cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
439
Views
0
Helpful
6
Replies

NAT Issue

drbabbers
Level 3
Level 3

All,

I am having an issue whereby all my static NAT rules are failing.

ASDM Logging states:

4 Aug 24 2015 06:42:46 106023 213.x.x.58 59500 Out-TMG_RIPE_NAT 443 Deny tcp src outside:213.205.251.58/59500 dst outside:Out-TMG_RIPE_NAT/443 by access-group "outside_access_in" [0x0, 0x0]

I have run a packet tracer as follows to 213.205.251.58:443:

packet-tracer input outside tcp 213.x.x.58 65500 10.x.x.106 tcp 213.x.x.58 65500 10.x.x.106 443

Packet tracer output is attached.

Any help is much appreciated!

-

D

1 Accepted Solution

Accepted Solutions

Is the real server IP reachable via the inside interface ?

If so this rule -

(inside) to (outside) source static any any   no-proxy-arp route-lookup

is the one that seems to be matching the traffic.

What is that rule meant to be doing ?

Jon
 

View solution in original post

6 Replies 6

Jon Marshall
Hall of Fame
Hall of Fame

You should test with packet tracer using the public IP as the destination not the private IP.

Can you run it again and also post a "sh nat" from the ASA.

Jon

Hi Jon,

Here is the packet tracer using the public IP:

packet-tracer input outside tcp 213.x.x.58 65500 212.x.x.243 443

Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
MAC Access list

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   212.x.x.224 255.255.255.224 outside

Phase: 4
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule


Also please find attached 'sh nat'.

-

D

I think the issue is with your NAT configuration.

Firstly if that is your real public IP can you modify ie. 212.x.x.243 as this is a public forum (apologies I should have mentioned that).

Then -

1) "clear nat counters"

run a "sh nat" and you should see all the counters cleared

2) run the packet-tracer command again and post "sh nat" again.

Jon

All done. :)

Please find attached.

Is the real server IP reachable via the inside interface ?

If so this rule -

(inside) to (outside) source static any any   no-proxy-arp route-lookup

is the one that seems to be matching the traffic.

What is that rule meant to be doing ?

Jon
 

Rule 13:

13 (inside) to (outside) source static any any   no-proxy-arp route-lookup
    translate_hits = 22819, untranslate_hits = 4898
 

When I disable this rule the problem is solved! Thank you for all your help.

-

D

 

Review Cisco Networking for a $25 gift card