09-17-2014 12:32 PM - edited 03-11-2019 09:46 PM
Hi Experts,
One of my offices has a Cisco ASA 5510 with IOS 8.4(5). Everything is configured and working fine except the static NAT. I have a block of public IPs, which I used to configure static NAT. The internal server which is configured with static NAT is not getting internet or anything. When I remove the static NAT, it gets internet (through the WAN interface IP). The server is placed in the DMZ. I have allowed everything to the server but it is not working.
Regards,
EJAZ
09-23-2014 03:30 AM
Hi,
In your case the format for configuring Static NAT for the server would be
object network <object name>
host <server local ip>
nat (DMZ,Outside) static <public ip address> dns
This would bind the local IP address to the public IP address configured on the "nat" command. This would mean that outbound connections would also use this public IP address. If you had a similar Static PAT configuration already then you would not really need that UNLESS you are changing the mapped/local port in the "nat" command.
But configuring the Static NAT would already mean that it would override the Dynamic PAT for outgoing connections from this server. Naturally there is a small chance depending on your current complete NAT configuration that even this Static NAT might be overridden but I doubt it. If the above "packet-tracer" is for the DMZ server in question then there should be no problem.
- Jouni
09-17-2014 02:21 PM
Would help to see your ASA configuration to identify where the problem is.
Static NAT can be configured as follows:
object network SERVER
host 10.10.10.1
nat (inside,outside) static 11.11.11.1 tcp 80 80
or
object network SERVER
host 10.10.10.1
object network SERVER-NAT
host 11.11.11.1
object service WEB
service tcp destination eq www
nat (inside,outside) source static SERVER SERVER-NAT service WEB WEB
--
Please remember to select a correct answer and rate helpful posts
09-18-2014 12:10 AM
Hi Marius,
Thank you for the reply. Please see attached my config file.
Please note that I have three servers which are configured with static NAT, that are: 172.16.34.1, 172.16.34.2 and 172.16.34.3
Issue with 172.16.34.2 and 172.16.34.3 (Static NAT is not working for these servers)
Regards,
Ejaz
09-18-2014 12:10 AM
Could you please run the following packet tracer and post the output here
packet-tracer input outside tcp 4.2.2.2 12345 172.16.34.2 80 detail
This should give us an indication of what is causing the packet to drop.
--
Please remember to select a correct answer and rate helpful posts
09-18-2014 06:43 AM
Hi Marius,
Please see below the output:
ASA5510# packet-tracer input outside tcp 4.2.2.2 12345 172.16.34.2 80 detail ?
xml Output in xml format
<cr>
ASA5510# packet-tracer input outside tcp 4.2.2.2 12345 172.16.34.2 80 detail
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0xac0381c0, priority=1, domain=permit, deny=false
hits=16053, user_data=0x0, cs_id=0x0, l3_type=0x8
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0100.0000.0000
input_ifc=Outside, output_ifc=any
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 172.16.34.0 255.255.255.0 DMZ
Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 Outside
Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group OUTSIDE_DMZ_ACCESS_IN_ACL in interface Outside
access-list OUTSIDE_DMZ_ACCESS_IN_ACL extended permit tcp any object UCALLTEL-DMZ-A2BILLING01-172.16.34.2 eq www
Additional Information:
Forward Flow based lookup yields rule:
in id=0xac69f910, priority=13, domain=permit, deny=false
hits=0, user_data=0xa9862c00, cs_id=0x0, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=172.16.34.2, mask=255.255.255.255, port=80, dscp=0x0
input_ifc=Outside, output_ifc=any
Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xac03ccb0, priority=0, domain=inspect-ip-options, deny=true
hits=873, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
input_ifc=Outside, output_ifc=any
Phase: 6
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xaf133240, priority=70, domain=inspect-http, deny=false
hits=289, user_data=0xaf132770, cs_id=0x0, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=80, dscp=0x0
input_ifc=Outside, output_ifc=any
Phase: 7
Type: IDS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xaca29438, priority=50, domain=ids, deny=false
hits=393, user_data=0xaf58bd60, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
input_ifc=Outside, output_ifc=any
Phase: 8
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xad2d6908, priority=13, domain=ipsec-tunnel-flow, deny=true
hits=527, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
input_ifc=Outside, output_ifc=any
Phase: 9
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
object network NAT-INET-UCALLTEL-A2BILLING01-WWW
nat (DMZ,Outside) static 23.30.88.140 service tcp www www
Additional Information:
Forward Flow based lookup yields rule:
out id=0xac4e6ba0, priority=6, domain=nat-reverse, deny=false
hits=1, user_data=0xac4e5d88, cs_id=0x0, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=172.16.34.2, mask=255.255.255.255, port=80, dscp=0x0
input_ifc=Outside, output_ifc=DMZ
Result:
input-interface: Outside
input-status: up
input-line-status: up
output-interface: DMZ
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
Regards,
Ejaz
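The trace above drops at the NAT rpf-check phase, and the thread goes on to resolve it by re-running packet-tracer against the mapped (public) address. The helper below is an added example, not part of the thread or any Cisco tool: it parses packet-tracer output of the shape shown above into phases, reports the first phase that returned DROP together with its config lines, and flags that particular NAT rpf-check pattern. The sample trace is constructed and abbreviated, and its public address is a documentation placeholder.

```python
import re

# Constructed sample in the shape of the thread's first trace (abbreviated);
# the public address is a documentation placeholder, not the thread's.
SAMPLE_TRACE = """\
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Additional Information:
in 172.16.34.0 255.255.255.0 DMZ
Phase: 2
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
object network NAT-INET-UCALLTEL-A2BILLING01-WWW
nat (DMZ,Outside) static 203.0.113.10 service tcp www www
Result:
input-interface: Outside
output-interface: DMZ
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

PHASE_KEYS = ("Type", "Subtype", "Result")

def parse_phases(trace):
    """Split packet-tracer output into phase dicts, keeping NAT/ACL config lines."""
    phases, cur = [], None
    for line in trace.splitlines():
        if line.startswith("Phase: "):
            cur = {"phase": int(line[7:]), "config": []}
            phases.append(cur)
        elif line == "Result:":
            cur = None                 # bare "Result:" opens the final summary block
        elif cur is None:
            continue
        elif line.partition(":")[0] in PHASE_KEYS:
            key, _, val = line.partition(":")
            cur[key.lower()] = val.strip()
        elif line.startswith(("object ", "nat ", "access-list ", "access-group ")):
            cur["config"].append(line)
    return phases

def summarize(trace):
    """Report the final action, the drop reason and the first phase that returned DROP."""
    action = re.search(r"^Action: (\w+)", trace, re.M)
    reason = re.search(r"^Drop-reason: (.*)$", trace, re.M)
    dropped = [p for p in parse_phases(trace) if p.get("result") == "DROP"]
    out = {"action": action.group(1) if action else None,
           "drop_reason": reason.group(1) if reason else None,
           "dropped_phase": None, "config": [], "hint": None}
    if dropped:
        p = dropped[0]
        out["dropped_phase"] = f"{p['phase']} {p['type']}/{p['subtype']}"
        out["config"] = p["config"]
        if p["type"] == "NAT" and p["subtype"] == "rpf-check":
            # Same situation as the thread: a trace entering on Outside must use the
            # mapped (public) address as destination, not the real DMZ address.
            out["hint"] = "re-run the trace with the mapped (public) address as destination"
    return out
```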
09-18-2014 11:52 PM
Could you please run the packet tracer again, but this time exchange the 172.16.34.2 address with the translated (public) IP.
--
Please remember to select a correct answer and rate helpful posts
09-19-2014 01:08 AM
Hi Marius,
Please see the below output, I have changed the IP with Nated Public IP:
ASA5510# packet-tracer input outside tcp 4.2.2.2 12345 x.x.x.x 80 detail
Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
object network NAT-INET-UCALLTEL-A2BILLING01-WWW
nat (DMZ,Outside) static x.x.x.x service tcp www www
Additional Information:
NAT divert to egress interface DMZ
Untranslate x.x.x.x/80 to 172.16.34.2/80
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 Outside
Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group OUTSIDE_DMZ_ACCESS_IN_ACL in interface Outside
access-list OUTSIDE_DMZ_ACCESS_IN_ACL extended permit tcp any object UCALLTEL-DMZ-A2BILLING01-172.16.34.2 eq www
Additional Information:
Forward Flow based lookup yields rule:
in id=0xac69f910, priority=13, domain=permit, deny=false
hits=2, user_data=0xa9862c00, cs_id=0x0, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=172.16.34.2, mask=255.255.255.255, port=80, dscp=0x0
input_ifc=Outside, output_ifc=any
Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xac03ccb0, priority=0, domain=inspect-ip-options, deny=true
hits=7296, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
input_ifc=Outside, output_ifc=any
Phase: 5
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xaf133240, priority=70, domain=inspect-http, deny=false
hits=358, user_data=0xaf132770, cs_id=0x0, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=80, dscp=0x0
input_ifc=Outside, output_ifc=any
Phase: 6
Type: IDS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xaca29438, priority=50, domain=ids, deny=false
hits=701, user_data=0xaf58bd60, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
input_ifc=Outside, output_ifc=any
Phase: 7
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xad2d6908, priority=13, domain=ipsec-tunnel-flow, deny=true
hits=2432, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
input_ifc=Outside, output_ifc=any
Phase: 8
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
object network NAT-INET-UCALLTEL-A2BILLING01-WWW
nat (DMZ,Outside) static x.x.x.x service tcp www www
Additional Information:
Forward Flow based lookup yields rule:
out id=0xac4e6ba0, priority=6, domain=nat-reverse, deny=false
hits=3, user_data=0xac4e5d88, cs_id=0x0, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=172.16.34.2, mask=255.255.255.255, port=80, dscp=0x0
input_ifc=Outside, output_ifc=DMZ
Phase: 9
Type: USER-STATISTICS
Subtype: user-statistics
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
out id=0xaf119ad8, priority=0, domain=user-statistics, deny=false
hits=987, user_data=0xaf144310, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
input_ifc=any, output_ifc=DMZ
Phase: 10
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0xac0ef7b8, priority=0, domain=inspect-ip-options, deny=true
hits=812, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
input_ifc=DMZ, output_ifc=any
Phase: 11
Type: USER-STATISTICS
Subtype: user-statistics
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
out id=0xaf118a48, priority=0, domain=user-statistics, deny=false
hits=4656, user_data=0xaf144310, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
input_ifc=any, output_ifc=Outside
Phase: 12
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 31936, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_inspect_http
snp_fp_translate
snp_ids
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat
Module information for reverse flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_tcp_normalizer
snp_fp_inspect_http
snp_ids
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat
Result:
input-interface: Outside
input-status: up
input-line-status: up
output-interface: DMZ
output-status: up
output-line-status: up
Action: allow
Regards,
Ejaz
09-19-2014 02:18 AM
As per the packet tracer the traffic flow is allowed through the ASA. Have you made sure that the server is correctly configured, and that the traffic is being switched / routed correctly from the ASA to the server?
--
Please remember to select a correct answer and rate helpful posts
09-22-2014 11:41 PM
Hi Marius,
Thank you for the reply. As of now our development team is working with the server and it is not connected to the network. Once it is connected I will let you know the status.
Also can you give advise on the below issue:
In the same firewall configuration as I mentioned earlier, there is no NAT issue with the server 172.16.34.1. Only certain ports are forwarded to the server. I can connect the SIP with the NATed public IP to this server and everything is working fine for inbound traffic. But when a connection is going from the server (i.e. outbound) the server is using the firewall's WAN interface IP instead of its NAT IP. Why is it going like that? How can we change that?
Regards,
Ejaz
09-22-2014 11:51 PM
Hi,
You say that you have forwarded the required ports to the server so that inbound connections from the external networks can reach the server but that the problem is when the server opens outbound connections to the external networks? It uses a different public IP address?
The main question here is if any other device uses the public IP address that you have used to forward the ports (Static PAT)? If the public IP address used in the Static PAT configurations for the server is only used for that specific server then you should really change the Static PAT to Static NAT which would in turn mean that the server would use that public IP address for ALL outbound connections. At the same time it would also allow connections on any port inbound for the server (What is allowed is naturally determined by your interface ACL but what I mean is that you would not need any additional NAT configurations to allow connections to some port, only the ACL rule)
Hope this helps :)
- Jouni
09-23-2014 03:15 AM
Hi Jouni,
Thank you for the reply.
The NATed IP is only used by the server.
Let me know for any further queries.
Regards,
Ejaz
09-23-2014 12:28 AM
When you say going outbound do you mean internet traffic?
You could run the packet-tracer again to see which NAT it is matching (my assumption is that it is matching the dynamic NAT statement you have configured).
packet-tracer input outside tcp 172.16.34.2 12345 4.2.2.2 80 detail
I am thinking that the NAT statement is trying to match on the source port, and since the PC is sending with a random high port number it won't match and will therefore default to the dynamic NAT statement.
Also could you post your configuration again...I do not see it where you posted it earlier.
--
Please remember to select a correct answer and rate helpful posts
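Marius's point above (a static PAT with "service tcp www www" only matches when the real port is 80, so an outbound flow from a random high port falls through to the dynamic interface PAT) and Jouni's accepted answer earlier in the thread (a plain static NAT overrides the dynamic PAT for all of the server's outbound connections) can be checked against a small model of ASA object-NAT selection. This is an added example, not code from the thread or from Cisco: the public addresses are constructed placeholders, and the ordering it implements (object NAT evaluates static rules before dynamic ones, fewest real addresses first) is a simplification of the full ASA NAT table.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

# Constructed placeholder addresses (documentation range), not the thread's real ones.
OUTSIDE_IF_IP = "203.0.113.1"    # ASA "Outside" interface address
SERVER_PUBLIC = "203.0.113.10"   # public address dedicated to the DMZ server

@dataclass
class ObjectNat:
    """One 'nat (DMZ,Outside) ...' line under an 'object network' definition."""
    name: str
    real: str                                       # real host/subnet of the object
    kind: str                                       # "static" or "dynamic"
    mapped: str                                     # mapped address, or "interface"
    service: Optional[Tuple[str, int, int]] = None  # (proto, real_port, mapped_port)

    def matches_outbound(self, proto: str, src_ip: str, src_port: int) -> bool:
        if ip_address(src_ip) not in ip_network(self.real, strict=False):
            return False
        if self.service is None:
            return True                             # static NAT / dynamic PAT: any port
        s_proto, real_port, _ = self.service
        # A static PAT owns only flows that use its real port; an ephemeral
        # source port such as 12345 never matches it.
        return proto == s_proto and src_port == real_port

def translate_outbound(rules, proto, src_ip, src_port):
    """Return (matching rule name, mapped source IP) for a real->mapped flow."""
    # Object NAT order (simplified): static before dynamic, fewest real addresses first.
    ordered = sorted(rules, key=lambda r: (r.kind != "static",
                                           ip_network(r.real, strict=False).num_addresses))
    for rule in ordered:
        if rule.matches_outbound(proto, src_ip, src_port):
            mapped = OUTSIDE_IF_IP if rule.mapped == "interface" else rule.mapped
            return rule.name, mapped
    return None, src_ip                             # no rule: passes untranslated

# The two rules visible in the thread's packet-tracer output
STATIC_PAT = ObjectNat("NAT-INET-UCALLTEL-A2BILLING01-WWW", "172.16.34.2/32",
                       "static", SERVER_PUBLIC, ("tcp", 80, 80))
DYNAMIC_PAT = ObjectNat("UCALLTEL-DMZ-172.16.34.0", "172.16.34.0/24",
                        "dynamic", "interface")
# Jouni's fix: same object, static NAT with no 'service' clause
STATIC_NAT = ObjectNat("NAT-INET-UCALLTEL-A2BILLING01-WWW", "172.16.34.2/32",
                       "static", SERVER_PUBLIC)

def server_browsing_before_fix():   # ephemeral source port -> falls through to interface PAT
    return translate_outbound([STATIC_PAT, DYNAMIC_PAT], "tcp", "172.16.34.2", 12345)

def server_browsing_after_fix():    # static NAT binds every outbound flow to SERVER_PUBLIC
    return translate_outbound([STATIC_NAT, DYNAMIC_PAT], "tcp", "172.16.34.2", 12345)

def web_reply_before_fix():         # traffic sourced from tcp/80 did use the static PAT
    return translate_outbound([STATIC_PAT, DYNAMIC_PAT], "tcp", "172.16.34.2", 80)
```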
09-23-2014 03:03 AM
Hi
Please see below output:
ASA5510# packet-tracer input outside tcp 172.16.34.2 12345 4.2.2.2 80 detail
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 Outside
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 172.16.34.0 255.255.255.0 DMZ
Result:
input-interface: Outside
input-status: up
input-line-status: up
output-interface: Outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (rpf-violated) Reverse-path verify failed
Also I have attached the configuration file.
Regards,
Ejaz
09-23-2014 03:03 AM
Sorry I was a little fast with my copy/paste. Could you please re-run the packet tracer.
packet-tracer input DMZ tcp 172.16.34.2 12345 4.2.2.2 80 detail
--
Please remember to select a correct answer and rate helpful posts
09-23-2014 03:30 AM
Hi Marius,
Please see the below output;
ASA5510# packet-tracer input DMZ tcp 172.16.34.2 12345 4.2.2.2 80 detail
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 Outside
Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group DMZ_ACCESS_IN_ACL in interface DMZ
access-list DMZ_ACCESS_IN_ACL extended permit tcp object UCALLTEL-DMZ-172.16.34.0 any eq www
Additional Information:
Forward Flow based lookup yields rule:
in id=0xac8f43a8, priority=13, domain=permit, deny=false
hits=70, user_data=0xa9861c80, cs_id=0x0, use_real_addr, flags=0x0, protocol=6
src ip/id=172.16.34.0, mask=255.255.255.0, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=80, dscp=0x0
input_ifc=DMZ, output_ifc=any
Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xac0ef7b8, priority=0, domain=inspect-ip-options, deny=true
hits=3138, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
input_ifc=DMZ, output_ifc=any
Phase: 4
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xaf10e9e0, priority=70, domain=inspect-http, deny=false
hits=71, user_data=0xaf132770, cs_id=0x0, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=80, dscp=0x0
input_ifc=DMZ, output_ifc=any
Phase: 5
Type: IDS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xaee1b6b8, priority=50, domain=ids, deny=false
hits=779, user_data=0xaf58bd60, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
input_ifc=DMZ, output_ifc=any
Phase: 6
Type: NAT
Subtype:
Result: ALLOW
Config:
object network UCALLTEL-DMZ-172.16.34.0
nat (DMZ,Outside) dynamic interface
Additional Information:
Dynamic translate 172.16.34.2/12345 to x.30.x.x/12345
Forward Flow based lookup yields rule:
in id=0xac498108, priority=6, domain=nat, deny=false
hits=43994, user_data=0xac497728, cs_id=0x0, flags=0x0, protocol=0
src ip/id=172.16.34.0, mask=255.255.255.0, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
input_ifc=DMZ, output_ifc=Outside
Phase: 7
Type: USER-STATISTICS
Subtype: user-statistics
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
out id=0xaf118a48, priority=0, domain=user-statistics, deny=false
hits=14402, user_data=0xaf144310, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
input_ifc=any, output_ifc=Outside
Phase: 8
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0xac03ccb0, priority=0, domain=inspect-ip-options, deny=true
hits=17760, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
input_ifc=Outside, output_ifc=any
Phase: 9
Type: USER-STATISTICS
Subtype: user-statistics
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
out id=0xaf119ad8, priority=0, domain=user-statistics, deny=false
hits=3397, user_data=0xaf144310, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
input_ifc=any, output_ifc=DMZ
Phase: 10
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 139995, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_inspect_http
snp_fp_translate
snp_ids
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat
Module information for reverse flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_tcp_normalizer
snp_fp_inspect_http
snp_ids
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat
Result:
input-interface: DMZ
input-status: up
input-line-status: up
output-interface: Outside
output-status: up
output-line-status: up
Action: allow
Regards,
Ejaz