02-17-2020 11:13 AM
Hi,
I have an ASA with DHCP on the outside interface and I am trying to set up a NAT/PAT for traffic hitting the outside interface on port 8443 to an internal IP on the same port.
I am using object NAT as below, but the logs show the traffic getting discarded.
object network Myserver_8443
host 10.10.10.10
nat (inside,outside) static interface service tcp 8443 8443
access-list outside_acl line 1 extended permit tcp any object Myserver_8443 eq 8443
What I was hoping for: traffic destined to the outside interface on 8443 --> 10.10.10.10 8443
Thanks,
02-17-2020 01:13 PM
02-17-2020 01:58 PM
Hi,
Here it is. Thanks for your help. (The IP I am actually trying to reach is 10.10.254.254; I had put 10.10.10.10 in the post above just to keep things "simple".)
sh nat detail
Manual NAT Policies (Section 1)
1 (inside) to (outside) source dynamic obj-10.10.1.0 interface
translate_hits = 0, untranslate_hits = 0
Source - Origin: 10.10.1.0/24, Translated: 172.83.250.10/24
2 (outside) to (inside) source dynamic INT_IP interface
translate_hits = 7, untranslate_hits = 0
Source - Origin: 10.10.2.0/24, Translated: 10.10.254.1/24
3 (inside) to (outside) source dynamic obj-10.10.254.0 interface
translate_hits = 13572, untranslate_hits = 224
Source - Origin: 10.10.254.0/24, Translated: 172.83.250.10/24
packet-tracer input outside tcp 8.8.8.8 3000 172.83.250.10 8443 de
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0xacdec500, priority=1, domain=permit, deny=false
hits=828499, user_data=0x0, cs_id=0x0, l3_type=0x8
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0100.0000.0000
input_ifc=outside, output_ifc=any
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 172.83.250.10 255.255.255.255 identity
Phase: 3
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xa8675bc8, priority=1, domain=nat-per-session, deny=true
hits=13839, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0 dscp=0x0
input_ifc=any, output_ifc=any
Phase: 4
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0xacded0a0, priority=0, domain=permit, deny=true
hits=2968, user_data=0x9, cs_id=0x0, use_real_addr, flags=0x1000, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0 dscp=0x0
input_ifc=outside, output_ifc=any
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
ACL on the outside interface.
access-list outside_acl line 1 extended permit tcp any host 10.10.254.254 eq 8443
02-17-2020 02:29 PM
Is that all the NAT rules, where is the NAT rule you defined for MyServer_8443? Re-add if necessary.
Your traffic is probably hitting Manual NAT (Section 1) rule #3 - "(inside) to (outside) source dynamic obj-10.10.254.0 interface". Meaning it would never match your NAT rule for MyServer_8443.
Remove that rule and re-add using "nat (INSIDE,OUTSIDE) after-auto source dynamic obj-10.10.254.0 interface". The after-auto keyword will add the nat rule to the bottom of the NAT list, therefore allowing your MyServer_8443 NAT rule to be matched. Run "show nat detail" again to confirm the NAT rule is now in Manual NAT Rules - Section 3.
HTH
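The section ordering described in the reply above, as an added illustration that is not part of the thread: a first-match model of the ASA NAT table (Section 1 manual NAT, Section 2 auto/object NAT, Section 3 manual NAT with after-auto) run against the two rules under discussion. The outside interface address 72.83.250.199 is taken from the thread's output; treating a dynamic PAT rule as matching an unsolicited inbound packet without being able to untranslate it is an assumption that mirrors the reply, not the ASA's full lookup logic.

```python
"""First-match model of the ASA NAT table order discussed in this thread:
Section 1 (manual NAT) -> Section 2 (auto / object NAT) -> Section 3
(manual NAT with after-auto). Added illustration, not ASA code: the
"dynamic PAT to interface claims an inbound packet" behaviour and the
outside interface address are assumptions that mirror the replies."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

INTERFACE_IP = "72.83.250.199"  # outside interface address, taken from the thread's output


@dataclass
class NatRule:
    name: str
    section: int                # 1 = manual, 2 = auto (object NAT), 3 = manual after-auto
    kind: str                   # "static" or "dynamic"
    real: str                   # real (inside) address or network
    port: Optional[int] = None  # service port for a static port translation


def build_table(rules: List[NatRule]) -> List[NatRule]:
    """ASA evaluation order: by section, then configuration order (stable sort)."""
    return sorted(rules, key=lambda r: r.section)


def untranslate(table: List[NatRule], dst_ip: str, dst_port: int) -> Tuple[Optional[str], Optional[str]]:
    """Reverse lookup for a new connection arriving on 'outside' for dst_ip:dst_port.
    Returns (rule matched, real address); the real address is None when the first
    matching rule is dynamic PAT, which has no xlate for an unsolicited inbound flow."""
    if dst_ip != INTERFACE_IP:
        return None, None               # every rule modelled here maps to the interface address
    for rule in table:
        if rule.kind == "dynamic":
            return rule.name, None      # modelled as: rule matches, untranslate fails
        if rule.port == dst_port:
            real = ipaddress.ip_network(rule.real, strict=False).network_address
            return rule.name, str(real)
    return None, None


SERVER = NatRule("HA_8443", 2, "static", "10.10.254.254/32", 8443)

# Before: dynamic PAT for the server's subnet sits in Section 1, ahead of the object NAT.
BEFORE = build_table([NatRule("obj-10.10.254.0", 1, "dynamic", "10.10.254.0/24"), SERVER])
# After: the same rule re-added with after-auto lands in Section 3, behind the object NAT.
AFTER = build_table([NatRule("obj-10.10.254.0", 3, "dynamic", "10.10.254.0/24"), SERVER])

if __name__ == "__main__":
    for label, table in (("before", BEFORE), ("after", AFTER)):
        print(label, untranslate(table, INTERFACE_IP, 8443))
```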
02-17-2020 03:46 PM
Made the suggested changes, still get discards.
sh run nat
nat (inside,outside) source dynamic obj-10.10.1.0 interface
nat (outside,inside) source dynamic INT_IP interface
!
object network HA_8443
nat (inside,outside) static interface service tcp 8443 8443
!
nat (inside,outside) after-auto source dynamic obj-10.10.254.0 interface
sh nat detail
Manual NAT Policies (Section 1)
1 (inside) to (outside) source dynamic obj-10.10.1.0 interface
translate_hits = 0, untranslate_hits = 0
Source - Origin: 10.10.1.0/24, Translated: 72.83.250.199/24
2 (outside) to (inside) source dynamic INT_IP interface
translate_hits = 28, untranslate_hits = 0
Source - Origin: 10.10.2.0/24, Translated: 10.10.254.1/24
Auto NAT Policies (Section 2)
1 (inside) to (outside) source static HA_8443 interface service tcp 8443 8443
translate_hits = 0, untranslate_hits = 0
Source - Origin: 10.10.254.254/32, Translated: 72.83.250.199/24
Service - Protocol: tcp Real: 8443 Mapped: 8443
Manual NAT Policies (Section 3)
1 (inside) to (outside) source dynamic obj-10.10.254.0 interface
translate_hits = 199, untranslate_hits = 0
Source - Origin: 10.10.254.0/24, Translated: 72.83.250.199/24
02-17-2020 05:55 PM
Took all the NATs out and added after-auto source to them while re-adding them back in, and that works.