NAT issue

CiscoNutt
Level 1

Hi,

I am having a NAT issue and I am not sure what is going on.  I have tried configuring nat exempt but that didn't solve the issue.

ASA 5520

version 8.2

My client has the inside network on interface gig0/1.100 and the guest network on gig0/2.200.  The whole 10.77.1.0/24 network needs to be able to reach the server with IP 10.47.47.80 using HTTP.  The access list is in place on the guest interface to allow traffic to the server.  The problem is that when I do a packet trace to see the traffic flow, it is dropped on a NAT rpf-check.

NAT control is disabled.

fw-001# packet-tracer input languest tcp 10.77.1.2 4444 10.47.47.80 www detail

Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   10.47.32.0      255.255.224.0   inside

Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   10.77.1.0       255.255.255.0   languest

Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group languest in interface languest
access-list languest extended permit tcp 10.77.0.0 255.255.0.0 host 10.47.47.80 eq www
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xcf9a8d68, priority=12, domain=permit, deny=false
        hits=24, user_data=0xca3a2880, cs_id=0x0, flags=0x0, protocol=6
        src ip=10.77.0.0, mask=255.255.0.0, port=0
        dst ip=10.47.47.80, mask=255.255.255.255, port=80, dscp=0x0

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xcccf80d0, priority=0, domain=inspect-ip-options, deny=true
        hits=20976, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 6
Type: FOVER
Subtype: standby-update
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xcc9d9560, priority=21, domain=lu, deny=true
        hits=29, user_data=0x0, cs_id=0x0, flags=0x0, protocol=6
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=80, dscp=0x0

Phase: 7
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (languest,telenorguest) 10.77.1.0 10.77.1.0 netmask 255.255.255.0
  match ip languest 10.77.1.0 255.255.255.0 telenorguest any
    static translation to 10.77.1.0
    translate_hits = 3682, untranslate_hits = 6954
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xccd78a00, priority=5, domain=host, deny=false
        hits=16886022, user_data=0xccd783c0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip=10.77.1.0, mask=255.255.255.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 8
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
nat (inside) 1 0.0.0.0 0.0.0.0
  match ip inside any languest any
    dynamic translation to pool 1 (No matching global)
    translate_hits = 0, untranslate_hits = 0
Additional Information:
Forward Flow based lookup yields rule:
out id=0xccd6e600, priority=1, domain=nat-reverse, deny=false
        hits=25, user_data=0xccd6e390, cs_id=0x0, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Result:
input-interface: languest
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

Any ideas why this is happening?

Thanks


alejands
Level 1

Hello,

Is the server on the telenorguest interface?

And you want to access it from the languest interface, so you need to NAT the server for the telenorguest to see it.

Try with this static:

static (telenorguest,languest) 10.47.47.80 10.47.47.80

Let me know if this works for you


Ugh!!! So simple.  I should have thought of that.  Thanks :-)

If it wasn't obvious, it worked.
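The diagnosis and the fix from this thread, as an added example (not code from the original post, and not Cisco's): a small parser for the 8.2-style packet-tracer output above that locates the phase that dropped the flow and derives the identity static for the return path. The rpf-check in phase 8 fails because the reverse flow (server on inside back to the client on languest) matches `nat (inside) 1 0.0.0.0 0.0.0.0`, and there is no `global (languest) 1` for that interface pair, which is what "(No matching global)" is reporting; a static for the server toward languest (or a `nat (inside) 0 access-list` exemption) gives the reverse lookup a translation to use. Assumptions: the helper names (`parse_trace`, `find_drop`, `identity_static`) and the dataclasses are this example's own; `SAMPLE_TRACE` is an abbreviated copy of the trace posted above; and the generated static uses the interface pair the trace itself reports (output-interface inside, input-interface languest), so substitute telenorguest if the server actually sits there, as the accepted answer does.

```python
"""Find the dropping phase in ASA 8.2-style packet-tracer output and derive
the identity static that lets the return path pass the NAT rpf-check.

Added example for this thread; not code from the original post or from Cisco.
Helper names (parse_trace, find_drop, identity_static) are this example's own.
SAMPLE_TRACE is an abbreviated copy of the trace posted in the thread.
"""
import re
from dataclasses import dataclass, field

SAMPLE_TRACE = """\
fw-001# packet-tracer input languest tcp 10.77.1.2 4444 10.47.47.80 www detail

Phase: 7
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (languest,telenorguest) 10.77.1.0 10.77.1.0 netmask 255.255.255.0
  match ip languest 10.77.1.0 255.255.255.0 telenorguest any
Additional Information:
in  id=0xccd78a00, priority=5, domain=host, deny=false

Phase: 8
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
nat (inside) 1 0.0.0.0 0.0.0.0
  match ip inside any languest any
    dynamic translation to pool 1 (No matching global)
Additional Information:
out id=0xccd6e600, priority=1, domain=nat-reverse, deny=false

Result:
input-interface: languest
output-interface: inside
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

# Prompt line: packet-tracer input <ifc> <proto> <src> <sport> <dst> <dport> ...
CMD_RE = re.compile(
    r"packet-tracer\s+input\s+(?P<ifc>\S+)\s+(?P<proto>\S+)\s+"
    r"(?P<src>\S+)\s+\S+\s+(?P<dst>\S+)"
)


@dataclass
class Phase:
    number: int
    ptype: str
    subtype: str
    result: str
    config: list = field(default_factory=list)  # lines under "Config:"


@dataclass
class Trace:
    command: dict = field(default_factory=dict)  # ifc/proto/src/dst from the prompt
    phases: list = field(default_factory=list)
    summary: dict = field(default_factory=dict)  # the final "Result:" block


def _kv(line):
    key, _, value = line.partition(":")
    return key.strip(), value.strip()


def parse_trace(text):
    """Split the output into blank-line-separated blocks: prompt, phases, summary."""
    trace = Trace()
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = [ln.rstrip() for ln in block.splitlines()]
        head = lines[0]
        if "packet-tracer" in head:
            m = CMD_RE.search(head)
            if m:
                trace.command = m.groupdict()
        elif head.startswith("Phase:"):
            fields, config, section = {}, [], "fields"
            for line in lines:
                if line.startswith("Config:"):
                    section = "config"
                elif line.startswith("Additional Information:"):
                    section = "info"  # rule-id dump; not needed here
                elif section == "config":
                    config.append(line)
                elif section == "fields":
                    k, v = _kv(line)
                    fields[k] = v
            trace.phases.append(Phase(int(fields["Phase"]), fields.get("Type", ""),
                                      fields.get("Subtype", ""), fields.get("Result", ""),
                                      config))
        elif head.startswith("Result:"):
            trace.summary = dict(_kv(line) for line in lines[1:])
    return trace


def find_drop(trace):
    """First phase whose Result is DROP, or None when the flow was allowed."""
    return next((p for p in trace.phases if p.result.upper() == "DROP"), None)


def identity_static(trace):
    """8.2 syntax: static (real_ifc,mapped_ifc) mapped_ip real_ip netmask mask.
    The server is real on the output-interface and is shown unchanged on the
    input-interface, so the reverse lookup hits this static, not 'nat (inside) 1'."""
    host = trace.command["dst"]
    real_ifc, mapped_ifc = trace.summary["output-interface"], trace.summary["input-interface"]
    return f"static ({real_ifc},{mapped_ifc}) {host} {host} netmask 255.255.255.255"


if __name__ == "__main__":
    t = parse_trace(SAMPLE_TRACE)
    d = find_drop(t)
    if d is None:
        print("flow allowed")
    else:
        print(f"dropped in phase {d.number} ({d.ptype}/{d.subtype}) by: {d.config[0]}")
        print(f"firewall says: {t.summary.get('Drop-reason')}")
        print("proposed fix:", identity_static(t))
```

Run it as-is and it reports phase 8 (NAT/rpf-check) with the `nat (inside) 1` rule as the cause and prints `static (inside,languest) 10.47.47.80 10.47.47.80 netmask 255.255.255.255`. Two practical notes: connections the ASA already tracks keep their old xlates, so `clear xlate` may be needed before a new static applies to them; and an identity static exposes the server's real address to the guest segment, so keep the `languest` access-list as narrow as the one in the trace (one host, `eq www`) rather than widening it while troubleshooting.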
