07-01-2008 12:41 PM - edited 03-11-2019 06:07 AM
I have a new ASA 5505 I've been messing around with. I'm setting it up between two different private IP based networks (two different companies) and with it is a static nat mapping to allow them to access one of our machines. The "public" IP address assigned to the mapping is dedicated only for this purpose. For some reason the Packet-Tracer keeps stopping on the NAT section with an RPF-CHECK, but the config looks ok. Any help is appreciated. The relevant config is posted below. Thanks!
------------------
ASA Version 7.2(4)
!
interface Vlan1
nameif inside
security-level 100
ip address 10.0.10.58 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 10.243.32.2 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
dns server-group DefaultDNS
domain-name default.domain.invalid
same-security-traffic permit intra-interface
object-group service rdp tcp
description Remote Desktop Protocol
port-object eq 3389
access-list outside_access_in extended permit icmp any host 10.0.10.25
access-list outside_access_in extended permit tcp any host 10.0.10.25 eq ftp
access-list outside_access_in extended permit tcp any host 10.0.10.25 eq telnet
access-list outside_access_in extended permit tcp any host 10.0.10.25 eq 3389
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) 10.243.32.10 10.0.10.25 netmask 255.255.255.255
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 10.243.32.1 1
route outside 10.0.0.0 255.255.0.0 10.0.10.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 10.0.10.0 255.255.255.0 inside
telnet 10.0.10.0 255.255.255.0 inside
telnet timeout 5
ssh 10.0.10.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
: end
asdm image disk0:/asdm-524.bin
no asdm history enable
-------------------
07-01-2008 12:41 PM
-------------------
Output of command: packet-tracer input outside tcp 10.243.32.9 1069 10.0.10.25 3389 detailed
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x3d66778, priority=1, domain=permit, deny=false
hits=3360, user_data=0x0, cs_id=0x0, l3_type=0x8
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0000.0000.0000
Phase: 2
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 10.0.10.0 255.255.255.0 inside
Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside_access_in in interface outside
access-list outside_access_in extended permit tcp any host 10.0.10.25 eq 3389
Additional Information:
Forward Flow based lookup yields rule:
in id=0x3da4fc0, priority=12, domain=permit, deny=false
hits=22, user_data=0x3da4f80, cs_id=0x0, flags=0x0, protocol=6
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=10.0.10.25, mask=255.255.255.255, port=3389, dscp=0x0
Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x3d49bb8, priority=0, domain=permit-ip-option, deny=true
hits=1406, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 6
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
static (inside,outside) 10.243.32.10 10.0.10.25 netmask 255.255.255.255
nat-control
match ip inside host 10.0.10.25 outside any
static translation to 10.243.32.10
translate_hits = 195, untranslate_hits = 0
Additional Information:
Forward Flow based lookup yields rule:
out id=0x3d1c848, priority=5, domain=nat-reverse, deny=false
hits=10, user_data=0x39f0110, cs_id=0x0, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=10.0.10.25, mask=255.255.255.255, port=0, dscp=0x0
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
07-01-2008 12:48 PM
Jack
Not entirely clear on what you are trying to do. If you have NATed 10.0.10.25 to 10.243.32.10 then your access-list on your outside interface should be permitting access to 10.243.32.10 and not 10.0.10.25, i.e.
access-list outside_access_in extended permit icmp any host 10.0.10.25
access-list outside_access_in extended permit tcp any host 10.0.10.25 eq ftp
access-list outside_access_in extended permit tcp any host 10.0.10.25 eq telnet
access-list outside_access_in extended permit tcp any host 10.0.10.25 eq 3389
change all instances of 10.0.10.25 to 10.243.32.10 in the above acl and then from outside access 10.243.32.10.
If you want to access 10.0.10.25 directly from outside
static (inside,outside) 10.0.10.25 10.0.10.25 netmask 255.255.255.255
Jon
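As an added illustration of the point Jon makes (not code from the thread): on ASA 7.x/8.2 code an inbound ACL on the outside interface is evaluated against the mapped (global) address, so an ACE naming the real inside host of a `static` can never match and packet-tracer should be run against the mapped address too (this changed in 8.3, where ACLs use real addresses). The script below is a small linter for that mistake; the config it parses is a constructed excerpt of the config posted above, and it only understands the `static`, `access-list ... extended permit` and `access-group ... in interface` forms shown in this thread.

```python
import re

# Constructed sample: the relevant lines of the ASA 7.2 config from the thread, with
# the outside ACL still written against the real inside address of the RDP host.
SAMPLE_CONFIG = """\
static (inside,outside) 10.243.32.10 10.0.10.25 netmask 255.255.255.255
access-list outside_access_in extended permit icmp any host 10.0.10.25
access-list outside_access_in extended permit tcp any host 10.0.10.25 eq 3389
access-list outside_access_in extended permit tcp any host 10.243.32.10 eq ftp
access-group outside_access_in in interface outside
"""

STATIC_RE = re.compile(r"^static \((\S+),(\S+)\) (\S+) (\S+) netmask")
GROUP_RE = re.compile(r"^access-group (\S+) in interface (\S+)")


def _take_addr(tokens):
    """Consume one ACE address spec: 'any', 'host X' or 'NET MASK'."""
    if tokens[0] == "any":
        return "any", tokens[1:]
    if tokens[0] == "host":
        return tokens[1], tokens[2:]
    return f"{tokens[0]}/{tokens[1]}", tokens[2:]

def parse_ace(line):
    """Return (acl_name, src, dst) for an 'extended permit' ACE, else None."""
    tokens = line.split()
    if len(tokens) < 6 or tokens[0] != "access-list" or tokens[2:4] != ["extended", "permit"]:
        return None
    src, rest = _take_addr(tokens[5:])
    dst, _ = _take_addr(rest)
    return tokens[1], src, dst

def find_pre83_acl_mismatches(config):
    """Pre-8.3 ASA code matches an inbound ACL on the *mapped* address, so an ACE that
    names the real inside host of a static NAT can never match. Returns a list of
    (original_line, corrected_line) for each such ACE on the interface the static maps to."""
    statics, applied, aces = {}, {}, []
    for line in config.splitlines():
        if m := STATIC_RE.match(line):
            _real_if, mapped_if, mapped_ip, real_ip = m.groups()
            statics[real_ip] = (mapped_ip, mapped_if)  # real -> (mapped, mapped iface)
        elif m := GROUP_RE.match(line):
            applied[m.group(1)] = m.group(2)  # ACL name -> inbound interface
        elif ace := parse_ace(line):
            aces.append((ace, line))
    return [(line, line.replace(f"host {dst}", f"host {statics[dst][0]}"))
            for (acl, _src, dst), line in aces
            if dst in statics and statics[dst][1] == applied.get(acl)]
```

Running it on the sample flags the icmp and 3389 ACEs and prints them rewritten to `host 10.243.32.10`, which is exactly the change Jon suggests; the ftp ACE already uses the mapped address and is left alone.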
07-01-2008 12:55 PM
Jon, thanks for the reply. Let me try and explain a little bit more.
The Private (Inside) network is 10.0.10.0/24 and the Public (Outside) network is 10.243.32.0/24. I'm trying to translate the 'public' address of 10.243.32.10 to the private address of 10.0.10.25. As far as I can tell it's set up correctly (this was done via the ASDM but the direct config looks ok too), but yet the Packet-Tracer keeps kicking back an error. I've tried putting a machine on the 'outside' with an IP of 10.243.32.9 and then attempted to RDP to 10.243.32.10 (which should translate back to 10.0.10.25) but it doesn't appear to work.
Thanks for the help!
07-01-2008 01:00 PM
Jack
Can you clarify a bit more. Are you initiating the connection from outside and trying to RDP through to the inside host of 10.0.10.25 ?
If so you cannot leave the config as is and connect to 10.0.10.25 as the destination address. You need to make the destination address 10.243.32.10 and you need to update your access-list.
Could you explain in terms of src and dst IP addresses what connection you are trying to make.
Apologies for being a bit slow :-)
Jon
07-01-2008 01:20 PM
Yes, I am trying to initiate from the outside to RDP to the inside host. I'll update the ACLs and give it a shot, thx!
07-01-2008 02:48 PM
Boom, that was it! I don't know why I kept thinking the ACL had to be for the internal IP and not the external. Oh well, at least now I should remember. Thanks!
07-02-2008 12:14 AM
Thanks for letting me know it worked. Glad to have helped.
Jon