Issue with PAT Setup ASA 5508 9.16(1)

vdzpro
Level 1

Trying to get a port forward setup for a server behind the firewall and having an issue getting it to work. The traffic appears to be dropping after touching the outside interface, even though an outside ACL is created for this traffic.

Here are the configuration line items:

interface GigabitEthernet1/8
nameif outside
security-level 0
ip address 1.2.3.4 255.255.255.252

interface GigabitEthernet1/4
nameif DMZ3
security-level 40
ip address 10.12.13.190 255.255.255.0

object network server-1
host 10.12.13.200
nat (DMZ3,outside) static interface service tcp 51210 51210

access-list outside_access_in extended permit tcp any host 10.12.13.200 eq 51210

access-group outside_access_in in interface outside

Am I missing something? In all the docs I find on ASA 9 setup, this appears to be all you need.

17 Replies

10.12.13.190 <<- this IP is the IP of the interface, not the real IP of the server

MHM

Sorry, I was trying to obfuscate the IPs and messed up the addresses for the host and access-list. I fixed the config line items above. It should be 10.12.13.200. Even with this config it was not working.

Can I see 

Show run nat

MHM

Yes, here it is.

nat (DMZ2,outside) source dynamic WSUS interface
nat (DMZ2,outside) source dynamic AV_SVR interface
nat (InternetAccess,outside) source dynamic any interface
nat (DMZ1,outside) source static WebProxy WebProxy destination static NETWORK_OBJ_10.12.19.240_28 NETWORK_OBJ_10.12.19.240_28 no-proxy-arp route-lookup
nat (DMZ1,outside) source static NETWORK_OBJ_10.12.19.0_24 NETWORK_OBJ_10.12.19.0_24 destination static NETWORK_OBJ_10.12.19.240_28 NETWORK_OBJ_10.12.19.240_28 no-proxy-arp route-lookup
nat (DMZ1,outside) source dynamic WebProxy interface
!
object network NAT_Mob
nat (DMZ2,outside) dynamic interface
object network server-1
nat (DMZ3,outside) static interface service tcp 51210 51210

I need to see 

Show nat 

Not show run (that only shows the NAT config)

What I think is that the NAT order is the issue here.

There is a NAT above your requested NAT which makes the traffic drop.

MHM

Here is the show nat:

Manual NAT Policies Implicit (Section 0)
1 (nlp_int_tap) to (outside) source dynamic nlp_client_0_0.0.0.0_17proto53_intf6 interface destination static nlp_client_0_ipv4_2 nlp_client_0_ipv4_2 service nlp_client_0_17svc53_1 nlp_client_0_17svc53_1
translate_hits = 0, untranslate_hits = 0
2 (nlp_int_tap) to (outside) source dynamic nlp_client_0_ipv6_::_17proto53_intf6 interface ipv6 destination static nlp_client_0_ipv6_4 nlp_client_0_ipv6_4 service nlp_client_0_17svc53_3 nlp_client_0_17svc53_3
translate_hits = 0, untranslate_hits = 0

Manual NAT Policies (Section 1)
1 (DMZ2) to (outside) source dynamic WSUS interface
translate_hits = 1489532, untranslate_hits = 2084
2 (DMZ2) to (outside) source dynamic AV_SVR interface
translate_hits = 1803818, untranslate_hits = 23136
3 (InternetAccess) to (outside) source dynamic any interface
translate_hits = 0, untranslate_hits = 0
4 (DMZ1) to (outside) source static WebProxy WebProxy destination static NETWORK_OBJ_10.12.19.240_28 NETWORK_OBJ_10.12.19.240_28 no-proxy-arp route-lookup
translate_hits = 568208, untranslate_hits = 1812856
5 (DMZ1) to (outside) source static NETWORK_OBJ_10.12.19.0_24 NETWORK_OBJ_10.12.19.0_24 destination static NETWORK_OBJ_10.12.19.240_28 NETWORK_OBJ_10.12.19.240_28 no-proxy-arp route-lookup
translate_hits = 3023, untranslate_hits = 3023
6 (DMZ1) to (outside) source dynamic WebProxy interface
translate_hits = 614090, untranslate_hits = 20

Auto NAT Policies (Section 2)
1 (DMZ3) to (outside) source static server-1 interface service tcp 51210 51210
translate_hits = 0, untranslate_hits = 0
2 (DMZ2) to (outside) source dynamic NAT_Mob interface
translate_hits = 0, untranslate_hits = 0

The run nat disappeared anyway; I'll take a look.

There are 0 hits for NATing and un-NATing, meaning the traffic is not hitting the NAT at all.

1- Capture traffic on outside matching tcp port 51210; see if the traffic reaches outside.

2- Ping from the ASA to the server; if the ASA doesn't have an ARP entry for the server or the server is not reachable, it will not NAT the traffic.

MHM
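MHM's two checks above (zero hit counters, and a NAT rule earlier in the evaluation order) can be applied mechanically to the posted show nat output. The Python below is an added example and not code from the thread: it parses an excerpt of the output exactly as posted, lists the rules that have never been hit in either direction, and lists the rules evaluated before a given rule on the same interface pair, as candidates to inspect for shadowing.

```python
import re
from dataclasses import dataclass
# Excerpt of the "show nat" output posted in the thread (Section 0 omitted).
SHOW_NAT = """\
Manual NAT Policies (Section 1)
1 (DMZ2) to (outside) source dynamic WSUS interface
translate_hits = 1489532, untranslate_hits = 2084
2 (DMZ2) to (outside) source dynamic AV_SVR interface
translate_hits = 1803818, untranslate_hits = 23136
Auto NAT Policies (Section 2)
1 (DMZ3) to (outside) source static server-1 interface service tcp 51210 51210
translate_hits = 0, untranslate_hits = 0
2 (DMZ2) to (outside) source dynamic NAT_Mob interface
translate_hits = 0, untranslate_hits = 0
"""

SECTION_RE = re.compile(r"\(Section (\d+)\)")
RULE_RE = re.compile(r"^(\d+) \(([^)]+)\) to \(([^)]+)\) (.*)$")
HITS_RE = re.compile(r"translate_hits = (\d+), untranslate_hits = (\d+)")

@dataclass
class NatRule:
    section: int        # 0 = implicit, 1 = manual, 2 = auto (object) NAT
    index: int          # position within its section
    src_ifc: str
    dst_ifc: str
    text: str           # the rule body after "(src) to (dst)"
    translate_hits: int = 0
    untranslate_hits: int = 0

def parse_show_nat(output: str) -> list[NatRule]:
    """Return the NAT rules in ASA evaluation order (section, then index)."""
    rules, section = [], None
    for line in output.splitlines():
        if m := SECTION_RE.search(line):
            section = int(m.group(1))
        elif m := RULE_RE.match(line):
            rules.append(NatRule(section, int(m.group(1)), m.group(2), m.group(3), m.group(4)))
        elif m := HITS_RE.search(line):
            rules[-1].translate_hits, rules[-1].untranslate_hits = int(m.group(1)), int(m.group(2))
    return rules

def unused_rules(rules):
    """Rules with zero hits in both directions: no flow has matched them yet."""
    return [r for r in rules if r.translate_hits == 0 and r.untranslate_hits == 0]

def earlier_rules_on_same_path(rules, target):
    """Rules evaluated before `target` that translate the same interface pair."""
    pos = rules.index(target)
    return [r for r in rules[:pos] if (r.src_ifc, r.dst_ifc) == (target.src_ifc, target.dst_ifc)]
```

For the posted output the server-1 rule has no earlier rule on the (DMZ3, outside) pair, while NAT_Mob has two on (DMZ2, outside).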

We are planning a replacement, but trying to get this to work in the meantime.

swj
Cisco Employee

Run packet tracer and share the output where it is dropping. 

packet-tracer input outside tcp <Source-ip from external> 1234 <Interface-IP-of-Firewall> 51210

Share the output to understand what NAT is hitting.

Show log | inc 10.12.13.200/<Source-ip from external> 

This too helps understand what is happening. 

Packet-tracer output (official IPs omitted):

Phase: 1
Type: ROUTE-LOOKUP
Subtype: No ECMP load balancing
Result: ALLOW
Config:
Additional Information:
Destination is locally connected. No ECMP load balancing.
Found next-hop 1.2.3.4 using egress ifc identity

Phase: 2
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: outside
input-status: up
input-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule, Drop-location: frame 0x0000555813aa033f flow (NA)/NA

Not sure why the drop since there is a policy to allow the traffic:

access-list outside_access_in extended permit tcp any host 10.12.13.200 eq 51210

access-group outside_access_in in interface outside

Correct one:

packet-tracer input OUTSIDE tcp 1.1.1.1 1234 <outside public IP> 51210 detail

This is how you do packet-tracer; run it and share the result.

MHM

swj
Cisco Employee

Hi, 

An ACL drop is expected when we do it in the reverse (lower to higher security level) direction, but I want to make sure you tried packet-tracer for the public IP address, not the DMZ server IP.

vdzpro
Level 1

Thank you for all the responses. I have to schedule the time with the on-site contact, so it takes a little more time to gather the requested information.