1957 Views, 0 Helpful, 14 Replies

nat error

cisco_sigfa
Level 1

I have configured access from a VPN zone to a server on dmz6, but it is not working.

access-list vpn-inside-inbound extended permit tcp 10.32.67.0 255.255.255.0 host 10.1.76.40

static (dmz6-tmp,vpn-inside) 10.1.76.40 10.1.74.127 netmask 255.255.255.255 dns tcp 300 100

When I run packet-tracer, this is what I get.

PERIMETRAL# packet-tracer input vpn-inside tcp 10.32.67.31 1026 10.1.76.40 205$

Phase: 1

Type: CAPTURE

Subtype:

Result: ALLOW

Config:

Additional Information:

Forward Flow based lookup yields rule:

in  id=0x7ab427a8, priority=12, domain=capture, deny=false

        hits=14225563, user_data=0x7b477a28, cs_id=0x0, l3_type=0x0

        src mac=0000.0000.0000, mask=0000.0000.0000

        dst mac=0000.0000.0000, mask=0000.0000.0000

Phase: 2

Type: ACCESS-LIST

Subtype:

Result: ALLOW

Config:

Implicit Rule

Additional Information:

Forward Flow based lookup yields rule:

in  id=0x75bba118, priority=1, domain=permit, deny=false

        hits=80685264, user_data=0x0, cs_id=0x0, l3_type=0x8

        src mac=0000.0000.0000, mask=0000.0000.0000

        dst mac=0000.0000.0000, mask=0000.0000.0000

Phase: 3

Type: FLOW-LOOKUP

Subtype:

Result: ALLOW

Config:

Additional Information:

Found no matching flow, creating a new flow

Phase: 4

Type: UN-NAT

Subtype: static

Result: ALLOW

Config:

static (dmz6-tmp,vpn-inside) 10.1.76.40 10.1.74.127 netmask 255.255.255.255 dns tcp 300 100

nat-control

  match ip dmz6-tmp host 10.1.74.127 vpn-inside any

    static translation to 10.1.76.40

    translate_hits = 0, untranslate_hits = 6265

Additional Information:

NAT divert to egress interface dmz6-tmp

Untranslate 10.1.76.40/0 to 10.1.74.127/0 using netmask 255.255.255.255

Phase: 5

Type: ROUTE-LOOKUP

Subtype: input

Result: ALLOW

Config:

Additional Information:

in   10.32.67.0      255.255.255.0   vpn-inside

Phase: 6

Type: ACCESS-LIST

Subtype: log

Result: ALLOW

Config:

access-group vpn-inside-inbound in interface vpn-inside

access-list vpn-inside-inbound extended permit tcp 10.32.67.0 255.255.255.0 host 10.1.76.40

Additional Information:

Forward Flow based lookup yields rule:

in  id=0x7c37d2e0, priority=12, domain=permit, deny=false

        hits=51, user_data=0x771701c0, cs_id=0x0, flags=0x0, protocol=6

        src ip=10.32.67.0, mask=255.255.255.0, port=0

        dst ip=10.1.76.40, mask=255.255.255.255, port=0, dscp=0x0

Phase: 7

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Forward Flow based lookup yields rule:

in  id=0x75bbcd90, priority=0, domain=permit-ip-option, deny=true

        hits=8704521, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0

        src ip=0.0.0.0, mask=0.0.0.0, port=0

        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 8

Type: INSPECT

Subtype: inspect-ftp

Result: ALLOW

Config:

class-map class_ftp

match port tcp eq 20573

policy-map global_policy

class class_ftp

  inspect ftp

service-policy global_policy global

Additional Information:

Forward Flow based lookup yields rule:

in  id=0x77ddbe48, priority=70, domain=inspect-ftp, deny=false

        hits=1464, user_data=0x77ddb7e8, cs_id=0x0, use_real_addr, flags=0x0, protocol=6

        src ip=0.0.0.0, mask=0.0.0.0, port=0

        dst ip=0.0.0.0, mask=0.0.0.0, port=20573, dscp=0x0

Phase: 9

Type: NAT-EXEMPT

Subtype: rpf-check

Result: DROP

Config:

Additional Information:

Forward Flow based lookup yields rule:

in  id=0x762c1a08, priority=6, domain=nat-exempt-reverse, deny=false

        hits=626, user_data=0x762c1798, cs_id=0x0, use_real_addr, flags=0x0, protocol=0

        src ip=10.0.0.0, mask=255.0.0.0, port=0

        dst ip=10.1.74.0, mask=255.255.255.0, port=0, dscp=0x0

Result:

input-interface: vpn-inside

input-status: up

input-line-status: up

output-interface: vpn-inside

output-status: up

output-line-status: up

Action: drop

Drop-reason: (acl-drop) Flow is denied by configured rule
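A trace like the one above is long, and the only phase that matters is the first one whose Result is DROP, together with the classifier rule it reports under "Additional Information". The Python below is an added example, not code from this thread or from Cisco: it parses raw packet-tracer output into phases plus the trailing result block and names the dropping phase and its rule. SAMPLE is a constructed excerpt in the same format as the trace above (the other ALLOW phases left out); the class and function names are my own.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

PHASE_RE = re.compile(r"^Phase:\s*(\d+)$")

@dataclass
class Phase:
    number: int
    type: str = ""
    subtype: str = ""
    result: str = ""
    config: List[str] = field(default_factory=list)  # lines under "Config:"
    info: List[str] = field(default_factory=list)    # lines under "Additional Information:"

@dataclass
class Trace:
    phases: List[Phase] = field(default_factory=list)
    action: Optional[str] = None       # trailing "Action: allow|drop"
    drop_reason: Optional[str] = None  # trailing "Drop-reason: ..." when dropped

def _value(line: str) -> str:
    return line.split(":", 1)[1].strip()

def parse_packet_tracer(text: str) -> Trace:
    """Split raw packet-tracer output into its phases and the trailing result block."""
    trace, current, section = Trace(), None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = PHASE_RE.match(line)
        if m:
            current = Phase(number=int(m.group(1)))
            trace.phases.append(current)
            section = None
        elif line == "Result:":          # a bare "Result:" opens the summary block
            current = None
        elif current is None:            # prompt line or summary block
            if line.startswith("Action:"):
                trace.action = _value(line)
            elif line.startswith("Drop-reason:"):
                trace.drop_reason = _value(line)
        elif line.startswith("Type:"):
            current.type = _value(line)
        elif line.startswith("Subtype:"):
            current.subtype = _value(line)
        elif line.startswith("Result:"):
            current.result = _value(line)
        elif line == "Config:":
            section = "config"
        elif line == "Additional Information:":
            section = "info"
        elif section == "config":
            current.config.append(line)
        elif section == "info":
            current.info.append(line)
    return trace

def first_drop(trace: Trace) -> Optional[Phase]:
    """The phase that dropped the packet, or None when every phase allowed it."""
    return next((p for p in trace.phases if p.result == "DROP"), None)

def matched_rule(phase: Phase) -> Optional[str]:
    """The classifier rule ('in  id=..., domain=...') the phase reports, if any."""
    return next((l for l in phase.info if l.startswith(("in ", "out "))), None)

def summarize(trace: Trace) -> str:
    """One line naming the dropping phase and the rule behind it."""
    drop = first_drop(trace)
    if drop is None:
        return f"action={trace.action}: all {len(trace.phases)} phases allowed"
    return (f"action={trace.action}: dropped in phase {drop.number} {drop.type}/{drop.subtype}; "
            f"reason={trace.drop_reason}; rule={matched_rule(drop) or '(none reported)'}")

# Constructed excerpt in the format of the trace above (the other ALLOW phases omitted).
SAMPLE = """\
Phase: 4
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
static (dmz6-tmp,vpn-inside) 10.1.76.40 10.1.74.127 netmask 255.255.255.255 dns tcp 300 100
Additional Information:
Untranslate 10.1.76.40/0 to 10.1.74.127/0 using netmask 255.255.255.255

Phase: 9
Type: NAT-EXEMPT
Subtype: rpf-check
Result: DROP
Config:
Additional Information:
Forward Flow based lookup yields rule:
in  id=0x762c1a08, priority=6, domain=nat-exempt-reverse, deny=false
        src ip=10.0.0.0, mask=255.0.0.0, port=0
        dst ip=10.1.74.0, mask=255.255.255.0, port=0, dscp=0x0

Result:
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""
```

Running summarize(parse_packet_tracer(SAMPLE)) gives one line pointing at phase 9 NAT-EXEMPT/rpf-check and the nat-exempt-reverse rule, which is the entry to look for in the exemption access-list before anything else in the trace.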


14 Replies

Julio Carvajal
VIP Alumni

Hello Edmundo,

Looks like the packet on the way back is not getting NATed as it should.

Please share the following:

show nameif

show run nat

show run global

show run static

Regards,

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

PERIMETRAL# show nameif

Interface                Name                     Security

GigabitEthernet0/0.10    outside                    0

GigabitEthernet0/0.73    vpn-inside                35

GigabitEthernet0/0.75    siscae                    10

GigabitEthernet0/0.80    dmz2                      80

GigabitEthernet0/0.101   dmz6-tmp                  39

GigabitEthernet0/0.103   dmz3                      70

GigabitEthernet0/0.105   dmz5                      30

GigabitEthernet0/0.110   outside-s                  5

GigabitEthernet0/1.118   dmz4                      60

GigabitEthernet0/2.100   inside                   100

Management0/0            management               100

PERIMETRAL# show run nat

nat (vpn-inside) 0 access-list vpn-inside-nat

nat (siscae) 0 access-list siscae-nat

nat (dmz2) 0 access-list mars

nat (dmz2) 1 10.1.66.33 255.255.255.255

nat (dmz2) 67 10.1.66.66 255.255.255.255

nat (dmz2) 68 10.1.66.67 255.255.255.255

nat (dmz2) 66 10.1.66.253 255.255.255.255

nat (dmz6-tmp) 0 access-list dmz6-tmp-nat

nat (dmz3) 0 access-list dmz3-nat

nat (dmz5) 0 access-list dmz5-nat

nat (outside-s) 0 access-list outside-s-nat

nat (dmz4) 0 access-list dmz4-nat

nat (dmz4) 20 access-list acceso-ministro

nat (dmz4) 21 access-list acceso-prueba

nat (inside) 0 access-list inside-nat

show run global

global (outside) 1 10.255.255.100

global (outside) 1 10.255.255.103

global (outside) 66 10.1.66.253 netmask 255.255.255.255

global (outside) 67 10.1.66.66 netmask 255.255.255.255

global (outside) 68 10.1.66.67 netmask 255.255.255.255

global (dmz5) 20 10.16.152.220

global (dmz5) 21 10.16.152.221

global (dmz5) 66 10.1.66.253 netmask 255.255.255.255

global (dmz4) 66 10.1.66.253 netmask 255.255.255.255

global (dmz4) 67 10.1.66.66 netmask 255.255.255.255

global (dmz4) 68 10.1.66.67 netmask 255.255.255.255

show run nat

static (vpn-inside,dmz6-tmp) SVDGTEC31 10.1.70.30 netmask 255.255.255.255 dns tcp 300 100

static (dmz6-tmp,vpn-inside) tcp 10.1.70.50 www 10.1.74.50 www netmask 255.255.255.255  dns tcp 300 100

static (dmz6-tmp,vpn-inside) 10.1.74.70 10.1.74.70 netmask 255.255.255.255 dns

static (dmz6-tmp,vpn-inside) 10.1.76.40 10.1.74.127 netmask 255.255.255.255 dns tcp 300 100

static (dmz6-tmp,vpn-inside) 10.1.70.30 SVDGTEC31 netmask 255.255.255.255 dns tcp 300 100

Please provide

show run access-list vpn-inside-nat

show run access-list dmz6-tmp-nat

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

cisco_sigfa
Level 1

These are the access-lists:

vpn-inside-nat

access-list vpn-inside-nat extended permit ip 10.255.10.0 255.255.255.0 host 10.1.74.127

access-list vpn-inside-nat extended permit ip 192.168.70.0 255.255.255.0 host SISCAE

access-list vpn-inside-nat extended permit ip 192.168.99.0 255.255.255.0 10.1.96.0 255.255.255.0

access-list vpn-inside-nat extended permit ip 192.168.99.0 255.255.255.0 10.1.0.0 255.255.0.0

access-list vpn-inside-nat extended permit ip 192.168.30.0 255.255.255.0 10.1.0.0 255.255.0.0

access-list vpn-inside-nat extended permit ip 192.168.60.0 255.255.255.0 10.1.0.0 255.255.0.0

access-list vpn-inside-nat extended permit ip 192.168.21.0 255.255.255.0 any

access-list vpn-inside-nat extended permit ip 192.168.10.0 255.255.255.0 host 10.1.70.30

access-list vpn-inside-nat extended permit ip 172.16.100.0 255.255.255.0 10.1.74.0 255.255.255.0

access-list vpn-inside-nat extended permit ip 192.168.10.0 255.255.255.0 host 10.1.74.40

access-list vpn-inside-nat extended permit ip 10.1.73.0 255.255.255.0 10.1.0.0 255.255.0.0

access-list vpn-inside-nat extended permit ip 10.1.73.0 255.255.255.0 any

access-list vpn-inside-nat extended permit ip host 192.168.108.32 10.0.0.0 255.0.0.0

access-list vpn-inside-nat extended permit ip host 192.168.108.32 10.1.0.0 255.255.0.0

access-list vpn-inside-nat extended permit ip 192.168.78.0 255.255.255.0 host 10.1.70.41

access-list vpn-inside-nat extended permit ip 192.168.78.0 255.255.255.0 host SVDGTEC31

access-list vpn-inside-nat extended permit ip 10.255.10.0 255.255.255.0 host 10.1.76.40

access-list vpn-inside-nat extended permit ip 10.255.10.0 255.255.255.0 host 10.1.75.40

access-list vpn-inside-nat extended permit ip 192.168.70.0 255.255.255.0 host 10.1.121.10

access-list vpn-inside-nat extended permit ip 192.168.99.0 255.255.255.0 10.1.128.0 255.255.255.0

access-list vpn-inside-nat extended permit ip 192.168.70.0 255.255.255.0 host 10.1.75.55

access-list vpn-inside-nat extended permit ip 192.168.70.0 255.255.255.0 host 10.1.75.51

access-list vpn-inside-nat extended permit ip 192.168.70.0 255.255.255.0 host 10.1.75.52

access-list vpn-inside-nat extended permit ip 192.168.70.0 255.255.255.0 host 10.1.75.53

access-list vpn-inside-nat extended permit ip 192.168.70.0 255.255.255.0 host 10.1.75.56

access-list vpn-inside-nat extended permit ip 192.168.70.0 255.255.255.0 host 10.1.75.54

dmz6-tmp-nat

access-list dmz6-tmp-nat extended permit ip host 10.1.74.70 192.168.74.0 255.255.255.0

access-list dmz6-tmp-nat extended permit ip host 10.1.74.70 10.1.115.0 255.255.255.0

access-list dmz6-tmp-nat extended permit ip 10.1.74.0 255.255.255.0 10.1.116.0 255.255.255.0

access-list dmz6-tmp-nat extended deny ip host 10.1.74.70 10.0.0.0 255.0.0.0

access-list dmz6-tmp-nat extended deny ip 10.1.74.0 255.255.255.0 host 10.1.73.32

access-list dmz6-tmp-nat extended deny ip 10.1.74.0 255.255.255.0 host 10.1.73.33

access-list dmz6-tmp-nat extended deny ip 10.1.74.0 255.255.255.0 192.168.0.0 255.255.0.0

access-list dmz6-tmp-nat extended deny ip 10.1.74.0 255.255.255.0 10.255.10.0 255.255.255.0

access-list dmz6-tmp-nat extended permit ip 10.1.74.0 255.255.255.0 10.0.0.0 255.0.0.0

Regards

Edmundo

Hello Edmundo,

Please add the following

access-list vpn-inside-nat extended permit ip 10.32.67.0 255.255.255.0 host 10.1.76.40

Then run the packet-tracer again:

packet-tracer input vpn-inside tcp 10.32.67.20 1025 10.1.76.40 80

Regards,

Any other question? Just remember to rate all the helpful posts.

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hello, jcarvaj!

I have already tried it, but the problem still continues.

PERIMETRAL# show run access-list vpn-inside-nat

access-list vpn-inside-nat extended permit ip 10.255.10.0 255.255.255.0 host 10.1.74.127

access-list vpn-inside-nat extended permit ip 192.168.70.0 255.255.255.0 host SISCAE

access-list vpn-inside-nat extended permit ip 192.168.99.0 255.255.255.0 10.1.96.0 255.255.255.0

access-list vpn-inside-nat extended permit ip 192.168.99.0 255.255.255.0 10.1.0.0 255.255.0.0

access-list vpn-inside-nat extended permit ip 192.168.30.0 255.255.255.0 10.1.0.0 255.255.0.0

access-list vpn-inside-nat extended permit ip 192.168.60.0 255.255.255.0 10.1.0.0 255.255.0.0

access-list vpn-inside-nat extended permit ip 192.168.21.0 255.255.255.0 any

access-list vpn-inside-nat extended permit ip 192.168.10.0 255.255.255.0 host 10.1.70.30

access-list vpn-inside-nat extended permit ip 172.16.100.0 255.255.255.0 10.1.74.0 255.255.255.0

access-list vpn-inside-nat extended permit ip 192.168.10.0 255.255.255.0 host 10.1.74.40

access-list vpn-inside-nat extended permit ip 10.1.73.0 255.255.255.0 10.1.0.0 255.255.0.0

access-list vpn-inside-nat extended permit ip 10.1.73.0 255.255.255.0 any

access-list vpn-inside-nat extended permit ip host 192.168.108.32 10.0.0.0 255.0.0.0

access-list vpn-inside-nat extended permit ip host 192.168.108.32 10.1.0.0 255.255.0.0

access-list vpn-inside-nat extended permit ip 192.168.78.0 255.255.255.0 host 10.1.70.41

access-list vpn-inside-nat extended permit ip 192.168.78.0 255.255.255.0 host SVDGTEC31

access-list vpn-inside-nat extended permit ip 10.32.67.0 255.255.255.0 host 10.1.76.40

access-list vpn-inside-nat extended permit ip 10.255.10.0 255.255.255.0 host 10.1.76.40

access-list vpn-inside-nat extended permit ip 10.255.10.0 255.255.255.0 host 10.1.75.40

access-list vpn-inside-nat extended permit ip 192.168.70.0 255.255.255.0 host 10.1.121.10

access-list vpn-inside-nat extended permit ip 192.168.99.0 255.255.255.0 10.1.128.0 255.255.255.0

access-list vpn-inside-nat extended permit ip 192.168.70.0 255.255.255.0 host 10.1.75.55

access-list vpn-inside-nat extended permit ip 192.168.70.0 255.255.255.0 host 10.1.75.51

access-list vpn-inside-nat extended permit ip 192.168.70.0 255.255.255.0 host 10.1.75.52

access-list vpn-inside-nat extended permit ip 192.168.70.0 255.255.255.0 host 10.1.75.53

access-list vpn-inside-nat extended permit ip 192.168.70.0 255.255.255.0 host 10.1.75.56

access-list vpn-inside-nat extended permit ip 192.168.70.0 255.255.255.0 host 10.1.75.54

PERIMETRAL# packet-tracer input vpn-inside tcp 10.32.67.10 1026 10.1.76.40 20573

Phase: 1

Type: CAPTURE

Subtype:

Result: ALLOW

Config:

Additional Information:

MAC Access list

Phase: 2

Type: ACCESS-LIST

Subtype:

Result: ALLOW

Config:

Implicit Rule

Additional Information:

MAC Access list

Phase: 3

Type: FLOW-LOOKUP

Subtype:

Result: ALLOW

Config:

Additional Information:

Found no matching flow, creating a new flow

Phase: 4

Type: UN-NAT

Subtype: static

Result: ALLOW

Config:

static (dmz6-tmp,vpn-inside) 10.1.76.40 10.1.74.127 netmask 255.255.255.255 dns tcp 300 100

nat-control

  match ip dmz6-tmp host 10.1.74.127 vpn-inside any

    static translation to 10.1.76.40

    translate_hits = 0, untranslate_hits = 6290

Additional Information:

NAT divert to egress interface dmz6-tmp

Untranslate 10.1.76.40/0 to 10.1.74.127/0 using netmask 255.255.255.255

Phase: 5

Type: ROUTE-LOOKUP

Subtype: input

Result: ALLOW

Config:

Additional Information:

in   10.32.67.0      255.255.255.0   vpn-inside

Phase: 6

Type: ACCESS-LIST

Subtype: log

Result: ALLOW

Config:

access-group vpn-inside-inbound in interface vpn-inside

access-list vpn-inside-inbound extended permit tcp 10.32.67.0 255.255.255.0 host 10.1.76.40

Additional Information:

Phase: 7

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 8

Type: INSPECT

Subtype: inspect-ftp

Result: ALLOW

Config:

class-map class_ftp

match port tcp eq 20573

policy-map global_policy

class class_ftp

  inspect ftp

service-policy global_policy global

Additional Information:

Phase: 9

Type: NAT-EXEMPT

Subtype: rpf-check

Result: DROP

Config:

Additional Information:

Result:

input-interface: vpn-inside

input-status: up

input-line-status: up

output-interface: vpn-inside

output-status: up

output-line-status: up

Action: drop

Drop-reason: (acl-drop) Flow is denied by configured rule

Regards

Hello Edmundo,

If possible share the entire configuration!

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

cisco_sigfa
Level 1

Hello!

It is too big to paste here! Is there a way to send it to you and no one else?

Regards

Hello Edmundo,

I understand, but we really need to check that.

You could send it to me via email.

Regards,

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Yes, I could! Give it to me.

Regards

jcarvaja@cisco.com

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

cisco_sigfa
Level 1

Hello!

It is done! Tell me your considerations.

Regards

Hello Edmundo,

Okay, based on the configuration, here are my recommendations:

1) The 10.1.76. subnet does not exist on your network (I mean no interface is attached to it and you do not have a route to it), which means you will need to proxy ARP that IP.

Do the following changes and run the packet tracer.

access-list dmz6-tmp-nat line 1 deny ip host 10.1.74.127 any

access-list vpn-inside-nat line 1 extended permit ip any host 10.1.76.40

Regards,

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
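The first of these two lines is what the earlier trace was pointing at. With the pre-8.3 "nat (ifc) 0 access-list" form, the exemption list is evaluated top-down, first match wins, and the last entry of dmz6-tmp-nat, permit ip 10.1.74.0 255.255.255.0 10.0.0.0 255.0.0.0, covered the server's reply to the VPN client (that is the nat-exempt-reverse rule with src 10.0.0.0/8 and dst 10.1.74.0/24 in phase 9 of the first trace). NAT exemption outranks a static translation, so the static's rpf-check failed. Inserting a deny for host 10.1.74.127 at line 1 takes the server out of the exemption before the broad permit is reached, which is the deny=true rule for dst 10.1.74.127 seen in the later, working trace. The Python below is an added example, not part of this thread or of any Cisco tool: it models first-match evaluation of the dmz6-tmp-nat list exactly as posted above, applies the line 1 deny the way the CLI would, and shows the reply flow no longer being exempt. The entry parser, the constructed reply flow and the function names are my own assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class Ace:
    action: str                  # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    text: str                    # original entry, kept for reporting

def _operand(tokens: List[str], i: int):
    """Consume one address operand at tokens[i]: 'any' | 'host A' | 'A MASK'."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tok}/{tokens[i + 1]}", strict=False), i + 2

def parse_ace(entry: str) -> Ace:
    """Parse a pre-8.3 'access-list NAME [line N] [extended] permit|deny ip SRC DST' entry."""
    tokens = entry.split()
    i = next((k for k, t in enumerate(tokens) if t in ("permit", "deny")), None)
    if i is None or tokens[i + 1] != "ip":
        raise ValueError(f"unsupported entry: {entry}")
    src, j = _operand(tokens, i + 2)
    dst, _ = _operand(tokens, j)
    return Ace(tokens[i], src, dst, entry)

def apply_line_command(acl: List[Ace], command: str) -> List[Ace]:
    """Model the CLI: 'line N' inserts at position N (1-based); without it the entry is appended."""
    tokens = command.split()
    position = int(tokens[tokens.index("line") + 1]) if "line" in tokens else len(acl) + 1
    new = list(acl)
    new.insert(position - 1, parse_ace(command))
    return new

def first_match(acl: List[Ace], src: str, dst: str) -> Optional[Ace]:
    """Access lists are evaluated top-down; the first entry covering both addresses wins."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return next((a for a in acl if s in a.src and d in a.dst), None)

def nat_exempt(acl: List[Ace], src: str, dst: str) -> bool:
    """'nat (ifc) 0 access-list X' semantics: exempt only if the first matching entry permits."""
    ace = first_match(acl, src, dst)
    return ace is not None and ace.action == "permit"

def static_conflicts(acl: List[Ace], real_ip: str, src: str, dst: str) -> bool:
    """True when the server->client reply of a static translation is NAT-exempt instead.
    Exemption outranks static NAT, so the static's rpf-check fails and the flow is dropped."""
    return src == real_ip and nat_exempt(acl, src, dst)

# The dmz6-tmp-nat exemption list exactly as posted earlier in the thread.
DMZ6_TMP_NAT = [parse_ace(e) for e in """
access-list dmz6-tmp-nat extended permit ip host 10.1.74.70 192.168.74.0 255.255.255.0
access-list dmz6-tmp-nat extended permit ip host 10.1.74.70 10.1.115.0 255.255.255.0
access-list dmz6-tmp-nat extended permit ip 10.1.74.0 255.255.255.0 10.1.116.0 255.255.255.0
access-list dmz6-tmp-nat extended deny ip host 10.1.74.70 10.0.0.0 255.0.0.0
access-list dmz6-tmp-nat extended deny ip 10.1.74.0 255.255.255.0 host 10.1.73.32
access-list dmz6-tmp-nat extended deny ip 10.1.74.0 255.255.255.0 host 10.1.73.33
access-list dmz6-tmp-nat extended deny ip 10.1.74.0 255.255.255.0 192.168.0.0 255.255.0.0
access-list dmz6-tmp-nat extended deny ip 10.1.74.0 255.255.255.0 10.255.10.0 255.255.255.0
access-list dmz6-tmp-nat extended permit ip 10.1.74.0 255.255.255.0 10.0.0.0 255.0.0.0
""".splitlines() if e.strip()]

# Constructed reply flow: the server's real address answering the VPN client from the trace.
SERVER, CLIENT = "10.1.74.127", "10.32.67.31"
# The recommended change, applied the way the CLI applies a 'line 1' entry.
FIXED = apply_line_command(DMZ6_TMP_NAT, "access-list dmz6-tmp-nat line 1 deny ip host 10.1.74.127 any")

if __name__ == "__main__":
    for label, acl in (("before", DMZ6_TMP_NAT), ("after", FIXED)):
        hit = first_match(acl, SERVER, CLIENT)
        print(f"{label}: exempt={nat_exempt(acl, SERVER, CLIENT)}, "
              f"conflict={static_conflicts(acl, SERVER, SERVER, CLIENT)}, matched: {hit.text}")
```

Before the change the reply flow matches the final broad permit and is exempt, so the static for 10.1.74.127 is never used on the way back; after it the first match is the new deny and the static applies. The same first-match logic is why the position matters: appending the deny at the end of the list (the behaviour without "line 1") would change nothing, because the broad permit would still be reached first.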

cisco_sigfa
Level 1

Hello, jcarvaja!

Excellent, now I see the problem; it worked perfectly!

PERIMETRAL# packet-tracer input vpn-inside tcp 10.32.67.31 1026 10.1.76.40 205$

Phase: 1

Type: CAPTURE

Subtype:

Result: ALLOW

Config:

Additional Information:

Forward Flow based lookup yields rule:

in  id=0x7ab427a8, priority=12, domain=capture, deny=false

        hits=14887767, user_data=0x7b477a28, cs_id=0x0, l3_type=0x0

        src mac=0000.0000.0000, mask=0000.0000.0000

        dst mac=0000.0000.0000, mask=0000.0000.0000

Phase: 2

Type: ACCESS-LIST

Subtype:

Result: ALLOW

Config:

Implicit Rule

Additional Information:

Forward Flow based lookup yields rule:

in  id=0x75bba118, priority=1, domain=permit, deny=false

        hits=80974662, user_data=0x0, cs_id=0x0, l3_type=0x8

        src mac=0000.0000.0000, mask=0000.0000.0000

        dst mac=0000.0000.0000, mask=0000.0000.0000

Phase: 3

Type: FLOW-LOOKUP

Subtype:

Result: ALLOW

Config:

Additional Information:

Found no matching flow, creating a new flow

Phase: 4

Type: UN-NAT

Subtype: static

Result: ALLOW

Config:

static (dmz6-tmp,vpn-inside) 10.1.76.40 10.1.74.127 netmask 255.255.255.255 dns tcp 300 100

nat-control

  match ip dmz6-tmp host 10.1.74.127 vpn-inside any

    static translation to 10.1.76.40

    translate_hits = 0, untranslate_hits = 6298

Additional Information:

NAT divert to egress interface dmz6-tmp

Untranslate 10.1.76.40/0 to 10.1.74.127/0 using netmask 255.255.255.255

Phase: 5

Type: ROUTE-LOOKUP

Subtype: input

Result: ALLOW

Config:

Additional Information:

in   10.32.67.0      255.255.255.0   vpn-inside

Phase: 6

Type: ACCESS-LIST

Subtype: log

Result: ALLOW

Config:

access-group vpn-inside-inbound in interface vpn-inside

access-list vpn-inside-inbound extended permit tcp 10.32.67.0 255.255.255.0 host 10.1.76.40

Additional Information:

Forward Flow based lookup yields rule:

in  id=0x7c37d2e0, priority=12, domain=permit, deny=false

        hits=67, user_data=0x771701c0, cs_id=0x0, flags=0x0, protocol=6

        src ip=10.32.67.0, mask=255.255.255.0, port=0

        dst ip=10.1.76.40, mask=255.255.255.255, port=0, dscp=0x0

Phase: 7

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Forward Flow based lookup yields rule:

in  id=0x75bbcd90, priority=0, domain=permit-ip-option, deny=true

        hits=8741820, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0

        src ip=0.0.0.0, mask=0.0.0.0, port=0

        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 8

Type: INSPECT

Subtype: inspect-ftp

Result: ALLOW

Config:

class-map class_ftp

match port tcp eq 20573

policy-map global_policy

class class_ftp

  inspect ftp

service-policy global_policy global

Additional Information:

Forward Flow based lookup yields rule:

in  id=0x77ddbe48, priority=70, domain=inspect-ftp, deny=false

        hits=1481, user_data=0x77ddb7e8, cs_id=0x0, use_real_addr, flags=0x0, protocol=6

        src ip=0.0.0.0, mask=0.0.0.0, port=0

        dst ip=0.0.0.0, mask=0.0.0.0, port=20573, dscp=0x0

Phase: 9

Type: NAT-EXEMPT

Subtype: rpf-check

Result: ALLOW

Config:

Additional Information:

Forward Flow based lookup yields rule:

in  id=0x7625e4e8, priority=6, domain=nat-exempt-reverse, deny=true

        hits=2, user_data=0x7afebdd0, cs_id=0x0, use_real_addr, flags=0x0, protocol=0

        src ip=0.0.0.0, mask=0.0.0.0, port=0

        dst ip=10.1.74.127, mask=255.255.255.255, port=0, dscp=0x0

Phase: 10

Type: NAT

Subtype: host-limits

Result: ALLOW

Config:

nat (vpn-inside) 0 0.0.0.0 0.0.0.0

nat-control

  match ip vpn-inside any outside any

    no translation group, implicit deny

    policy_hits = 1

Additional Information:

Forward Flow based lookup yields rule:

in  id=0x7a734a78, priority=0, domain=host, deny=false

        hits=897389, user_data=0x7b5d6590, cs_id=0x0, reverse, flags=0x0, protocol=0

        src ip=0.0.0.0, mask=0.0.0.0, port=0

        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 11

Type: IDS

Subtype:

Result: ALLOW

Config:

Additional Information:

Forward Flow based lookup yields rule:

out id=0x77de16b0, priority=51, domain=ids, deny=false

        hits=371867171, user_data=0x77de1088, cs_id=0x0, flags=0x0, protocol=0

        src ip=0.0.0.0, mask=0.0.0.0, port=0

        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 12

Type: NAT

Subtype: rpf-check

Result: ALLOW

Config:

static (dmz6-tmp,vpn-inside) 10.1.76.40 10.1.74.127 netmask 255.255.255.255 dns tcp 300 100

nat-control

  match ip dmz6-tmp host 10.1.74.127 vpn-inside any

    static translation to 10.1.76.40

    translate_hits = 0, untranslate_hits = 6298

Additional Information:

Forward Flow based lookup yields rule:

out id=0x76cf9e00, priority=5, domain=nat-reverse, deny=false

        hits=8099, user_data=0x76cf9968, cs_id=0x0, flags=0x0, protocol=0

        src ip=0.0.0.0, mask=0.0.0.0, port=0

        dst ip=10.1.74.127, mask=255.255.255.255, port=0, dscp=0x0

Phase: 13

Type: NAT

Subtype: host-limits

Result: ALLOW

Config:

static (dmz6-tmp,dmz4) tcp 10.1.76.40 20573 10.1.74.127 20573 netmask 255.255.255.255  dns tcp 300 100

nat-control

  match tcp dmz6-tmp host 10.1.74.127 eq 20573 dmz4 any

    static translation to 10.1.76.40/20573

    translate_hits = 0, untranslate_hits = 23407

Additional Information:

Reverse Flow based lookup yields rule:

in  id=0x76a83560, priority=5, domain=host, deny=false

        hits=287201, user_data=0x76a82f20, cs_id=0x0, reverse, flags=0x0, protocol=0

        src ip=10.1.74.127, mask=255.255.255.255, port=0

        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 14

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Reverse Flow based lookup yields rule:

in  id=0x75c84ed0, priority=0, domain=permit-ip-option, deny=true

        hits=659454008, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0

        src ip=0.0.0.0, mask=0.0.0.0, port=0

        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 15

Type: FLOW-CREATION

Subtype:

Result: ALLOW

Config:

Additional Information:

New flow created with id 1505857570, packet dispatched to next module

Module information for forward flow ...

snp_fp_tracer_drop

snp_fp_inspect_ip_options

snp_fp_tcp_normalizer

snp_fp_punt

snp_fp_translate

snp_fp_divert_fragment

snp_ids

snp_fp_tcp_normalizer

snp_fp_adjacency

snp_fp_fragment

snp_ifc_stat

Module information for reverse flow ...

snp_fp_tracer_drop

snp_fp_inspect_ip_options

snp_fp_tcp_normalizer

snp_fp_translate

snp_fp_punt

snp_fp_divert_fragment

snp_ids

snp_fp_tcp_normalizer

snp_fp_adjacency

snp_fp_fragment

snp_ifc_stat

Result:

input-interface: vpn-inside

input-status: up

input-line-status: up

output-interface: vpn-inside

output-status: up

output-line-status: up

Action: allow

Regards
