
NAT order in 8.2

mahesh18
Level 6

Hi everyone,

Here is the setup: traffic is coming from DMZ to inside and an ACL is there to allow it.

Source 192.168.134.186

Destination 10.71.30.61

Packet tracer shows:

packet-tracer input dmz  tcp   192.168.134.186   1024   10.71.30.61   636

Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
MAC Access list

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 10.71.30.0 255.255.255.0 inside

Phase: 4
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 192.168.134.0 255.255.255.0 dmz

Phase: 5
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group dmz in interface dmz
access-list dmz extended permit tcp object-group New_RHEL_Servers host 10.71.30.61 eq ldaps log
object-group network New_RHEL__Servers
network-object host 192.168.134.186
network-object host 192.168.134.189
Additional Information:

Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: FOVER
Subtype: standby-update
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
static (inside,dmz) 192.168.134.152 10.71.30.61 netmask 255.255.255.255
match ip inside host 10.71.30.61 dmz any
static translation to 192.168.134.152
translate_hits = 1, untranslate_hits = 121318
Additional Information:

Result:
input-interface: dmz
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

 

I tried these static NATs:

static (inside,dmz) 10.71.30.61 10.71.30.61 netmask 255.255.255.255

static (inside,dmz)192.168.134.186 192.168.134.186 netmask 255.255.255.255

But packet tracer still hits the below:

 

Type: NAT
Subtype: rpf-check
Result: DROP
Config:
static (inside,dmz) 192.168.134.152 10.71.30.61 netmask 255.255.255.255
match ip inside host 10.71.30.61 dmz any
static translation to 192.168.134.152
translate_hits = 1, untranslate_hits = 121318
Additional Information:

 

When I check the current static NAT config I see this:

static (inside,dmz) 192.168.134.152 10.71.30.61 netmask 255.255.255.255

I need to know, in 8.2 NAT, what the order of NAT preference is when we have static NAT configured.

Why is it not hitting my static NATs below?

static (inside,dmz) 10.71.30.61 10.71.30.61 netmask 255.255.255.255

static (dmz,inside)192.168.134.186 192.168.134.186 netmask 255.255.255.255

 

Regards

Mahesh
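As an added illustration (not part of the original post or of Cisco's code), the following constructed Python model reproduces the static-NAT stage of the 8.2 flow the packet-tracer output above shows: statics are evaluated in configuration order with first match winning, and the rpf-check requires that the address a dmz host sends to is the mapped address the inside host's replies would be translated to. It models only the static stage, not NAT exemption, policy NAT or dynamic NAT, and uses the statics quoted in this thread as sample input.

```python
"""Constructed model of ASA 8.2 static NAT matching and the NAT rpf-check."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Static:
    """One 'static (real_if,mapped_if) mapped real netmask mask' statement."""
    real_if: str
    mapped_if: str
    mapped: str
    real: str
    mask: str

    def real_net(self):
        return ipaddress.ip_network(f"{self.real}/{self.mask}", strict=False)

    def mapped_net(self):
        return ipaddress.ip_network(f"{self.mapped}/{self.mask}", strict=False)


def translate(ip, src_net, dst_net):
    """Carry the host offset of ip from src_net into dst_net (/32: plain swap)."""
    offset = int(ipaddress.ip_address(ip)) - int(src_net.network_address)
    return str(ipaddress.ip_address(int(dst_net.network_address) + offset))


def check_dmz_to_inside(statics, dst):
    """Packet arriving on dmz toward inside with destination dst.
    1) Untranslate dst if it is a mapped address of a static (inside,dmz).
    2) rpf-check: the first static (config order) covering the real
       destination must map it back to exactly the address the packet used."""
    ip = ipaddress.ip_address(dst)
    real_dst = dst
    for s in statics:
        if (s.real_if, s.mapped_if) == ("inside", "dmz") and ip in s.mapped_net():
            real_dst = translate(dst, s.mapped_net(), s.real_net())
            break
    for s in statics:  # first match wins, later statics are never consulted
        if (s.real_if, s.mapped_if) == ("inside", "dmz") and \
                ipaddress.ip_address(real_dst) in s.real_net():
            expected = translate(real_dst, s.real_net(), s.mapped_net())
            if expected != dst:
                return ("DROP", f"rpf-check: {real_dst} must be reached as {expected}")
            break
    return ("ALLOW", real_dst)


# Statics from the thread in configuration order; the poster's later identity
# static for 10.71.30.61 is appended last (sample input constructed here).
STATICS = [
    Static("inside", "dmz", "17.0.0.0", "17.0.0.0", "255.0.0.0"),
    Static("inside", "dmz", "10.70.65.0", "10.70.65.0", "255.255.255.0"),
    Static("inside", "dmz", "192.168.134.152", "10.71.30.61", "255.255.255.255"),
    Static("inside", "dmz", "10.71.30.61", "10.71.30.61", "255.255.255.255"),
]
```

Calling check_dmz_to_inside(STATICS, "10.71.30.61") returns DROP from the 192.168.134.152 static, as in the trace, while "192.168.134.152" is untranslated to 10.71.30.61 and allowed.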

 

3 Replies

Francesco Molino
VIP Alumni

Hi

 

Can you share your config please?

 

For NAT order, take a look at the following Cisco documentation and also a post made on the community:

https://www.cisco.com/c/en/us/td/docs/security/asa/asa82/configuration/guide/config/nat_overview.html#wp1079279

https://supportforums.cisco.com/t5/security-documents/asa-nat-keypoints-8-2-and-below/ta-p/3115982

 

Thanks

PS: Please don't forget to rate useful answers


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Hi,

 

Here is the NAT config:

global (dmz) 1 192.168.134.250

nat (inside) 1 0.0.0.0 0.0.0.0

The rest of the config is static, below:

static (inside,dmz) 17.0.0.0 17.0.0.0 netmask 255.0.0.0 

static (inside,dmz) 10.70.65.0 10.70.65.0 netmask 255.255.255.0 

 

static (inside,dmz) 192.168.134.152 10.71.30.61 netmask 255.255.255.255

 

Regards

Mahesh

Quite sure there is a misconfiguration. But for that I'll need to know what you want to achieve.

Can you please explain to me what your goal is?

 

Thanks.


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question