NAT - ASA v9 - outside interface DHCP

greencg
Level 1

Hi,

I have an ASA with DHCP on the outside interface and I am trying to set up a NAT/PAT for traffic hitting the outside interface on port 8443 to an internal IP on the same port.

I am using object NAT per below, but logs show traffic getting discarded.

object network Myserver_8443
 host 10.10.10.10
 nat (inside,outside) static interface service tcp 8443 8443

access-list outside_acl line 1 extended permit tcp any object Myserver_8443 eq 8443

--- What I was hoping for: traffic destined to the outside interface on 8443 --> 10.10.10.10 8443

 

Thanks,

 

 

5 Replies

Hi,
Please provide the output of "show nat detail" and also run packet-tracer from the CLI and provide the output, e.g. "packet-tracer input outside tcp 8.8.8.8 3000 <your outside ip> 8443".

Hi,

Here it is. Thanks for your help. (The IP I am actually trying to reach is 10.10.254.254; I had put 10.10.10.10 in the post above just to keep things "simple".)

sh nat detail
Manual NAT Policies (Section 1)
1 (inside) to (outside) source dynamic obj-10.10.1.0 interface
translate_hits = 0, untranslate_hits = 0
Source - Origin: 10.10.1.0/24, Translated: 172.83.250.10/24
2 (outside) to (inside) source dynamic INT_IP interface
translate_hits = 7, untranslate_hits = 0
Source - Origin: 10.10.2.0/24, Translated: 10.10.254.1/24
3 (inside) to (outside) source dynamic obj-10.10.254.0 interface
translate_hits = 13572, untranslate_hits = 224
Source - Origin: 10.10.254.0/24, Translated: 172.83.250.10/24

 

 

packet-tracer input outside tcp 8.8.8.8 3000 172.83.250.10 8443 de

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0xacdec500, priority=1, domain=permit, deny=false
hits=828499, user_data=0x0, cs_id=0x0, l3_type=0x8
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0100.0000.0000
input_ifc=outside, output_ifc=any

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 172.83.250.10 255.255.255.255 identity

Phase: 3
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xa8675bc8, priority=1, domain=nat-per-session, deny=true
hits=13839, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0 dscp=0x0
input_ifc=any, output_ifc=any

Phase: 4
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0xacded0a0, priority=0, domain=permit, deny=true
hits=2968, user_data=0x9, cs_id=0x0, use_real_addr, flags=0x1000, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0 dscp=0x0
input_ifc=outside, output_ifc=any

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

 

 

ACL on the outside interface. 

access-list outside_acl line 1 extended permit tcp any host 10.10.254.254 eq 8443

Are those all the NAT rules? Where is the NAT rule you defined for MyServer_8443? Re-add it if necessary.

 

Your traffic is probably hitting Manual NAT (Section 1) rule #3 - "(inside) to (outside) source dynamic obj-10.10.254.0 interface". Meaning it would never match your NAT rule for MyServer_8443.

 

Remove that rule and re-add using "nat (INSIDE,OUTSIDE) after-auto source dynamic obj-10.10.254.0 interface". The after-auto keyword will add the nat rule to the bottom of the NAT list, therefore allowing your MyServer_8443 NAT rule to be matched. Run "show nat detail" again to confirm the NAT rule is now in Manual NAT Rules - Section 3.

 

HTH
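The ordering problem described in this reply (a broad dynamic rule in Section 1 matched before the host's static rule in Section 2) can be checked mechanically. The script below is an added example, not part of the thread: it parses "show nat detail" text into lookup order and flags any static rule whose real address is already covered by an earlier dynamic rule on the same interface pair, so the static rule is never reached. The sample text is constructed from the thread's first output; the function names are my own.

```python
import ipaddress
import re
# Constructed sample shaped like the thread's first "sh nat detail" (before after-auto).
SHOW_NAT_BEFORE = """Manual NAT Policies (Section 1)
1 (inside) to (outside) source dynamic obj-10.10.1.0 interface
    Source - Origin: 10.10.1.0/24, Translated: 172.83.250.10/24
2 (outside) to (inside) source dynamic INT_IP interface
    Source - Origin: 10.10.2.0/24, Translated: 10.10.254.1/24
3 (inside) to (outside) source dynamic obj-10.10.254.0 interface
    Source - Origin: 10.10.254.0/24, Translated: 172.83.250.10/24
Auto NAT Policies (Section 2)
1 (inside) to (outside) source static HA_8443 interface   service tcp 8443 8443
    Source - Origin: 10.10.254.254/32, Translated: 172.83.250.10/24
"""

SECTION_RE = re.compile(r"\(Section (\d)\)")
RULE_RE = re.compile(r"^(\d+) \((\S+)\) to \((\S+)\) source (static|dynamic) (\S+)")
ORIGIN_RE = re.compile(r"Origin: (\S+),")

def parse_show_nat_detail(text):
    """Return the rules in ASA lookup order (Section 1, then 2, then 3)."""
    rules, section = [], None
    for line in text.splitlines():
        m = SECTION_RE.search(line)
        if m:
            section = int(m.group(1))
            continue
        m = RULE_RE.match(line.strip())
        if m:
            rules.append({"section": section, "index": int(m.group(1)),
                          "ifcs": (m.group(2), m.group(3)), "kind": m.group(4),
                          "obj": m.group(5), "real": None})
            continue
        m = ORIGIN_RE.search(line)
        if m and rules:  # real (pre-NAT) network the last parsed rule applies to
            rules[-1]["real"] = ipaddress.ip_network(m.group(1), strict=False)
    return rules

def shadowed_static_rules(rules):
    """Static rules already covered by an earlier dynamic rule on the same interface pair."""
    found = []
    for i, static in enumerate(rules):
        if static["kind"] != "static":
            continue
        for earlier in rules[:i]:
            if (earlier["kind"] == "dynamic" and earlier["ifcs"] == static["ifcs"]
                    and static["real"].subnet_of(earlier["real"])):
                found.append((static["obj"], earlier["section"], earlier["index"]))
                break
    return found
```

On the sample it reports HA_8443 as shadowed by Section 1 rule 3; once that rule is re-added with after-auto (Section 3), the report is empty.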

Made the suggested changes, still get discards.

 

sh run nat
nat (inside,outside) source dynamic obj-10.10.1.0 interface
nat (outside,inside) source dynamic INT_IP interface
!
object network HA_8443
 nat (inside,outside) static interface service tcp 8443 8443
!
nat (inside,outside) after-auto source dynamic obj-10.10.254.0 interface

sh nat detail
Manual NAT Policies (Section 1)
1 (inside) to (outside) source dynamic obj-10.10.1.0 interface
    translate_hits = 0, untranslate_hits = 0
    Source - Origin: 10.10.1.0/24, Translated: 72.83.250.199/24
2 (outside) to (inside) source dynamic INT_IP interface
    translate_hits = 28, untranslate_hits = 0
    Source - Origin: 10.10.2.0/24, Translated: 10.10.254.1/24

Auto NAT Policies (Section 2)
1 (inside) to (outside) source static HA_8443 interface   service tcp 8443 8443
    translate_hits = 0, untranslate_hits = 0
    Source - Origin: 10.10.254.254/32, Translated: 72.83.250.199/24
    Service - Protocol: tcp Real: 8443 Mapped: 8443

Manual NAT Policies (Section 3)
1 (inside) to (outside) source dynamic obj-10.10.254.0 interface
    translate_hits = 199, untranslate_hits = 0
    Source - Origin: 10.10.254.0/24, Translated: 72.83.250.199/24

Took all the NATs out and added after-auto to them while re-adding them back in, and that works.
