NAT Issue

Ejaz Ahmed
Level 1

Hi Experts,

One of my offices has a Cisco ASA 5510 with IOS 8.4(5). Everything is configured and working fine except the static NAT. I have a block of public IPs, which I used to configure static NAT. The internal server which is configured with static NAT is not getting internet or anything. When I remove the static NAT, the internet works (through the WAN interface IP). The server is placed in the DMZ. I have allowed everything to the server, but it is not working.

Regards,

EJAZ

Accepted Solution

Hi,

In your case the format for configuring Static NAT for the server would be

object network <object name>
 host <server local ip>
 nat (DMZ,Outside) static <public ip address> dns

This would bind the local IP address to the public IP address configured on the "nat" command. This would mean that outbound connections would also use this public IP address. If you had a similar Static PAT configuration already then you would not really need that UNLESS you are changing the mapped/local port in the "nat" command.

But configuring the Static NAT would already mean that it would override the Dynamic PAT for outgoing connections from this server. Naturally there is a small chance depending on your current complete NAT configuration that even this Static NAT might be overridden but I doubt it. If the above "packet-tracer" is for the DMZ server in question then there should be no problem.

- Jouni


19 Replies

It would help to see your ASA configuration to identify where the problem is.

Static NAT can be configured as follows:

object network SERVER
  host 10.10.10.1
  nat (inside,outside) static 11.11.11.1 tcp 80 80

or

object network SERVER
  host 10.10.10.1

object network SERVER-NAT
  host 11.11.11.1

object service WEB
 service tcp destination eq www

nat (inside,outside) source static SERVER SERVER-NAT service WEB WEB

--

Please remember to select a correct answer and rate helpful posts


Hi Marius,

Thank you for the reply. Please see attached my config file.

Please note that I have three servers which are configured with static NAT; they are: 172.16.34.1, 172.16.34.2 and 172.16.34.3

Issue with 172.16.34.2 and 172.16.34.3 (Static NAT is not working for these servers)

Regards,

Ejaz

Could you please run the following packet-tracer and post the output here.

packet-tracer input outside tcp 4.2.2.2 12345 172.16.34.2 80 detail

This should give us an indication of what is causing the packet to drop.

--

Please remember to select a correct answer and rate helpful posts


Hi Marius,

Please see the output below:

ASA5510# packet-tracer input outside tcp 4.2.2.2 12345 172.16.34.2 80 detail ?

  xml  Output in xml format
  <cr>
ASA5510# packet-tracer input outside tcp 4.2.2.2 12345 172.16.34.2 80 detail

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xac0381c0, priority=1, domain=permit, deny=false
        hits=16053, user_data=0x0, cs_id=0x0, l3_type=0x8
        src mac=0000.0000.0000, mask=0000.0000.0000
        dst mac=0000.0000.0000, mask=0100.0000.0000
        input_ifc=Outside, output_ifc=any

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   172.16.34.0     255.255.255.0   DMZ

Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         Outside

Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group OUTSIDE_DMZ_ACCESS_IN_ACL in interface Outside
access-list OUTSIDE_DMZ_ACCESS_IN_ACL extended permit tcp any object UCALLTEL-DMZ-A2BILLING01-172.16.34.2 eq www
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xac69f910, priority=13, domain=permit, deny=false
        hits=0, user_data=0xa9862c00, cs_id=0x0, use_real_addr, flags=0x0, protocol=6
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0
        dst ip/id=172.16.34.2, mask=255.255.255.255, port=80, dscp=0x0
        input_ifc=Outside, output_ifc=any

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xac03ccb0, priority=0, domain=inspect-ip-options, deny=true
        hits=873, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
        input_ifc=Outside, output_ifc=any

Phase: 6
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xaf133240, priority=70, domain=inspect-http, deny=false
        hits=289, user_data=0xaf132770, cs_id=0x0, use_real_addr, flags=0x0, protocol=6
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=80, dscp=0x0
        input_ifc=Outside, output_ifc=any

Phase: 7
Type: IDS
Subtype:
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xaca29438, priority=50, domain=ids, deny=false
        hits=393, user_data=0xaf58bd60, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
        input_ifc=Outside, output_ifc=any

Phase: 8
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xad2d6908, priority=13, domain=ipsec-tunnel-flow, deny=true
        hits=527, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
        input_ifc=Outside, output_ifc=any

Phase: 9
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
object network NAT-INET-UCALLTEL-A2BILLING01-WWW
 nat (DMZ,Outside) static 23.30.88.140 service tcp www www
Additional Information:
 Forward Flow based lookup yields rule:
 out id=0xac4e6ba0, priority=6, domain=nat-reverse, deny=false
        hits=1, user_data=0xac4e5d88, cs_id=0x0, use_real_addr, flags=0x0, protocol=6
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0
        dst ip/id=172.16.34.2, mask=255.255.255.255, port=80, dscp=0x0
        input_ifc=Outside, output_ifc=DMZ

Result:
input-interface: Outside
input-status: up
input-line-status: up
output-interface: DMZ
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

 

Regards,

Ejaz
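Reading a packet-tracer dump by eye is error-prone once it runs to a dozen phases, so here is a small parser for this output format, added as an example (it is not from the thread, and not a Cisco tool). It splits the trace into its "Phase:" blocks and the trailing "Result:" block, then names the first phase whose Result is DROP together with the rule text shown under its Config. The two sample traces are constructed, abbreviated copies of the traces posted in this thread, with the public address replaced by the documentation placeholder 203.0.113.140.

```python
"""Parse Cisco ASA packet-tracer output and name the phase that dropped the packet.
Added example, not from the thread or from Cisco; samples are constructed."""
from __future__ import annotations
import re
from dataclasses import dataclass

# Constructed sample 1: trace sent to the server's REAL address (the thread's first trace).
SAMPLE_DROP = """\
Phase: 1
Type: ACCESS-LIST
Result: ALLOW
Config:
Implicit Rule

Phase: 9
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
object network NAT-INET-UCALLTEL-A2BILLING01-WWW
 nat (DMZ,Outside) static 203.0.113.140 service tcp www www
Additional Information:
 Forward Flow based lookup yields rule:
 out id=0xac4e6ba0, priority=6, domain=nat-reverse, deny=false

Result:
input-interface: Outside
output-interface: DMZ
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

# Constructed sample 2: trace sent to the MAPPED (public) address (the thread's second trace).
SAMPLE_ALLOW = """\
Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
object network NAT-INET-UCALLTEL-A2BILLING01-WWW
 nat (DMZ,Outside) static 203.0.113.140 service tcp www www
Additional Information:
Untranslate 203.0.113.140/80 to 172.16.34.2/80

Result:
input-interface: Outside
output-interface: DMZ
Action: allow
"""

HEADERS = ("Phase", "Type", "Subtype", "Result")

@dataclass
class Phase:
    number: int
    type: str
    subtype: str
    result: str
    config: list[str]   # lines printed under "Config:" (the ACL or NAT rule that matched)

@dataclass
class Trace:
    phases: list[Phase]
    summary: dict[str, str]   # the trailing "Result:" block (Action, Drop-reason, interfaces)

def _parse_phase(lines: list[str]) -> Phase:
    fields = dict.fromkeys(HEADERS, "")
    config: list[str] = []
    section = None  # "Config" or "Additional Information" once past the header lines
    for raw in lines:
        line = raw.strip()
        if line in ("Config:", "Additional Information:"):
            section = line[:-1]
            continue
        key, sep, value = line.partition(":")
        if section is None and sep and key in HEADERS:
            fields[key] = value.strip()
        elif section == "Config" and line:
            config.append(line)
    return Phase(int(fields["Phase"]), fields["Type"], fields["Subtype"], fields["Result"], config)

def parse_packet_tracer(text: str) -> Trace:
    """Blank lines separate blocks: 'Phase:' blocks become phases, the 'Result:'
    block becomes the summary, and anything else (the module lists) is ignored."""
    phases: list[Phase] = []
    summary: dict[str, str] = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        if lines[0].startswith("Phase:"):
            phases.append(_parse_phase(lines))
        elif lines[0].startswith("Result:"):
            for line in lines[1:]:
                key, sep, value = line.partition(":")
                if sep:
                    summary[key.strip()] = value.strip()
    return Trace(phases, summary)

def drop_phase(trace: Trace) -> Phase | None:
    """First phase whose Result is DROP, or None when the packet was allowed."""
    return next((p for p in trace.phases if p.result == "DROP"), None)

def explain(trace: Trace) -> str:
    """One-line verdict: which phase dropped the packet and under which NAT/ACL rule."""
    p = drop_phase(trace)
    s = trace.summary
    if p is None:
        return f"allow: {s.get('input-interface')} -> {s.get('output-interface')}"
    rule = "; ".join(p.config) or "(no config shown)"
    return f"drop at phase {p.number} {p.type}/{p.subtype}: {s.get('Drop-reason')}; rule: {rule}"
```

Run on the first sample, explain() reports the drop at phase 9 NAT/rpf-check and quotes the static PAT rule that caused it, which is exactly the clue that the trace was sent to the real address rather than the mapped one; on the second sample it reports a clean Outside to DMZ allow. The "Drop-reason" text is kept verbatim because the ASA's reason strings (acl-drop, rpf-violated, ...) are what you grep for in syslog afterwards.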

Could you please run the packet tracer again, but this time exchange the 172.16.34.2 address with the translated (public) IP.

--

Please remember to select a correct answer and rate helpful posts


Hi Marius,

Please see the output below; I have changed the IP to the NATed public IP:

ASA5510# packet-tracer input outside tcp 4.2.2.2 12345 x.x.x.x 80 detail

Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
object network NAT-INET-UCALLTEL-A2BILLING01-WWW
 nat (DMZ,Outside) static x.x.x.x service tcp www www
Additional Information:
NAT divert to egress interface DMZ
Untranslate x.x.x.x/80 to 172.16.34.2/80

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         Outside

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group OUTSIDE_DMZ_ACCESS_IN_ACL in interface Outside
access-list OUTSIDE_DMZ_ACCESS_IN_ACL extended permit tcp any object UCALLTEL-DMZ-A2BILLING01-172.16.34.2 eq www
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xac69f910, priority=13, domain=permit, deny=false
        hits=2, user_data=0xa9862c00, cs_id=0x0, use_real_addr, flags=0x0, protocol=6
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0
        dst ip/id=172.16.34.2, mask=255.255.255.255, port=80, dscp=0x0
        input_ifc=Outside, output_ifc=any

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xac03ccb0, priority=0, domain=inspect-ip-options, deny=true
        hits=7296, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
        input_ifc=Outside, output_ifc=any

Phase: 5
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xaf133240, priority=70, domain=inspect-http, deny=false
        hits=358, user_data=0xaf132770, cs_id=0x0, use_real_addr, flags=0x0, protocol=6
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=80, dscp=0x0
        input_ifc=Outside, output_ifc=any

Phase: 6
Type: IDS
Subtype:
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xaca29438, priority=50, domain=ids, deny=false
        hits=701, user_data=0xaf58bd60, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
        input_ifc=Outside, output_ifc=any

Phase: 7
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xad2d6908, priority=13, domain=ipsec-tunnel-flow, deny=true
        hits=2432, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
        input_ifc=Outside, output_ifc=any

Phase: 8
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
object network NAT-INET-UCALLTEL-A2BILLING01-WWW
 nat (DMZ,Outside) static x.x.x.x service tcp www www
Additional Information:
 Forward Flow based lookup yields rule:
 out id=0xac4e6ba0, priority=6, domain=nat-reverse, deny=false
        hits=3, user_data=0xac4e5d88, cs_id=0x0, use_real_addr, flags=0x0, protocol=6
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0
        dst ip/id=172.16.34.2, mask=255.255.255.255, port=80, dscp=0x0
        input_ifc=Outside, output_ifc=DMZ

Phase: 9
Type: USER-STATISTICS
Subtype: user-statistics
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 out id=0xaf119ad8, priority=0, domain=user-statistics, deny=false
        hits=987, user_data=0xaf144310, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
        input_ifc=any, output_ifc=DMZ

Phase: 10
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
 Reverse Flow based lookup yields rule:
 in  id=0xac0ef7b8, priority=0, domain=inspect-ip-options, deny=true
        hits=812, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
        input_ifc=DMZ, output_ifc=any

Phase: 11
Type: USER-STATISTICS
Subtype: user-statistics
Result: ALLOW
Config:
Additional Information:
 Reverse Flow based lookup yields rule:
 out id=0xaf118a48, priority=0, domain=user-statistics, deny=false
        hits=4656, user_data=0xaf144310, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
        input_ifc=any, output_ifc=Outside

Phase: 12
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 31936, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_inspect_http
snp_fp_translate
snp_ids
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Module information for reverse flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_tcp_normalizer
snp_fp_inspect_http
snp_ids
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Result:
input-interface: Outside
input-status: up
input-line-status: up
output-interface: DMZ
output-status: up
output-line-status: up
Action: allow

 

Regards,

Ejaz

As per the packet tracer, the traffic flow is allowed through the ASA. Have you made sure that the server is correctly configured, and that the traffic is being switched/routed correctly from the ASA to the server?

--

Please remember to select a correct answer and rate helpful posts


Hi Marius,

Thank you for the reply. As of now our development team is working with the server and it is not connected to the network. Once it is connected I will let you know the status.

Also, can you give advice on the below issue:

In the same firewall configuration, as I mentioned earlier, there is no NAT issue with the server 172.16.34.1. Only certain ports are forwarded to the server. I can connect to SIP on this server with the NATed public IP and everything is working fine for inbound traffic. But when a connection is going from the server (i.e. outbound), the server is using the firewall's WAN interface IP instead of its NAT IP. Why is it going like that? How can we change that?

Regards,

Ejaz

Hi,

You say that you have forwarded the required ports to the server so that inbound connections from the external networks can reach the server but that the problem is when the server opens outbound connections to the external networks? It uses a different public IP address?

The main question here is if any other device uses the public IP address that you have used to forward the ports (Static PAT)? If the public IP address used in the Static PAT configurations for the server is only used for that specific server then you should really change the Static PAT to Static NAT which would in turn mean that the server would use that public IP address for ALL outbound connections. At the same time it would also allow connections on any port inbound for the server (What is allowed is naturally determined by your interface ACL but what I mean is that you would not need any additional NAT configurations to allow connections to some port, only the ACL rule.)

Hope this helps :)

- Jouni

Hi Jouni,

Thank you for the reply.

The NATed IP is only used by the server.

Let me know for any further queries.

Regards,

Ejaz

When you say going outbound, do you mean internet traffic?

You could run the packet-tracer again to see which NAT it is matching (my assumption is that it is matching the dynamic NAT statement you have configured).

packet-tracer input outside tcp 172.16.34.2 12345 4.2.2.2 80 detail

I am thinking that the NAT statement is trying to match on the source port, and since the PC is sending with a random high port number it won't match and will therefore default to the dynamic NAT statement.

Also could you post your configuration again... I do not see it where you posted it earlier.

--

Please remember to select a correct answer and rate helpful posts


Hi,

Please see the output below:

ASA5510# packet-tracer input outside tcp 172.16.34.2 12345 4.2.2.2 80 detail

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         Outside

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   172.16.34.0     255.255.255.0   DMZ

Result:
input-interface: Outside
input-status: up
input-line-status: up
output-interface: Outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (rpf-violated) Reverse-path verify failed

 

Also I have attached the configuration file.

Regards,

Ejaz

Sorry I was a little fast with my copy/paste. Could you please re-run the packet tracer.

packet-tracer input DMZ tcp 172.16.34.2 12345 4.2.2.2 80 detail

--

Please remember to select a correct answer and rate helpful posts


Hi Marius,

Please see the output below:

ASA5510# packet-tracer input DMZ tcp 172.16.34.2 12345 4.2.2.2 80 detail

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         Outside

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group DMZ_ACCESS_IN_ACL in interface DMZ
access-list DMZ_ACCESS_IN_ACL extended permit tcp object UCALLTEL-DMZ-172.16.34.0 any eq www
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xac8f43a8, priority=13, domain=permit, deny=false
        hits=70, user_data=0xa9861c80, cs_id=0x0, use_real_addr, flags=0x0, protocol=6
        src ip/id=172.16.34.0, mask=255.255.255.0, port=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=80, dscp=0x0
        input_ifc=DMZ, output_ifc=any

Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xac0ef7b8, priority=0, domain=inspect-ip-options, deny=true
        hits=3138, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
        input_ifc=DMZ, output_ifc=any

Phase: 4
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xaf10e9e0, priority=70, domain=inspect-http, deny=false
        hits=71, user_data=0xaf132770, cs_id=0x0, use_real_addr, flags=0x0, protocol=6
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=80, dscp=0x0
        input_ifc=DMZ, output_ifc=any

Phase: 5
Type: IDS
Subtype:
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xaee1b6b8, priority=50, domain=ids, deny=false
        hits=779, user_data=0xaf58bd60, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
        input_ifc=DMZ, output_ifc=any

Phase: 6
Type: NAT
Subtype:
Result: ALLOW
Config:
object network UCALLTEL-DMZ-172.16.34.0
 nat (DMZ,Outside) dynamic interface
Additional Information:
Dynamic translate 172.16.34.2/12345 to x.30.x.x/12345
 Forward Flow based lookup yields rule:
 in  id=0xac498108, priority=6, domain=nat, deny=false
        hits=43994, user_data=0xac497728, cs_id=0x0, flags=0x0, protocol=0
        src ip/id=172.16.34.0, mask=255.255.255.0, port=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
        input_ifc=DMZ, output_ifc=Outside

Phase: 7
Type: USER-STATISTICS
Subtype: user-statistics
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 out id=0xaf118a48, priority=0, domain=user-statistics, deny=false
        hits=14402, user_data=0xaf144310, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
        input_ifc=any, output_ifc=Outside

Phase: 8
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
 Reverse Flow based lookup yields rule:
 in  id=0xac03ccb0, priority=0, domain=inspect-ip-options, deny=true
        hits=17760, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
        input_ifc=Outside, output_ifc=any

Phase: 9
Type: USER-STATISTICS
Subtype: user-statistics
Result: ALLOW
Config:
Additional Information:
 Reverse Flow based lookup yields rule:
 out id=0xaf119ad8, priority=0, domain=user-statistics, deny=false
        hits=3397, user_data=0xaf144310, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
        input_ifc=any, output_ifc=DMZ

Phase: 10
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 139995, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_inspect_http
snp_fp_translate
snp_ids
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Module information for reverse flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_tcp_normalizer
snp_fp_inspect_http
snp_ids
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Result:
input-interface: DMZ
input-status: up
input-line-status: up
output-interface: Outside
output-status: up
output-line-status: up
Action: allow

 

Regards,

Ejaz
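The three traces in this thread, Marius's source-port explanation and Jouni's accepted answer all come down to how the ASA picks a network-object NAT rule. The following model, added here as an example (it is not the thread's or Cisco's code), reproduces each of those outcomes from the two object NAT rules visible in the traces. It assumes the documented ASA 8.3+ ordering for section 2 (object) NAT rules: static rules before dynamic, then objects with fewer real addresses first, then lowest IP, then object name; everything else is a deliberately small subset of real ASA behaviour. INTERFACE_IP and PUBLIC_IP are constructed documentation addresses standing in for the thread's masked x.x.x.x values, and the object name A2BILLING01-STATIC for the corrected rule is hypothetical.

```python
"""Model of ASA 8.3+ network-object (auto) NAT rule selection, built to reproduce
the thread's packet-tracer results. Added example, not Cisco code; the ordering
follows the ASA NAT documentation (static before dynamic, fewer real addresses
first, then lowest IP, then object name) and everything else is a simplification."""
from __future__ import annotations
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

INTERFACE_IP = "198.51.100.1"   # constructed: the Outside interface address
PUBLIC_IP = "203.0.113.140"     # constructed stand-in for the thread's x.x.x.x


@dataclass(frozen=True)
class AutoNatRule:
    name: str                     # object network <name>
    real: str                     # host or subnet behind the object, CIDR form
    real_ifc: str                 # nat (<real_ifc>,<mapped_ifc>) ...
    mapped_ifc: str
    kind: str                     # "static" or "dynamic"
    mapped: str                   # mapped address, or "interface"
    real_port: int | None = None  # service tcp <real_port> <mapped_port>
    mapped_port: int | None = None

    def mapped_ip(self, interface_ip: str) -> str:
        return interface_ip if self.mapped == "interface" else self.mapped


def nat_order(rule: AutoNatRule):
    """Section 2 ordering: static first, then smaller objects, then lower IP, then name."""
    net = ip_network(rule.real)
    return (rule.kind != "static", net.num_addresses, int(net.network_address), rule.name)


def translate_outbound(rules, src_ip, src_port, real_ifc, mapped_ifc, interface_ip=INTERFACE_IP):
    """Real->mapped lookup for a flow leaving the real side (the trace's NAT phase)."""
    for rule in sorted(rules, key=nat_order):
        if (rule.real_ifc, rule.mapped_ifc) != (real_ifc, mapped_ifc):
            continue
        if ip_address(src_ip) not in ip_network(rule.real):
            continue
        # "service tcp www www" only matches when the real source port is www (80).
        if rule.real_port is not None and rule.real_port != src_port:
            continue
        port = rule.mapped_port if rule.mapped_port is not None else src_port
        return rule.name, rule.mapped_ip(interface_ip), port
    return None


def translate_inbound(rules, dst_ip, dst_port, mapped_ifc, real_ifc, interface_ip=INTERFACE_IP):
    """Mapped->real lookup (the trace's UN-NAT phase). Dynamic PAT keeps no standing
    inbound translation, so only static rules are candidates."""
    for rule in sorted(rules, key=nat_order):
        if rule.kind != "static" or (rule.real_ifc, rule.mapped_ifc) != (real_ifc, mapped_ifc):
            continue
        if rule.mapped_ip(interface_ip) != dst_ip:
            continue
        if rule.mapped_port is not None and rule.mapped_port != dst_port:
            continue
        net = ip_network(rule.real)
        if net.num_addresses != 1:   # the model only handles host objects for static rules
            continue
        port = rule.real_port if rule.real_port is not None else dst_port
        return rule.name, str(net.network_address), port
    return None


def rpf_violation(rules, dst_ip, mapped_ifc, real_ifc):
    """Name the static rule that makes a packet addressed to the REAL address, arriving
    on the mapped interface, fail the NAT rpf-check (what the thread's first trace hit)."""
    for rule in sorted(rules, key=nat_order):
        if (rule.kind == "static" and (rule.real_ifc, rule.mapped_ifc) == (real_ifc, mapped_ifc)
                and ip_address(dst_ip) in ip_network(rule.real)):
            return rule.name
    return None


# Constructed rules mirroring the two object NAT rules seen in the thread's traces.
THREAD_RULES = [
    AutoNatRule("UCALLTEL-DMZ-172.16.34.0", "172.16.34.0/24", "DMZ", "Outside", "dynamic", "interface"),
    AutoNatRule("NAT-INET-UCALLTEL-A2BILLING01-WWW", "172.16.34.2/32", "DMZ", "Outside",
                "static", PUBLIC_IP, real_port=80, mapped_port=80),
]

# Jouni's fix: a plain static NAT (no "service" keyword) for the same host; object name is hypothetical.
FIXED_RULES = [
    THREAD_RULES[0],
    AutoNatRule("A2BILLING01-STATIC", "172.16.34.2/32", "DMZ", "Outside", "static", PUBLIC_IP),
]
```

With THREAD_RULES, an outbound connection from 172.16.34.2 with source port 12345 skips the static PAT (real port 80 does not match) and lands on the dynamic interface PAT, which is the "Dynamic translate 172.16.34.2/12345 to x.30.x.x/12345" line in the last trace; inbound to the public address on port 80 un-translates to 172.16.34.2, inbound on any other port finds no rule (why Static PAT needs one rule per forwarded port), and a packet from Outside addressed to the real 172.16.34.2 is flagged by rpf_violation, as in the first trace. With FIXED_RULES the same outbound flow is sourced from PUBLIC_IP on every port, which is the behaviour Jouni describes.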
