate.
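As an added example for readers working through traces like the two above (this is not code from the thread or from Cisco), here is a small Python parser for ASA packet-tracer output. It splits a run into its phases and pulls out the final Action and Drop-reason separately, because the second run above illustrates a case worth handling explicitly: every phase reports ALLOW, yet the verdict is a drop (sp-security-failed), so a script that only scans phases for DROP would miss it. The two sample runs embedded in the block are constructed, abridged to the shape of the output posted above; they are not the poster's literal output.

```python
"""Parse Cisco ASA packet-tracer output into phases and extract the verdict.

Added illustration for this thread, not Cisco code. The sample runs below
are constructed and abridged to the shape of the output posted above.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample 1: inbound flow denied by the implicit rule in phase 2.
SAMPLE_ACL_DROP = """\
Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
in   10.178.5.0      255.255.255.0   inside

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7fff2be28320, priority=500, domain=permit, deny=true

Result:
input-interface: outside
output-interface: inside
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

# Constructed sample 2: every phase ALLOWs, yet the final verdict is a drop.
SAMPLE_SLOWPATH_DROP = """\
Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
in   192.168.68.0    255.255.252.0   outside

Phase: 2
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside,outside) source static AV_Inside AV_outside
Additional Information:
Static translate 10.178.5.250/0 to 192.168.71.233/0

Result:
input-interface: inside
output-interface: outside
Action: drop
Drop-reason: (sp-security-failed) Slowpath security checks failed
"""


@dataclass
class Phase:
    number: int
    type: str = ""
    subtype: str = ""
    result: str = ""
    config: List[str] = field(default_factory=list)   # lines under "Config:"
    info: List[str] = field(default_factory=list)     # lines under "Additional Information:"


@dataclass
class Trace:
    phases: List[Phase]
    action: str = ""
    drop_code: str = ""      # e.g. "acl-drop"; empty when the packet is allowed
    drop_reason: str = ""


def parse_packet_tracer(text: str) -> Trace:
    trace, phase, section = Trace([]), None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = re.match(r"Phase:\s*(\d+)$", line)
        if m:
            phase = Phase(int(m.group(1)))
            trace.phases.append(phase)
            section = None
            continue
        if line == "Result:":          # a bare "Result:" opens the final verdict block
            phase, section = None, None
            continue
        if phase is None:              # verdict block (or preamble before phase 1)
            if line.startswith("Action:"):
                trace.action = line.split(":", 1)[1].strip()
            elif line.startswith("Drop-reason:"):
                m = re.match(r"Drop-reason:\s*\(([^)]*)\)\s*(.*)", line)
                if m:
                    trace.drop_code, trace.drop_reason = m.group(1), m.group(2).strip()
            continue
        key, _, value = line.partition(":")
        if key in ("Type", "Subtype", "Result"):
            setattr(phase, key.lower(), value.strip())
        elif line == "Config:":
            section = "config"
        elif line == "Additional Information:":
            section = "info"
        elif section:
            getattr(phase, section).append(line)
    return trace


def dropping_phase(trace: Trace) -> Optional[Phase]:
    """First phase whose own result is DROP, or None when the drop is reported
    only in the final verdict (as with sp-security-failed above)."""
    return next((p for p in trace.phases if p.result == "DROP"), None)


def nat_translations(trace: Trace) -> List[str]:
    """The 'Static translate ...' lines from NAT phases: what the ASA would rewrite."""
    return [l for p in trace.phases if p.type == "NAT"
            for l in p.info if l.startswith("Static translate")]


def summarize(text: str) -> str:
    t = parse_packet_tracer(text)
    if t.action != "drop":
        return f"allow after {len(t.phases)} phases"
    p = dropping_phase(t)
    where = f"phase {p.number} ({p.type})" if p else "final verdict only (no phase reports DROP)"
    return f"drop [{t.drop_code}] at {where}"


if __name__ == "__main__":
    for sample in (SAMPLE_ACL_DROP, SAMPLE_SLOWPATH_DROP):
        print(summarize(sample))
```

Paste a real packet-tracer run into `summarize()` and it tells you whether a specific phase (ACL, NAT, inspection) rejected the flow or whether, as in the inside-to-outside run above, you need to look at the drop counter documentation rather than at any one phase.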

You haven't explained what you are trying to accomplish. Does this address 192.168.95.233 belong to the anti-virus server that's connected to the outside interface, and are you trying to NAT it to an IP address that's already being used by the inside anti-virus 10.7.2.25?

There could be a number of reasons for getting (sp-security-failed) Slowpath security checks failed:

Name: sp-security-failed

Slowpath security checks failed:

    This counter is incremented and packet is dropped when the security appliance is:

    1) In routed mode receives a through-the-box:
       - L2 broadcast packet
       - IPv4 packet with destination IP address equal to 0.0.0.0
       - IPv4 packet with source IP address equal to 0.0.0.0

    2) In routed or transparent mode and receives a through-the-box IPv4 packet with:
       - first octet of the source IP address equal to zero
       - source IP address equal to the loopback IP address
       - network part of source IP address equal to all 0's
       - network part of the source IP address equal to all 1's
       - source IP address host part equal to all 0's or all 1's

    3) In routed or transparent mode and receives an IPv4 or IPv6 packet with same source and destination IP addresses

Recommendation:

    1 and 2) Determine if an external user is trying to compromise the protected network. Check for misconfigured clients.

    3) If this message counter is incrementing rapidly, an attack may be in progress. Use the packet capture feature to capture type asp packets, and check the source MAC address in the packet to see where they are coming from.

Thank you for the quick reply. Apologies for not explaining in detail what I want to set up.

Our antivirus IP address is 10.178.5.250 (this is the inside network), whereas the other department X, which we classified as the outside network, has a proxy antivirus (address 192.168.71.232); they (the department X clients) are all connected to this address 192.168.71.232 to update virus definitions. Now we need to get this proxy server 192.168.71.232 to get its updates from our internal antivirus server address 10.178.5.250, and this is what I am creating rules for. Please let me know if this makes sense to you.

Please do not forget to rate.

Thanks for the explanation. Just to make it clear one more time so we are on the same page.

Inside anti-virus (inside local) - 10.178.5.250

Inside anti-virus (inside global) - 192.168.95.233

Outside anti-virus - 192.168.71.232 (it needs to talk to 192.168.95.233/10.178.5.250)

Your configuration that you sent earlier appears to be fine. Let's do it one more time.

object network AV_Inside
 host 10.7.2.250
object network AV_outside
 host 192.168.95.233

nat (inside,outside) source static AV_Inside AV_outside

access-list name extended permit protocol host 192.168.71.232 host 10.7.2.250 log

This should work as long as basic layer 3 reachability is there. Please look at the NAT order to see that there is no conflict and that your internal server is getting NATed to the configured address. Also look at the ACL order to make sure this ACL is not getting denied by some other ACL above it. Packet tracer should give you all that information.

Also, can you try to initiate the connection from the outside anti-virus server to the inside anti-virus server and then check the logs for any potential issues? Also check the connection table and xlate table (sh xlate) to make sure the internal server is getting NATed to the right address.

You also want to make sure that your outside anti-virus server is properly configured to talk to the internal anti-virus server and vice versa. You should also check for any policy on both servers that would prevent them from talking to each other and pulling files.

Hello Cofee,

Apologies for making a mess, as in my second post I put the original IP addresses.

So let me clear this up so we are on the same page.

Inside anti-virus (inside interface) - 10.178.5.250

Outside anti-virus (outside interface) - 192.168.71.232

Outside anti-virus - 192.168.71.232 (it needs to talk to 10.178.5.250)

I apologise again, as I hid the IP addresses; now I have put everything as real. Also, just to let you know, the ASA version is 9.x.

Please do not forget to rate.

That's fine. Just choose any available address (that's not assigned to any device) on the outside network and use that to NAT your inside anti-virus server.

Hello cofee,

I ended up with a different NAT rule.

As my outside firewall interface IP address is 192.168.71.254 and the requirement was:

Inside anti-virus (inside interface) - 10.178.5.250

Outside anti-virus (outside interface) - 192.168.71.232

Outside anti-virus - 192.168.71.232 (it needs to talk to 10.178.5.250)

object network AV
 host 10.178.5.250
 nat (inside,outside) static interface service tcp 8014 8014

access-list AV extended permit tcp any object AV eq 8014

The above config worked without using a spare outside address.

Please do not forget to rate.

Good to know. There are different ways to implement NAT. For example, identity NAT can also be used, which doesn't take up any extra address.

Thanks for letting me know.

Hi Cofee,

Could you kindly explain how I can implement identity NAT in this scenario, please?

Inside anti-virus (inside server) - 10.178.5.250

Outside anti-virus (outside server) - 192.168.71.232

My firewall outside interface IP address - 192.168.71.254 (for example)

Outside anti-virus - 192.168.71.232 (it needs to talk to 10.178.5.250)

object network AV
 host 10.178.5.250
 nat (inside,outside) static interface service tcp 8014 8014

access-list AV extended permit tcp any object AV eq 8014

By giving the above command in the ASA: from outside, on the antivirus server which is acting as a proxy, when I go into this proxy antivirus and initiate a telnet to the IP address 192.168.71.254 (which is my outside firewall interface address) on port 8014, this address is mapped to the inside server 10.178.5.250 and the connection opened.

Please do not forget to rate.

Identity NAT:

object network AV
 host 10.178.5.250
 nat (inside,outside) static AV service tcp 8014 8014

You won't have to do anything with the ACL.

Please let me know if this answers your question.

Hello cofee.

nat (inside,outside) static AV service tcp 8014 8014

In this above command, will the outside server communicate to the outside interface IP address of the firewall? If so, this is very similar to the command I wrote earlier:

nat (inside,outside) static interface service tcp 8014 8014

Please do not forget to rate.

* With this identity NAT, the outside server will communicate directly to the real IP and not the outside address.

* With the one that you configured, you are NATing 10.178.5.250 to the IP address of the outside interface of the firewall.

Let me know if this makes sense.
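To make the difference in this last exchange concrete, here is an added Python model (not code from the thread or from Cisco) of the three static NAT forms that appear in it: the original twice NAT to a spare outside address (192.168.71.233), the interface port forward (`static interface service tcp 8014 8014`), and the identity NAT (`static AV service tcp 8014 8014`). It parses those three configuration fragments as they were posted, reports which address the outside proxy has to be pointed at under each, and untranslates an inbound connection the way the ASA would on the outside interface. The outside interface address 192.168.71.254 is the example value given above; the inside interface address is assumed, and the parser covers only the syntax forms quoted in this thread (the `destination static` clause from the first post is deliberately not modelled).

```python
"""Model how the three ASA static NAT forms in this thread untranslate an inbound
connection from the outside network. Added illustration, not Cisco code; the
parser covers only the syntax forms quoted in the thread.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Outside address is the thread's example value; the inside address is assumed here.
INTERFACES: Dict[str, str] = {"outside": "192.168.71.254", "inside": "10.178.5.254"}

# The three configurations as posted in the thread (twice NAT, interface PAT, identity).
CFG_STATIC = """
object network AV_Inside
 host 10.178.5.250
object network AV_outside
 host 192.168.71.233
nat (inside,outside) source static AV_Inside AV_outside
"""
CFG_INTERFACE = """
object network AV
 host 10.178.5.250
 nat (inside,outside) static interface service tcp 8014 8014
"""
CFG_IDENTITY = """
object network AV
 host 10.178.5.250
 nat (inside,outside) static AV service tcp 8014 8014
"""


@dataclass(frozen=True)
class StaticNat:
    real_ip: str
    mapped_ip: str
    real_if: str
    mapped_if: str
    proto: Optional[str] = None        # present only with a "service" clause
    real_port: Optional[int] = None
    mapped_port: Optional[int] = None

    def kind(self, interfaces: Dict[str, str] = INTERFACES) -> str:
        if self.real_ip == self.mapped_ip:
            return "identity"          # real address is exposed unchanged
        if self.mapped_ip == interfaces.get(self.mapped_if):
            return "interface"         # mapped to the ASA's own interface address
        return "static"                # mapped to a separate address


OBJECT_NAT = re.compile(r"nat \((\w+),(\w+)\) static (\S+)(?: service (tcp|udp) (\d+) (\d+))?$")
TWICE_NAT = re.compile(r"nat \((\w+),(\w+)\) source static (\S+) (\S+)$")


def parse_nat(config: str, interfaces: Dict[str, str] = INTERFACES) -> List[StaticNat]:
    """Parse 'object network' blocks plus the object-NAT and twice-NAT forms above."""
    objects: Dict[str, str] = {}
    rules: List[StaticNat] = []
    current: Optional[str] = None
    for line in config.splitlines():
        line = line.strip()
        if m := re.match(r"object network (\S+)$", line):
            current = m.group(1)
        elif (m := re.match(r"host (\S+)$", line)) and current:
            objects[current] = m.group(1)
        elif m := TWICE_NAT.match(line):
            real_if, mapped_if, real, mapped = m.groups()
            rules.append(StaticNat(objects[real], objects[mapped], real_if, mapped_if))
        elif (m := OBJECT_NAT.match(line)) and current:
            real_if, mapped_if, mapped, proto, rp, mp = m.groups()
            # "interface" keyword, an object name (possibly the object itself), or a literal
            mapped_ip = interfaces[mapped_if] if mapped == "interface" else objects.get(mapped, mapped)
            rules.append(StaticNat(objects[current], mapped_ip, real_if, mapped_if, proto,
                                   int(rp) if rp else None, int(mp) if mp else None))
    return rules


def untranslate_inbound(rules: List[StaticNat], dst_ip: str, dst_port: int,
                        proto: str = "tcp", ingress: str = "outside") -> Optional[Tuple[str, int]]:
    """Real (ip, port) for a connection arriving on `ingress` to dst, or None when no
    static rule maps that destination (the ASA would not forward it to the server)."""
    for r in rules:
        if r.mapped_if != ingress or r.mapped_ip != dst_ip:
            continue
        if r.mapped_port is None:              # whole-host static NAT: ports unchanged
            return r.real_ip, dst_port
        if r.proto == proto and r.mapped_port == dst_port:
            return r.real_ip, r.real_port
    return None


def outside_target(config: str) -> Tuple[str, str, Optional[int]]:
    """(kind, address, port) the outside AV proxy must be pointed at under `config`."""
    rule = parse_nat(config)[0]
    return rule.kind(), rule.mapped_ip, rule.mapped_port


if __name__ == "__main__":
    for name, cfg in (("static", CFG_STATIC), ("interface", CFG_INTERFACE), ("identity", CFG_IDENTITY)):
        print(name, outside_target(cfg))
```

Running it shows the point made in the last reply: under identity NAT the proxy dials 10.178.5.250:8014 itself, under the interface form it dials 192.168.71.254:8014, and under the original twice NAT it dials 192.168.71.233 on any port. In every case the interface ACL still has to permit the flow to the real address (ASA 8.3+ evaluates ACLs against real addresses), which is why the `access-list AV ... object AV eq 8014` line appears alongside the port-forward form.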
