NAT problems with ASA 5512

l1amgatume
Level 1

 

Hi All,

I've been having some issues with NAT'ing. I have tried to read forums and docs but I'm not getting anywhere...

 

The problem I have is with a NAT for a video conference device.

 

My device is an ASA 5512:

Cisco Adaptive Security Appliance Software Version 9.4(1)

Device Manager Version 7.4(2)

 

We have three lines into the office. One for general use (OUTSIDE), one is a backup (ADSL) and one is for guest wifi and telephony (OUTSIDE_Guest). We are currently routing our guest wifi over the ADSL line while we get the VC working.

I’m trying to forward some ports from the external IP XX.XX.74.22 to the internal VC device 10.0.14.15.

I’ve added an object network host for the device, an access-list for the port ranges, an access-group and the static NAT for the device.

I can see from a tcpdump that traffic is getting to my device’s internal IP, but no traffic is getting back out.

I can also see my access list and nat counters incrementing when I telnet in…

I’m not sure I’m doing the packet traces correctly but I’ve attached the packet-tracer commands.

So, traffic is getting to my device but not routing back out.

Any help would be very much appreciated.

Thanks in advance.

Liam

2 Replies

Jon Marshall
Hall of Fame

Liam

Your first packet-tracer output is the correct one and it seems to be okay, i.e. it allows the packet, which matches with your ACLs incrementing.

Firstly, can you check the obvious, i.e. that the internal device has its default gateway set to 10.0.14.1.

If so, can you try running a packet-tracer from the inside, e.g.:

packet-tracer input VC tcp 10.0.14.15 1720 12.12.12.1 12345

and see what you get.

Finally I haven't used PBR on the ASAs so it may be an issue with that.

You may want to move this thread to the Firewalling forum where you are more likely to get an answer.

Jon

 

Hi Jon,

Yes, I've double checked the internal device. It's able to make calls outbound so traffic can leave it normally.

Packet trace appears to be OK.

Will move this to firewalls as per your advice.

Thanks,

Liam

 

packet-tracer input VC tcp 10.0.14.15 1720 12.12.12.1 12345

Phase: 1
Type: PBR-LOOKUP
Subtype: policy-route
Result: ALLOW
Config:
route-map Default_Mapping permit 40
 match ip address VC
 set ip next-hop xx.xx.74.21
 set interface OUTSIDE_Guest
Additional Information:
 Matched route-map Default_Mapping, sequence 40, permit
 Found next-hop xx.xx.74.21 using egress ifc OUTSIDE_Guest

Phase: 2
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (VC,OUTSIDE_Guest) source static VideoConfDevice interface
Additional Information:
Static translate 10.0.14.15/1720 to xx.xx.74.22/1720

Phase: 3
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (VC,OUTSIDE_Guest) source static VideoConfDevice interface
Additional Information:

Phase: 6
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 1736993, packet dispatched to next module

Result:
input-interface: VC
input-status: up
input-line-status: up
output-interface: OUTSIDE_Guest
output-status: up
output-line-status: up
Action: allow
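When a forward-direction trace passes on every phase, as the one above does, the next step is usually to compare it against the reverse-direction trace and look for the first phase that is not ALLOW, and to check that the interface the NAT rule is bound to is the interface the packet actually leaves on (here PBR chose OUTSIDE_Guest and the NAT rule is (VC,OUTSIDE_Guest), so they agree). The script below is an added example, not part of the thread: a small Python parser for the packet-tracer output format shown in the post that extracts the phases, the final summary block, the first non-ALLOW phase and any disagreement between a matched NAT rule's mapped interface and the real egress interface. The embedded sample is abridged from the trace posted above (phases 3 to 8 omitted; they were all ALLOW); the helper names are my own.

```python
"""Parse Cisco ASA `packet-tracer` output: first non-ALLOW phase, final egress
interface, and whether the matched NAT rule is bound to that egress interface."""
import re
from dataclasses import dataclass, field


@dataclass
class Phase:
    number: int
    type: str = ""
    subtype: str = ""
    result: str = ""
    config: list = field(default_factory=list)   # lines under "Config:"
    info: list = field(default_factory=list)     # lines under "Additional Information:"


def parse_packet_tracer(text):
    """Return (phases, summary); summary is the key/value block after the bare 'Result:'."""
    phases, summary, cur, section, in_summary = [], {}, None, None, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = re.fullmatch(r"Phase:\s*(\d+)", line)
        if m:
            cur = Phase(int(m.group(1)))
            phases.append(cur)
            section, in_summary = None, False
        elif line == "Result:":  # a bare 'Result:' opens the final summary block
            cur, in_summary = None, True
        elif in_summary:
            key, _, value = line.partition(":")
            summary[key.strip()] = value.strip()
        elif cur is None:
            pass  # echoed command line or other preamble before the first phase
        elif line.startswith(("Type:", "Subtype:", "Result:")):
            key, _, value = line.partition(":")
            setattr(cur, key.lower(), value.strip())
        elif line == "Config:":
            section = "config"
        elif line == "Additional Information:":
            section = "info"
        elif section:
            getattr(cur, section).append(line)
    return phases, summary


def first_drop(phases):
    """First phase whose result is not ALLOW, or None if every phase passed."""
    return next((p for p in phases if p.result != "ALLOW"), None)


NAT_RE = re.compile(r"nat\s*\((\w+),(\w+)\)")   # nat (real_ifc,mapped_ifc) ...


def nat_egress_mismatches(phases, summary):
    """(phase, NAT mapped interface, actual egress) for every matched NAT rule bound to a
    different interface than the one the packet finally left on: routing and NAT disagree."""
    egress = summary.get("output-interface")
    return [(p.number, m.group(2), egress)
            for p in phases for cfg in p.config
            if (m := NAT_RE.search(cfg)) and m.group(2) != egress]


# Abridged from the trace in the post above (phases 3-8 omitted; all were ALLOW).
SAMPLE_FROM_POST = """\
packet-tracer input VC tcp 10.0.14.15 1720 12.12.12.1 12345

Phase: 1
Type: PBR-LOOKUP
Subtype: policy-route
Result: ALLOW
Config:
Additional Information:
 Found next-hop xx.xx.74.21 using egress ifc OUTSIDE_Guest

Phase: 2
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (VC,OUTSIDE_Guest) source static VideoConfDevice interface
Additional Information:
Static translate 10.0.14.15/1720 to xx.xx.74.22/1720

Result:
input-interface: VC
output-interface: OUTSIDE_Guest
Action: allow
"""

if __name__ == "__main__":
    phases, summary = parse_packet_tracer(SAMPLE_FROM_POST)
    print("first non-ALLOW phase:", first_drop(phases))
    print("egress:", summary.get("output-interface"), "action:", summary.get("Action"))
    print("NAT/egress mismatches:", nat_egress_mismatches(phases, summary))
```

Run it against the reverse trace too (`packet-tracer input OUTSIDE_Guest tcp 12.12.12.1 12345 xx.xx.74.22 1720`, as the original post did): on a trace that fails, `first_drop` returns the phase to read, and the summary dict carries the `Drop-reason` line the ASA prints after `Action: drop`. A non-empty `nat_egress_mismatches` result on either direction points at routing (static or PBR) sending the flow out an interface other than the one the NAT rule names.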
