10-31-2013 06:51 AM - edited 03-11-2019 07:58 PM
Ok, so I had a scenario last night with NAT. I am going to post two configs: the first one is using static NAT and the second is using auto NAT. I'll just post the relevant portion. Can someone explain to me why the static NAT was not forwarding traffic? packet-tracer showed the rule being picked and that it was allowed. Configs are otherwise exactly the same except for the static vs. auto NAT, and packet-tracer has the same results for both implementations.
object network obj-10.50.1.2
 host 10.50.1.2
object network obj-10.50.1.200
 host 10.50.1.200
object service FACTS-SINGLE-PORTS
 service tcp destination eq telnet
object service SBS-Ports
 service tcp destination eq 3389
object service Service-Port-UDP-20
 service udp destination eq 20
object service Service-Port-TCP-20
 service tcp destination eq ftp-data
object service Service-Port-UDP-21
 service udp destination eq 21
object service Service-Port-TCP-21
 service tcp destination eq ftp
object service Service-Port-TCP-23
 service tcp destination eq telnet
object service Service-Port-UDP-11000
 service udp destination eq 11000
object service Service-Port-TCP-11000
 service tcp destination eq 11000
object service Service-Port-tcp-25
 service tcp destination eq smtp
object service Service-Port-tcp-47
 service tcp destination eq 47
object service Service-Port-udp-47
 service udp destination eq 47
object service Service-Port-tcp-80
 service tcp destination eq www
object service Service-Port-tcp-110
 service tcp destination eq pop3
object service Service-Port-tcp-443
 service tcp destination eq https
object service Service-Port-tcp-1723
 service tcp destination eq pptp
object service Service-Port-tcp-3389
 service tcp destination eq 3389
object service Service-Port-tcp-143
 service tcp destination eq imap4
nat (inside,outside) source static obj-10.50.1.200 interface service FACTS-UDP-RANGE FACTS-UDP-RANGE
nat (inside,outside) source static obj-10.50.1.200 interface service Service-Port-UDP-20 Service-Port-UDP-20
nat (inside,outside) source static obj-10.50.1.200 interface service Service-Port-TCP-20 Service-Port-TCP-20
nat (inside,outside) source static obj-10.50.1.200 interface service Service-Port-UDP-21 Service-Port-UDP-21
nat (inside,outside) source static obj-10.50.1.200 interface service Service-Port-TCP-21 Service-Port-TCP-21
nat (inside,outside) source static obj-10.50.1.200 interface service Service-Port-UDP-11000 Service-Port-UDP-11000
nat (inside,outside) source static obj-10.50.1.200 interface service Service-Port-TCP-11000 Service-Port-TCP-11000
nat (inside,outside) source static obj-10.50.1.2 interface service Service-Port-tcp-110 Service-Port-tcp-110
nat (inside,outside) source static obj-10.50.1.2 interface service Service-Port-tcp-443 Service-Port-tcp-443
nat (inside,outside) source static obj-10.50.1.2 interface service Service-Port-tcp-1723 Service-Port-tcp-1723
nat (inside,outside) source static obj-10.50.1.2 interface service Service-Port-tcp-3389 Service-Port-tcp-3389
nat (inside,outside) source static obj-10.50.1.2 interface service Service-Port-tcp-143 Service-Port-tcp-143
nat (inside,outside) source static obj-10.50.1.2 interface service Service-Port-tcp-25 Service-Port-tcp-25
nat (inside,outside) source static obj-10.50.1.200 interface service Service-Port-TCP-23 Service-Port-TCP-23
nat (inside,outside) source static obj-10.50.1.2 interface service Service-Port-tcp-80 Service-Port-tcp-80
object network obj_any
 nat (inside,outside) dynamic interface
______________________________________________________________________________________________________________________
object network obj_any
 nat (inside,outside) dynamic interface
object network 10.50.1.2_443
 nat (inside,outside) static interface service tcp https https
object network 10.50.1.2_110
 nat (inside,outside) static interface service tcp pop3 pop3
object network 10.50.1.2_1723
 nat (inside,outside) static interface service tcp pptp pptp
object network 10.50.1.2_3389
 nat (inside,outside) static interface service tcp 3389 3389
object network 10.50.1.2_143
 nat (inside,outside) static interface service tcp imap4 imap4
object network 10.50.1.2_25
 nat (inside,outside) static interface service tcp smtp smtp
object network 10.50.1.2_80
 nat (inside,outside) static interface service tcp www www
object network 10.50.1.200_udp_20
 nat (inside,outside) static interface service udp 20 20
object network 10.50.1.200_tcp_20
 nat (inside,outside) static interface service tcp ftp-data ftp-data
object network 10.50.1.200_udp_21
 nat (inside,outside) static interface service udp 21 21
object network 10.50.1.200_tcp_21
 nat (inside,outside) static interface service tcp ftp ftp
object network 10.50.1.200_udp_11000
 nat (inside,outside) static interface service udp 11000 11000
object network 10.50.1.200_tcp_11000
 nat (inside,outside) static interface service tcp 11000 11000
object network 10.50.1.200_tcp_23
 nat (inside,outside) static interface service tcp telnet telnet
10-31-2013 07:05 AM
Hi,
The first portion is Manual NAT / Twice NAT and the second portion is Auto NAT. Both of them are meant to be Static PAT (Port Forward) configurations I assume.
The problem with the first portion configuration is that the "object service" contents are wrong.
Instead of "service tcp destination" it should be "service tcp source" and then it would work.
To see the reason why the first portion of the configuration is wrong, we have to look at the Manual NAT / Twice NAT structure:
nat (sourceinterface,destinationinterface) source static
Or, if we only include the parameters you used, it would be (since you don't take into account any "destination" parameters):
nat (sourceinterface,destinationinterface) source static
So if you compare the basic structure above to your first portion configuration you will see that you have been configuring "source" parameters for the NAT configuration. So this means you would have to configure "source" parameters with regards to the services/ports also.
So for example, this:
object service FACTS-SINGLE-PORTS
 service tcp destination eq telnet
Should be this:
object service FACTS-SINGLE-PORTS
 service tcp source eq telnet
Hope the above made some sense.
Please do remember to mark a reply as the correct answer if it answered your question.
Feel free to ask more if needed though.
- Jouni
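The mistake described above is easy to catch mechanically: in a Manual NAT rule of the form "nat ... source static REAL MAPPED service SVC SVC", the referenced object service must use "source", not "destination". The lint below is an added example, not code from the thread or from Cisco; the CONFIG text is a constructed excerpt modelled on the first config in the question, and it reports offending object services and prints the corrected definition Jouni suggests.

```python
import re

# Constructed excerpt in the style of the question's Manual NAT config
# (one correct object service, Service-Port-udp-21, mixed in for contrast).
CONFIG = """\
object service FACTS-SINGLE-PORTS
 service tcp destination eq telnet
object service Service-Port-tcp-443
 service tcp destination eq https
object service Service-Port-udp-21
 service udp source eq 21
object network obj-10.50.1.2
 host 10.50.1.2
nat (inside,outside) source static obj-10.50.1.2 interface service Service-Port-tcp-443 Service-Port-tcp-443
nat (inside,outside) source static obj-10.50.1.2 interface service Service-Port-udp-21 Service-Port-udp-21
"""

SERVICE_RE = re.compile(r"^\s*service\s+(tcp|udp)\s+(source|destination)\s+eq\s+(\S+)")
NAT_RE = re.compile(r"^nat\s+\((\S+),(\S+)\)\s+source\s+static\s+(\S+)\s+(\S+)\s+service\s+(\S+)\s+(\S+)")


def parse_service_objects(config):
    """Map each 'object service' name to (protocol, direction, port)."""
    objects, current = {}, None
    for line in config.splitlines():
        if line.startswith("object "):
            # Only track 'object service'; any other object ends the current one.
            current = line.split()[2] if line.startswith("object service ") else None
        elif current and (m := SERVICE_RE.match(line)):
            objects[current] = (m.group(1), m.group(2), m.group(3))
    return objects


def lint_manual_nat(config):
    """Return (problems, fixes): problems lists service objects that are used in a
    'source static ... service' rule but defined with 'destination' (or undefined);
    fixes maps each such name to the corrected object-service definition."""
    objects = parse_service_objects(config)
    problems, fixes = [], {}
    for line in config.splitlines():
        m = NAT_RE.match(line)
        if not m:
            continue
        for name in dict.fromkeys((m.group(5), m.group(6))):  # real and mapped, deduplicated
            svc = objects.get(name)
            if svc is None:
                problems.append(f"{name}: service object not defined")
            elif svc[1] == "destination":
                proto, _, port = svc
                problems.append(f"{name}: uses 'destination' in a source-static rule")
                fixes[name] = f"object service {name}\n service {proto} source eq {port}"
    return problems, fixes
```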
10-31-2013 07:38 AM
Hi,
The after section specifies the service as UDP/21 and not TCP/21
EDIT: I guess it was edited to TCP/21 now
EDIT2: Whole reply removed it seems
- Jouni
10-31-2013 08:29 AM
Hi,
Did you manage to get the Manual NAT configurations working? I am just wondering, as you removed your last reply.
The configurations I mentioned above should do basically the same thing as the Auto NAT.
If you are switching NAT configurations around, I guess you could check that there are no old translations causing problems. Certain software levels also suffer from problems regarding Manual NAT, and more specifically there have been bugs related to FTP, for example.
Let us know what the situation is.
If the situation was solved with the above suggestion then please do remember to mark a reply as the correct answer.
- Jouni