02-17-2020 11:13 AM
hi,
I have an ASA with DHCP on the outside interface and I am trying to set up a NAT/PAT for traffic hitting the outside interface on port 8443 to an internal IP on the same port.
I am using object NAT per below, but logs show traffic getting discarded.
object network Myserver_8443
host 10.10.10.10
nat (inside,outside) static interface service tcp 8443 8443
access-list outside_acl line 1 extended permit tcp any object Myserver_8443 eq 8443
--- What I was hoping for: traffic destined to the outside interface on 8443 --> 10.10.10.10 8443
Thanks,
02-17-2020 01:13 PM
02-17-2020 01:58 PM
Hi,
Here it is. Thanks for your help. (The IP I am actually trying to reach is 10.10.254.254; I had put 10.10.10.10 in the post above just to keep things "simple".)
sh nat detail
Manual NAT Policies (Section 1)
1 (inside) to (outside) source dynamic obj-10.10.1.0 interface
translate_hits = 0, untranslate_hits = 0
Source - Origin: 10.10.1.0/24, Translated: 172.83.250.10/24
2 (outside) to (inside) source dynamic INT_IP interface
translate_hits = 7, untranslate_hits = 0
Source - Origin: 10.10.2.0/24, Translated: 10.10.254.1/24
3 (inside) to (outside) source dynamic obj-10.10.254.0 interface
translate_hits = 13572, untranslate_hits = 224
Source - Origin: 10.10.254.0/24, Translated: 172.83.250.10/24
packet-tracer input outside tcp 8.8.8.8 3000 172.83.250.10 8443 de
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0xacdec500, priority=1, domain=permit, deny=false
hits=828499, user_data=0x0, cs_id=0x0, l3_type=0x8
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0100.0000.0000
input_ifc=outside, output_ifc=any
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 172.83.250.10 255.255.255.255 identity
Phase: 3
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xa8675bc8, priority=1, domain=nat-per-session, deny=true
hits=13839, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0 dscp=0x0
input_ifc=any, output_ifc=any
Phase: 4
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0xacded0a0, priority=0, domain=permit, deny=true
hits=2968, user_data=0x9, cs_id=0x0, use_real_addr, flags=0x1000, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0 dscp=0x0
input_ifc=outside, output_ifc=any
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
ACL on the outside interface.
access-list outside_acl line 1 extended permit tcp any host 10.10.254.254 eq 8443
02-17-2020 02:29 PM
Is that all the NAT rules, where is the NAT rule you defined for MyServer_8443? Re-add if necessary.
Your traffic is probably hitting Manual NAT (Section 1) rule #3 - "(inside) to (outside) source dynamic obj-10.10.254.0 interface". Meaning it would never match your NAT rule for MyServer_8443.
Remove that rule and re-add using "nat (INSIDE,OUTSIDE) after-auto source dynamic obj-10.10.254.0 interface". The after-auto keyword will add the nat rule to the bottom of the NAT list, therefore allowing your MyServer_8443 NAT rule to be matched. Run "show nat detail" again to confirm the NAT rule is now in Manual NAT Rules - Section 3.
HTH
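The ordering problem described in the reply above (a Section 1 dynamic PAT to the interface address evaluated ahead of the Section 2 static port-forward, so the 8443 rule from the first post is never reached) can be checked from "show nat detail" text. This is an added example, not code from the thread or from Cisco; the sample output is constructed from the values in this thread, and the shadowing condition it applies is the one the reply states (first match wins, in section order).

```python
import ipaddress
import re
# Constructed samples modelled on the thread's "sh nat detail" output.
# BEFORE: dynamic PAT for 10.10.254.0/24 sits in Manual NAT Section 1, ahead of
# the Auto NAT (Section 2) port-forward; AFTER: re-added with "after-auto".
BEFORE = """Manual NAT Policies (Section 1)
1 (inside) to (outside) source dynamic obj-10.10.1.0 interface
    Source - Origin: 10.10.1.0/24, Translated: 72.83.250.199/24
2 (inside) to (outside) source dynamic obj-10.10.254.0 interface
    Source - Origin: 10.10.254.0/24, Translated: 72.83.250.199/24
Auto NAT Policies (Section 2)
1 (inside) to (outside) source static HA_8443 interface service tcp 8443 8443
    Source - Origin: 10.10.254.254/32, Translated: 72.83.250.199/24
"""
AFTER = """Auto NAT Policies (Section 2)
1 (inside) to (outside) source static HA_8443 interface service tcp 8443 8443
    Source - Origin: 10.10.254.254/32, Translated: 72.83.250.199/24
Manual NAT Policies (Section 3)
1 (inside) to (outside) source dynamic obj-10.10.254.0 interface
    Source - Origin: 10.10.254.0/24, Translated: 72.83.250.199/24
"""

SECTION_RE = re.compile(r"\((Section \d)\)")
RULE_RE = re.compile(r"^\d+ \((\S+)\) to \((\S+)\) source (dynamic|static) ")
ORIGIN_RE = re.compile(r"Source - Origin: (\S+), Translated: (\S+)")

def parse_nat_detail(text):
    """Return rules in the order the ASA evaluates them (Section 1, 2, 3)."""
    rules, section = [], None
    for line in text.splitlines():
        if m := SECTION_RE.search(line):
            section = m.group(1)
        elif m := RULE_RE.match(line.strip()):
            rules.append({"section": section, "in": m.group(1), "out": m.group(2),
                          "kind": m.group(3), "line": line.strip()})
        elif (m := ORIGIN_RE.search(line)) and rules:
            rules[-1]["real"] = ipaddress.ip_network(m.group(1), strict=False)
            rules[-1]["mapped"] = ipaddress.ip_address(m.group(2).split("/")[0])
    return rules

def shadowed_static_rules(rules):
    """Static rules evaluated after a dynamic rule on the same interface pair
    whose mapped address matches and whose real network contains the host."""
    hits = []
    for i, r in enumerate(rules):
        if r["kind"] != "static":
            continue
        for e in rules[:i]:
            if (e["kind"] == "dynamic" and (e["in"], e["out"]) == (r["in"], r["out"])
                    and e["mapped"] == r["mapped"] and r["real"].network_address in e["real"]):
                hits.append((r["line"], e["section"], e["line"]))
    return hits
```

Running shadowed_static_rules over BEFORE reports the obj-10.10.254.0 rule in Section 1 as shadowing the HA_8443 port-forward; over AFTER it reports nothing.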
02-17-2020 03:46 PM
Made the suggested changes, still get discards.
sh run nat
nat (inside,outside) source dynamic obj-10.10.1.0 interface
nat (outside,inside) source dynamic INT_IP interface
!
object network HA_8443
nat (inside,outside) static interface service tcp 8443 8443
!
nat (inside,outside) after-auto source dynamic obj-10.10.254.0 interface
sh nat detail
Manual NAT Policies (Section 1)
1 (inside) to (outside) source dynamic obj-10.10.1.0 interface
translate_hits = 0, untranslate_hits = 0
Source - Origin: 10.10.1.0/24, Translated: 72.83.250.199/24
2 (outside) to (inside) source dynamic INT_IP interface
translate_hits = 28, untranslate_hits = 0
Source - Origin: 10.10.2.0/24, Translated: 10.10.254.1/24
Auto NAT Policies (Section 2)
1 (inside) to (outside) source static HA_8443 interface service tcp 8443 8443
translate_hits = 0, untranslate_hits = 0
Source - Origin: 10.10.254.254/32, Translated: 72.83.250.199/24
Service - Protocol: tcp Real: 8443 Mapped: 8443
Manual NAT Policies (Section 3)
1 (inside) to (outside) source dynamic obj-10.10.254.0 interface
translate_hits = 199, untranslate_hits = 0
Source - Origin: 10.10.254.0/24, Translated: 72.83.250.199/24
02-17-2020 05:55 PM
Took all the NATs out and added "after-auto source" to them while re-adding them back in, and that works.