01-24-2013 06:03 AM - edited 03-11-2019 05:51 PM
Hello everybody.
I have this configuration on PIX804:
On Pix804
interface Ethernet2
nameif ins10
security-level 90
ip address 10.1.21.254 255.255.255.0 standby 10.1.21.253
interface Ethernet4.1
vlan 28
nameif intranet
security-level 40
ip address 10.1.15.2 255.255.255.0 standby 10.1.15.15
interface Ethernet5
nameif DMZDPK
security-level 30
ip address 10.1.26.1 255.255.255.0 standby 10.1.26.3
static (DMZDPK,ins10) tcp 10.1.15.43 7799 10.1.26.16 7799 netmask 255.255.255.255
static (DMZDPK,intranet) 10.1.15.43 10.1.26.16 netmask 255.255.255.255
Both statics work normally.
On ASA
interface GigabitEthernet0/0.7
vlan 28
nameif intranet
security-level 40
ip address 10.1.15.2 255.255.255.0 standby 10.1.15.15
interface GigabitEthernet0/2.1
vlan 29
nameif inside
security-level 99
ip address 10.1.20.254 255.255.255.0 standby 10.1.20.253
interface GigabitEthernet0/2.5
vlan 39
nameif DMZDPK
security-level 30
ip address 10.1.26.1 255.255.255.0 standby 10.1.26.3
object network obj-10.1.26.16 (this static does not work; packet-tracer output is below)
host 10.1.26.16
nat (DMZDPK,ins10) static 10.1.15.43 service tcp 7799 7799
object network obj-10.1.26.16-01 (this static works)
host 10.1.26.16
nat (DMZDPK,intranet) static 10.1.15.43
ASA5520# packet-tracer input ins10 tcp 10.1.21.6 12345 10.1.15.43 7799
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 10.1.15.0 255.255.255.0 intranet
Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group 131 in interface ins10
access-list 131 extended permit ip host 10.1.21.6 any
Additional Information:
Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 4
Type: FOVER
Subtype: standby-update
Result: ALLOW
Config:
Additional Information:
Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 6
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 4108, packet dispatched to next module
Result:
input-interface: ins10
input-status: up
input-line-status: up
output-interface: intranet
output-status: up
output-line-status: up
Action: allow
On PIX515T(804), the packet-tracer output has no Phase 1 Route-lookup, and both static NATs work fine.
Can I disable the route-lookup phase on the ASA so that it does not send the packet out the wrong interface?
01-24-2013 05:07 PM
Hello,
The static NAT looks fine; it was migrated correctly.
What doesn't seem right is the packet tracer:
If the connection is coming on interface ins10 and you are trying to connect to IP 10.1.15.43, then it should be something like:
packet in ins10 tcp 8.8.8.8 1025 10.1.15.43 7799
Regards,
Felipe.
01-24-2013 11:56 PM
Hello, lcambron.
Thanks for your response.
I resolved this problem.
My manual dynamic NAT section overlaps the auto NAT static section, and the packet takes the wrong route. I removed all manual dynamic NAT, and all static NATs work fine.
I will create the NAT in another sequence.
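A constructed illustration of the overlap described in the last post and of the "after-auto" ordering fix, added here as example config; it is not the poster's configuration or anything from the thread. The object name obj-ins10-net, the 10.1.21.0/24 source network and the shape of the manual rule are assumptions about the kind of rule that was overlapping.

```cisco
! Constructed example (not the poster's config). The ASA evaluates NAT in order:
! section 1 (manual NAT), then section 2 (auto NAT), then section 3 (manual NAT
! placed with "after-auto"). A manual dynamic rule whose destination is left as
! "any" matches the ins10 -> 10.1.15.43 packet first, so the egress interface
! comes from that rule (intranet) and the auto NAT static on DMZDPK is never reached.
object network obj-ins10-net
 subnet 10.1.21.0 255.255.255.0
!
! Overlapping rule (section 1): matches any destination seen from ins10
nat (ins10,intranet) source dynamic obj-ins10-net interface
!
! Auto NAT static from the thread (section 2): not consulted for port 7799
object network obj-10.1.26.16
 host 10.1.26.16
 nat (DMZDPK,ins10) static 10.1.15.43 service tcp 7799 7799
!
! Fix: re-add the dynamic rule with "after-auto" so it lands in section 3 and
! the auto NAT static is evaluated first, diverting the flow to DMZDPK
no nat (ins10,intranet) source dynamic obj-ins10-net interface
nat (ins10,intranet) after-auto source dynamic obj-ins10-net interface
!
! Verification (expected, not captured output): "show nat" now lists the dynamic
! rule under the section 3 manual policies, and the thread's packet-tracer command
!   packet-tracer input ins10 tcp 10.1.21.6 12345 10.1.15.43 7799
! should report a Type: NAT phase and output-interface: DMZDPK
```

An alternative that keeps the rule in section 1 is to narrow it with a "destination static" object so it no longer matches the 10.1.15.43 mapped address.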