NAT Rule not working Static

Adam Coombs
Level 3

Hello, I have a problem with a NAT rule. I have set up a device (video conferencing) on the DMZ that needs to talk to the internet.

The NAT rule is just a normal setup:

 nat (DMZ,Outside) source static obj-192.168.69.125 obj-172.16.69.239

There is only one ACL for 192.168.69.125; it is a permit ip any:

access-list DMZ line 2 extended permit ip host 192.168.69.125 any log debugging interval 300

I have done a few captures off the firewall:

capture video interface dmZ match ip any host 192.168.69.125

I never see the 172.16.69.239 address.

capture video interface outside match ip any host 172.16.69.239

I never see the 192.168.69.125 address.

Here is the capture I was trying:

capture video type raw-data interface DMZ [Capturing - 0 bytes]
  match ip host 192.168.69.125 host 172.16.69.239

Any ideas or commands I can run?

Please.

8 Replies

What is the output of the packet-tracer when simulating traffic for that device?

packet-tracer input DMZ udp 192.168.69.125 1234 172.16.69.239 1234

--
If you found this post helpful, please give it Kudos. If my answer solves your problem, please click Accept as Solution so others can benefit from it.

Result:
input-interface: DMZ
input-status: up
input-line-status: up
output-interface: Outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (sp-security-failed) Slowpath security checks failed

 

Phases 1 through 9 all give the result ALLOW.

Please show the actual config of the ASA.


Firewall# packet-tracer input dmZ udp 192.168.69.125 1234 172.16.69.239 $

Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
MAC Access list

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   172.16.69.224  255.255.255.224 Outside

Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group DMZ in interface DMZ
access-list DMZ extended permit ip host 192.168.69.125 any log debugging
Additional Information:

Phase: 5
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (DMZ,Outside) source static obj-192.168.69.125 obj-172.16.69.239
Additional Information:
Static translate 192.168.69.125/1234 to 172.16.69.239/1234

Phase: 6
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group OUTSIDE out interface Outside control-plane
access-list OUTSIDE extended permit ip any4 any4 log debugging
Additional Information:

Phase: 9
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (DMZ,Outside) source static obj-192.168.69.125 obj-172.16.69.239
Additional Information:

Result:
input-interface: DMZ
input-status: up
input-line-status: up
output-interface: Outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (sp-security-failed) Slowpath security checks failed
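The trace above is the kind of thing worth parsing mechanically when you have several packet-tracer runs to compare. The following Python is an added example, not code from this thread or from Cisco: it splits a trace into its phases and flags the pattern seen here, where every phase reports ALLOW but the final action is still drop, so the Drop-reason string is the only lead. SAMPLE is a constructed excerpt of the trace quoted above.

```python
# Added example, not code from the thread: parse ASA packet-tracer output and
# report where a flow is dropped. SAMPLE is constructed from the thread's trace.
# diagnose() flags the thread's case: every phase ALLOW, yet the final action is drop.
def parse_packet_tracer(text):
    phases, final, cur, in_config, in_final = [], {}, None, False, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "Phase":                    # 'Phase: 5' opens a new record
            cur = {"number": int(value), "config": []}
            phases.append(cur)
            in_config = in_final = False
        elif key == "Result" and not value:   # bare 'Result:' opens final block
            in_final, cur = True, None
        elif in_final:
            final[key.lower()] = value        # e.g. final['drop-reason']
        elif cur is not None:
            if key in ("Type", "Subtype", "Result"):
                cur[key.lower()] = value
            elif key in ("Config", "Additional Information"):
                in_config = key == "Config"
            elif in_config:                   # rule text, e.g. the nat line
                cur["config"].append(line)
    return phases, final

def diagnose(text):
    phases, final = parse_packet_tracer(text)
    denied = [f'{p["number"]}:{p.get("type")}' for p in phases if p.get("result") != "ALLOW"]
    return {
        "action": final.get("action"),
        "drop_reason": final.get("drop-reason"),
        "denying_phases": denied,
        "nat_rules": sorted({c for p in phases if p.get("type") == "NAT" for c in p["config"]}),
        "dropped_after_all_allowed": final.get("action") == "drop" and not denied,
    }

SAMPLE = """Phase: 5
Type: NAT
Result: ALLOW
Config:
nat (DMZ,Outside) source static obj-192.168.69.125 obj-172.16.69.239
Additional Information:
Static translate 192.168.69.125/1234 to 172.16.69.239/1234
Result:
Action: drop
Drop-reason: (sp-security-failed) Slowpath security checks failed
"""
```

Feed it the full output of `show capture` or a pasted packet-tracer run; a non-empty `denying_phases` points at the ACL or NAT phase that rejected the flow, while an empty one with `action == "drop"` means the verdict came from the final security checks.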

In your first post you say that you translate to 172.16.69.125, but in the packet-tracer you translate to .239.

Please specify exactly how you want to translate the traffic and which systems should communicate exactly.


Sorry, I corrected it.

It is .239.

I found that I was missing an outside ACL line as well. I am now getting a username and password problem instead of "server has rejected the connection".

That means that for the ASA config everything is fine now?


Still working on this problem, but I believe this part is fixed.
