Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
433
Views
0
Helpful
2
Replies

Migrate static nat from PIX804 to ASA845

SilkoYuri
Level 1
Level 1

‎01-24-2013 06:03 AM - edited ‎03-11-2019 05:51 PM

Hello every body.

I have configuration on PIX804 :

On Pix804

interface Ethernet2

nameif ins10

security-level 90

ip address 10.1.21.254 255.255.255.0 standby 10.1.21.253

interface Ethernet4.1

vlan 28

nameif intranet

security-level 40

ip address 10.1.15.2 255.255.255.0 standby 10.1.15.15

interface Ethernet5

nameif DMZDPK

security-level 30

ip address 10.1.26.1 255.255.255.0 standby 10.1.26.3

static (DMZDPK,ins10) tcp 10.1.15.43 7799 10.1.26.16 7799 netmask 255.255.255.255

static (DMZDPK,intranet) 10.1.15.43 10.1.26.16 netmask 255.255.255.255

both static work normally.

On ASA

interface GigabitEthernet0/0.7

vlan 28

nameif intranet

security-level 40

ip address 10.1.15.2 255.255.255.0 standby 10.1.15.15

interface GigabitEthernet0/2.1

vlan 29

nameif inside

security-level 99

ip address 10.1.20.254 255.255.255.0 standby 10.1.20.253

interface GigabitEthernet0/2.5

vlan 39

nameif DMZDPK

security-level 30

ip address 10.1.26.1 255.255.255.0 standby 10.1.26.3

object network obj-10.1.26.16 (this static is not work, output packet-tracert is below)

host 10.1.26.16

nat (DMZDPK,ins10) static 10.1.15.43 service tcp 7799 7799

object network obj-10.1.26.16-01 (this static is work)

host 10.1.26.16

nat (DMZDPK,intranet) static 10.1.15.43

ASA5520# packet-tracer input ins10 tcp 10.1.21.6 12345 10.1.15.43 7799

Phase: 1

Type: ROUTE-LOOKUP

Subtype: input

Result: ALLOW

Config:

Additional Information:

in   10.1.15.0       255.255.255.0   intranet

Phase: 2

Type: ACCESS-LIST

Subtype: log

Result: ALLOW

Config:

access-group 131 in interface ins10

access-list 131 extended permit ip host 10.1.21.6 any

Additional Information:

Phase: 3

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 4

Type: FOVER

Subtype: standby-update

Result: ALLOW

Config:

Additional Information:

Phase: 5

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 6

Type: FLOW-CREATION

Subtype:

Result: ALLOW

Config:

Additional Information:

New flow created with id 4108, packet dispatched to next module

Result:

input-interface: ins10

input-status: up

input-line-status: up

output-interface: intranet

output-status: up

output-line-status: up

Action: allow

On PIX515T(804) in packet-tracert option no Phase 1 - Route-lookup and both static nat works fine.

May I disable on ASA phase route-lookup, that it not send packet on wrong interfaces ?

Labels:
0 Helpful
2 Replies 2

lcambron
Level 3
Level 3

‎01-24-2013 05:07 PM

Hello,

Tthe static nat looks fine, it was migrated correclty.

What doesn't seem right is the packet tracer:

If the connection is coming on interface ins10 and you are trying to connect to IP 10.1.15.43, then it should be something like:

packet in ins10 tcp 8.8.8.8 1025 10.1.15.43 7799

Regards,

Felipe.

0 Helpful

SilkoYuri
Level 1
Level 1
In response to lcambron

‎01-24-2013 11:56 PM

Hello, lcambron.

Thanks for You response.

I resolve this problem.

My manual dynamic nat section overlaps auto-nat static section and packet has wrong route. I remove all manual dynamic nat, and all static nats work fine.

I will make another sequence nat.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card