NAT issue on ASA5510 using 9.01

Bart Olofsen
Level 1

Hey all,

I recently upgraded this firewall to 9.01. Last week I tried to set up port forwarding for a customer's server. I've done this before and did not expect any problems, but they appeared regardless of my expectations.

The server is unable to access the internet and reaching it through the available ports does not work either.

Attached is the config I used and the output from the packet-tracer I used to troubleshoot the problem.

To my surprise, the ASA decides to NAT the outgoing traffic twice: once to the public IP address I reserved for the server and a second time using the IP address I reserved for the entire customer's network.

I tried a different setup where I specified each port needed in turn, but the problem remained.

Searched the internet for any other occasions of this problem, but was unable to find anything similar.

Hope somebody is able to shed some light on this problem.

Jouni Forss
VIP Alumni

Hi,

 

The "packet-tracer" output seems normal. If you mean the other Dynamic translation showing up in the output, then that is normal. I am not sure why the ASA shows it even though it's not applied.


I am not sure if the "packet-tracer" command is the one whose output we are looking at. I mean that it mentions the port as TCP/8000 while that was not used in the actual "packet-tracer" command as the source.

 

In the Phase with the Static NAT you can see that it's applied. In the Phase where it mentions the Dynamic PAT translation you should also see a message that clearly indicates if an actual translation is performed.

 

Static NAT Applied

 

Phase: 5
Type: NAT
Subtype:
Result: ALLOW
Config:
object network DOOGLE1
 nat (DOOGLE,outside) static PUB-IP-2
Additional Information:
Static translate 10.6.9.50/8000 to PUB-IP-2/8000

 

Dynamic PAT mentioned but not applied (no information after the "Additional Information" section)

 

Phase: 9
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (DOOGLE,outside) after-auto source dynamic DOOGLE WAN-IP-DOOGLE
Additional Information:

 

So considering the above, the traffic seems to be matching the correct NAT when going to the external network.

 

I would however be interested in seeing the output of the "packet-tracer" from "outside" to "DOOGLE" also, to confirm that that direction also matches this same Static NAT rule.

 

It would seem to me that the problem might be somewhere else. I would look at the following things.

 

  • Make sure the public IP address used does not have typos and that the IP in question is actually routed towards your ASA from the ISP. If it's part of the directly connected subnet on the "outside" interface then there naturally should be no problems.
  • As the internal server is part of the directly connected LAN subnet, I would check if the ASA can see the internal host with ARP. You could use for example the "show arp | inc DOOGLE" command and see if the mentioned IP address is visible. You can ping the host before issuing the above command.
  • If you can see the host in the ARP, then I would make sure that the default gateway on the server is configured correctly, as your interface is using .5. Perhaps the server was configured with .1 by mistake?
  • You can test the server ports with TCP Ping from the ASA directly with the command "ping tcp 10.6.9.50 <destination port>". This will make the ASA send TCP SYN messages to the host and see if it gets SYN ACK replies.

 

If I have not missed something, the configurations you posted seem fine, so I am not sure if the problem is on the ASA itself. I am not sure where the object "WAN-IP-DOOGLE1" is used though.

 

Hope this helps :)

 

- Jouni
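The reading of the packet-tracer output above (a NAT phase only counts as a translation when the "Additional Information" section actually says so) can be automated. The following is an added example, not code from the thread or from Cisco: it parses packet-tracer output into phases, separates NAT phases that translated from NAT phases that are merely listed (such as the after-auto dynamic PAT rule), and pulls out the translated address pairs. The sample output is constructed from the two phases quoted in the thread plus an assumed trailing "Result:" summary block in the usual packet-tracer layout.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed sample, modelled on the two NAT phases quoted in the thread.
# The trailing "Result:" block is an assumed, typical packet-tracer footer.
SAMPLE_OUTPUT = """\
Phase: 5
Type: NAT
Subtype:
Result: ALLOW
Config:
object network DOOGLE1
 nat (DOOGLE,outside) static PUB-IP-2
Additional Information:
Static translate 10.6.9.50/8000 to PUB-IP-2/8000

Phase: 9
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (DOOGLE,outside) after-auto source dynamic DOOGLE WAN-IP-DOOGLE
Additional Information:

Result:
input-interface: DOOGLE
output-interface: outside
Action: allow
"""

TRANSLATE_RE = re.compile(r"translate\s+(\S+)\s+to\s+(\S+)")


@dataclass
class Phase:
    number: int
    type: str = ""
    subtype: str = ""
    result: str = ""
    config: list[str] = field(default_factory=list)
    info: list[str] = field(default_factory=list)

    @property
    def translates(self) -> bool:
        """A NAT phase translated only if 'Additional Information' is non-empty."""
        return self.type == "NAT" and any(line.strip() for line in self.info)


def parse_phases(text: str) -> list[Phase]:
    """Split packet-tracer output into Phase records; a blank line ends a phase."""
    phases: list[Phase] = []
    current: Phase | None = None
    section: str | None = None  # "config" or "info" while inside those blocks
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip():
            current, section = None, None
            continue
        if line.startswith("Phase:"):
            current = Phase(number=int(line.split(":", 1)[1]))
            phases.append(current)
            section = None
            continue
        if current is None:
            continue  # trailing summary block or unrelated text
        if line.startswith("Type:"):
            current.type = line.split(":", 1)[1].strip()
        elif line.startswith("Subtype:"):
            current.subtype = line.split(":", 1)[1].strip()
        elif line.startswith("Result:"):
            current.result = line.split(":", 1)[1].strip()
        elif line.startswith("Config:"):
            section = "config"
        elif line.startswith("Additional Information:"):
            section = "info"
        elif section == "config":
            current.config.append(line)
        elif section == "info":
            current.info.append(line)
    return phases


def nat_summary(text: str) -> tuple[list[int], list[int], str]:
    """Return (NAT phases that translated, NAT phases only listed, final action)."""
    phases = parse_phases(text)
    applied = [p.number for p in phases if p.type == "NAT" and p.translates]
    listed_only = [p.number for p in phases if p.type == "NAT" and not p.translates]
    match = re.search(r"^Action:\s*(\S+)", text, re.MULTILINE)
    return applied, listed_only, (match.group(1) if match else "unknown")


def translations(text: str) -> list[tuple[int, str, str]]:
    """Extract (phase, original, translated) pairs from translate lines."""
    pairs = []
    for phase in parse_phases(text):
        for line in phase.info:
            m = TRANSLATE_RE.search(line)
            if m:
                pairs.append((phase.number, m.group(1), m.group(2)))
    return pairs


if __name__ == "__main__":
    applied, listed, action = nat_summary(SAMPLE_OUTPUT)
    print(f"translating NAT phases: {applied}, listed only: {listed}, action: {action}")
    for number, src, dst in translations(SAMPLE_OUTPUT):
        print(f"phase {number}: {src} -> {dst}")
```

Run it against a saved packet-tracer capture (for example by reading the file into the text argument); a second NAT phase that appears in "listed only" is the situation described above and is not a double translation.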

Hi Jouni,

 

Thank you for your swift response.

The object WAN-IP-DOOGLE1 was used, but I later replaced the object with the IP address in the nat statement.

Attached is the packet-tracer you wanted to see, including the result of the questions you posed.

 

The 8000 port is probably a mix-up. I must have performed an earlier packet-tracer with that port. Performing the same packet-tracer with the 9000 ports yields port 9000 in the results.

Another thing I'm missing in the output: the bandwidth limit I impose is not checked.

I checked another 1-on-1 port mapping on another 5510 using 8.6(1)2, and I get a significantly different order and items in the result of a comparable packet-tracer.

Hi,

 

Again the output seems correct.

 

Your output does seem to show CONN-SETTINGS and QOS Phases, which to my understanding should refer to a configuration you have done regarding bandwidth. I have not used those settings on the ASA myself (we handle them on Routers), so I am not sure what kind of output to expect in a normal situation. I might be able to check this when I am at home with my ASA.

 

In your output we can see that your ASA can ping the TCP port, but an external host can not see a SYN ACK reply to the SYN it sent. This would seem to point to the server's default gateway being configured wrong. This would explain that it replies from a directly connected subnet (the ASA will use the interface IP address, to my understanding, if no actual source address is defined in the "ping tcp" command) but not from an external network.

 

Can you check the server's network interface card configuration, or have it checked, that it's using the ASA interface IP address as the default gateway.

 

- Jouni

Well, what can I say. Besides the excellent deduction on your part, I am once again baffled by the incompetence of the person managing the server.

And finally, I should really stop making assumptions...

 

Many thanks Jouni!!
