08-24-2015 01:21 AM - edited 03-11-2019 11:29 PM
All,
I am having an issue whereby all my static NAT rules are failing.
ASDM Logging states:
4 Aug 24 2015 06:42:46 106023 213.x.x.58 59500 Out-TMG_RIPE_NAT 443 Deny tcp src outside:213.205.251.58/59500 dst outside:Out-TMG_RIPE_NAT/443 by access-group "outside_access_in" [0x0, 0x0]
I have run a packet tracer as follows to 213.205.251.58:443:
packet-tracer input outside tcp 213.x.x.58 65500 10.x.x.106 443
Packet tracer output is attached.
Any help is much appreciated!
-
D
08-24-2015 07:04 AM
Is the real server IP reachable via the inside interface ?
If so this rule -
(inside) to (outside) source static any any no-proxy-arp route-lookup
is the one that seems to be matching the traffic.
What is that rule meant to be doing ?
Jon
08-24-2015 05:48 AM
You should test with packet tracer using the public IP as the destination, not the private IP.
Can you run it again and also post a "sh nat" from the ASA.
Jon
08-24-2015 06:40 AM
Hi Jon,
Here is the packet tracer using the public IP:
packet-tracer input outside tcp 213.x.x.58 65500 212.x.x.243 443
Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
MAC Access list
Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list
Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 212.x.x.224 255.255.255.224 outside
Phase: 4
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
Also please find attached 'sh nat'.
-
D
08-24-2015 06:40 AM
I think the issue is with your NAT configuration.
Firstly, if that is your real public IP, can you modify it (i.e. 212.x.x.243), as this is a public forum (apologies, I should have mentioned that).
Then -
1) "clear nat counters"
run a "sh nat" and you should see all the counters cleared
2) run the packet-tracer command again and post "sh nat" again.
Jon
08-24-2015 07:27 AM
Rule 13:
13 (inside) to (outside) source static any any no-proxy-arp route-lookup
translate_hits = 22819, untranslate_hits = 4898
When I disable this rule, the problem is solved! Thank you for all your help.
-
D
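The lookup-order effect behind Jon's diagnosis, as an added illustration that is not code from the thread and not Cisco software: the ASA walks manual NAT (section 1) in configuration order, then object/auto NAT (section 2), then "after-auto" manual NAT (section 3), and the first rule whose mapped side covers the inbound destination wins. A section 1 "source static any any ... route-lookup" rule therefore answers the untranslation for every inbound packet before the object NAT static for the server is even considered; because it is identity NAT, the public address is left untouched, the route lookup points back out the outside interface, and the flow then hits outside_access_in as outside-to-outside traffic, which is exactly what the packet-tracer output and the 106023 log line show. The model below is simplified (static rules only, no ACL phase); the addresses are RFC 5737 and RFC 1918 stand-ins for the masked ones in the thread, and the "fixed" table assumes the identity rule is re-entered with the `after-auto` keyword (`nat (inside,outside) after-auto source static any any no-proxy-arp route-lookup`) as an alternative to simply disabling it, which is what D did.

```python
"""Model of how an ASA selects a NAT rule for an inbound packet.

Illustrative code written for this page, not Cisco software. Sections are
walked 1 (manual), 2 (object/auto), 3 (manual after-auto); the first rule
whose mapped side covers the destination performs the untranslation.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass
class NatRule:
    section: int                 # 1 = manual, 2 = object NAT, 3 = manual after-auto
    real_if: str                 # e.g. "inside"
    mapped_if: str               # e.g. "outside"
    real: str                    # real address/network, or "any"
    mapped: str                  # mapped address/network, or "any"
    route_lookup: bool = False   # "route-lookup" keyword: egress chosen by the routing table


def _matches(spec: str, addr: str) -> bool:
    """Does the rule's address spec cover addr? 'any' covers everything."""
    return spec == "any" or ip_address(addr) in ip_network(spec, strict=False)


def route_lookup(dst: str, routes: List[Tuple[str, str]]) -> Optional[str]:
    """Longest-prefix match over (prefix, interface) pairs; None if no route."""
    best = None
    for prefix, iface in routes:
        net = ip_network(prefix, strict=False)
        if ip_address(dst) in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, iface)
    return best[1] if best else None


def untranslate(dst_mapped: str, ingress: str, rules: List[NatRule],
                routes: List[Tuple[str, str]]):
    """Return (real_destination, egress_interface, matching_rule) for a packet
    that arrived on `ingress` addressed to `dst_mapped`.

    Only static rules are modelled, so the static-before-dynamic ordering
    inside section 2 does not come into play here.
    """
    for section in (1, 2, 3):
        for rule in (r for r in rules if r.section == section):
            if rule.mapped_if != ingress or not _matches(rule.mapped, dst_mapped):
                continue
            # "any any" is identity NAT: the destination is left as-is.
            real = dst_mapped if rule.real == "any" else rule.real
            egress = route_lookup(real, routes) if rule.route_lookup else rule.real_if
            return real, egress, rule
    # No NAT rule matched: plain routing.
    return dst_mapped, route_lookup(dst_mapped, routes), None


# Constructed topology standing in for the masked addresses in the thread.
ROUTES = [
    ("203.0.113.224/27", "outside"),   # the ASA's outside subnet
    ("10.0.0.0/24", "inside"),         # where the real server lives
]
SERVER_MAPPED, SERVER_REAL = "203.0.113.243", "10.0.0.106"

OBJECT_STATIC = NatRule(2, "inside", "outside", SERVER_REAL, SERVER_MAPPED)

# Rule 13 from the thread: section 1, covers every inbound destination.
BROKEN = [NatRule(1, "inside", "outside", "any", "any", route_lookup=True),
          OBJECT_STATIC]

# Same identity rule demoted to section 3 (assumed "after-auto" form).
FIXED = [OBJECT_STATIC,
         NatRule(3, "inside", "outside", "any", "any", route_lookup=True)]


def demo():
    """Untranslate the server's public address under both rule tables."""
    broken = untranslate(SERVER_MAPPED, "outside", BROKEN, ROUTES)
    fixed = untranslate(SERVER_MAPPED, "outside", FIXED, ROUTES)
    return broken, fixed


if __name__ == "__main__":
    for label, (real, egress, rule) in zip(("broken", "fixed"), demo()):
        print(f"{label}: dst {SERVER_MAPPED} -> real {real}, egress {egress}, "
              f"matched section {rule.section if rule else None}")
```

With the identity rule in section 1 the model returns the unchanged public address and egress `outside`, matching the "output-interface: outside" in the trace above; with the object NAT static evaluated first it returns the real server address and egress `inside`. On a live ASA, "sh nat" after "clear nat counters" and one packet-tracer run shows the same thing as untranslate_hits incrementing on whichever rule actually won.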