10-13-2014 07:44 AM - edited 03-11-2019 09:55 PM
Hello, I have a problem with a NAT rule. I have set up a device (video conferencing) on the DMZ that needs to talk to the internet.
The NAT rule is just a normal setup:
nat (DMZ,Outside) source static obj-192.168.69.125 obj-172.16.69.239
There is only one ACL entry for 192.168.69.125; it is a permit ip any:
access-list DMZ line 2 extended permit ip host 192.168.69.125 any log debugging interval 300
I have done a few captures on the firewall:
capture video interface dmZ match ip any host 192.168.69.125
I never see the 172.16.69.239 address.
capture video interface outside match ip any host 172.16.69.239
I never see the 192.168.69.125 address.
Here is the capture I was trying:
capture video type raw-data interface DMZ [Capturing - 0 bytes]
match ip host 192.168.69.125 host 172.16.69.239
Any ideas or commands I can run? Please.
10-13-2014 09:22 AM
What is the output of the packet-tracer when simulating traffic for that device?
packet-tracer input DMZ udp 192.168.69.125 1234 172.16.69.239 1234
10-13-2014 11:22 AM
Result:
input-interface: DMZ
input-status: up
input-line-status: up
output-interface: Outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (sp-security-failed) Slowpath security checks failed
Phases 1 through 9 all result in ALLOW.
10-13-2014 12:18 PM
Please show the actual config of the ASA.
10-13-2014 12:55 PM
Firewall# packet-tracer input dmZ udp 192.168.69.125 1234 172.16.69.239 $
Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
MAC Access list
Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list
Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 172.16.69.224 255.255.255.224 Outside
Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group DMZ in interface DMZ
access-list DMZ extended permit ip host 192.168.69.125 any log debugging
Additional Information:
Phase: 5
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (DMZ,Outside) source static obj-192.168.69.125 obj-172.16.69.239
Additional Information:
Static translate 192.168.69.125/1234 to 172.16.69.239/1234
Phase: 6
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 7
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 8
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group OUTSIDE out interface Outside control-plane
access-list OUTSIDE extended permit ip any4 any4 log debugging
Additional Information:
Phase: 9
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (DMZ,Outside) source static obj-192.168.69.125 obj-172.16.69.239
Additional Information:
Result:
input-interface: DMZ
input-status: up
input-line-status: up
output-interface: Outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (sp-security-failed) Slowpath security checks failed
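Reading a packet-tracer output like the one above by hand is error-prone, so here is an added example (not from the original thread and not Cisco's own tooling) of a small Python parser that splits the output into phases, pulls out the NAT translation line, and reports whether the drop is attributed to a listed phase or, as in this thread, happens after every listed phase shows ALLOW. SAMPLE is a subset of the output posted above; DENIED_SAMPLE is a constructed, hypothetical trace showing an ACL deny, and the only assumption is the output layout shown in the thread.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Subset of the packet-tracer output posted in the thread (phases 1, 3, 4, 5 and the verdict).
SAMPLE = """\
Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
MAC Access list
Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 172.16.69.224 255.255.255.224 Outside
Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group DMZ in interface DMZ
access-list DMZ extended permit ip host 192.168.69.125 any log debugging
Additional Information:
Phase: 5
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (DMZ,Outside) source static obj-192.168.69.125 obj-172.16.69.239
Additional Information:
Static translate 192.168.69.125/1234 to 172.16.69.239/1234
Result:
input-interface: DMZ
output-interface: Outside
Action: drop
Drop-reason: (sp-security-failed) Slowpath security checks failed
"""

# Constructed, hypothetical trace: the drop is attributed to a listed ACL phase.
DENIED_SAMPLE = """\
Phase: 1
Type: ACCESS-LIST
Subtype: log
Result: DROP
Config:
access-group DMZ in interface DMZ
access-list DMZ extended deny ip any any
Additional Information:
Result:
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""


@dataclass
class Phase:
    number: int
    type: str = ""
    subtype: str = ""
    result: str = ""
    config: List[str] = field(default_factory=list)   # lines under "Config:"
    info: List[str] = field(default_factory=list)     # lines under "Additional Information:"


@dataclass
class Trace:
    phases: List[Phase] = field(default_factory=list)
    final: Dict[str, str] = field(default_factory=dict)  # input-interface, Action, Drop-reason, ...

    @property
    def action(self) -> str:
        return self.final.get("Action", "")

    @property
    def drop_reason(self) -> str:
        return self.final.get("Drop-reason", "")

    def denied_phases(self) -> List[Phase]:
        return [p for p in self.phases if p.result.upper() != "ALLOW"]

    def nat_translation(self) -> Optional[str]:
        """The 'Static translate a/b to c/d' line from the first NAT phase that has one."""
        for p in self.phases:
            if p.type == "NAT":
                for line in p.info:
                    if "translate" in line:
                        return line
        return None


PHASE_RE = re.compile(r"^Phase:\s*(\d+)\s*$")
KV_RE = re.compile(r"^([A-Za-z][\w-]*):\s*(.*)$")


def parse_packet_tracer(text: str) -> Trace:
    trace = Trace()
    phase: Optional[Phase] = None
    section: Optional[str] = None   # "config" or "info" while inside a phase
    in_final = False
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        m = PHASE_RE.match(line)
        if m:
            phase = Phase(int(m.group(1)))
            trace.phases.append(phase)
            section = None
            continue
        if line == "Result:":           # a bare "Result:" opens the final verdict block
            in_final, phase = True, None
            continue
        if in_final:
            m = KV_RE.match(line)
            if m:
                trace.final[m.group(1)] = m.group(2)
            continue
        if phase is None:               # prompt / banner lines before Phase 1
            continue
        if line == "Config:":
            section = "config"
            continue
        if line == "Additional Information:":
            section = "info"
            continue
        m = KV_RE.match(line)
        if section is None and m and m.group(1) in ("Type", "Subtype", "Result"):
            setattr(phase, m.group(1).lower(), m.group(2))
        elif section == "config":
            phase.config.append(line)
        elif section == "info":
            phase.info.append(line)
    return trace


def drop_reason_code(trace: Trace) -> str:
    """The short code in parentheses, e.g. 'sp-security-failed'."""
    m = re.match(r"\((.*?)\)", trace.drop_reason)
    return m.group(1) if m else ""


def diagnose(trace: Trace) -> str:
    """One-line triage: where (if anywhere in the listed phases) the packet was dropped."""
    if trace.action.lower() == "allow":
        return "allowed"
    denied = trace.denied_phases()
    if denied:
        p = denied[0]
        return (f"dropped in phase {p.number} ({p.type}/{p.subtype or '-'}): "
                f"{' | '.join(p.config) or 'no config shown'}")
    return (f"dropped after all {len(trace.phases)} listed phases allowed; "
            f"drop-reason {trace.drop_reason!r} is not attributed to a listed phase")


if __name__ == "__main__":
    for name, text in (("thread", SAMPLE), ("constructed", DENIED_SAMPLE)):
        t = parse_packet_tracer(text)
        print(name, "->", diagnose(t), "| NAT:", t.nat_translation())
```

The useful distinction for triage is the last branch of diagnose: when every listed phase says ALLOW but the action is still drop, the ACL and NAT phases are not where to look, and the drop-reason code is what you take to the next step (a capture with `type asp-drop` or the platform's drop-reason documentation).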
10-13-2014 01:43 PM
In your first post you say that you translate to 172.16.69.125, but in the packet-tracer you translate to .239.
Please specify exactly how you want to translate the traffic and which systems should communicate exactly.
10-14-2014 05:51 AM
Sorry, I corrected it; it is .239.
I found that I was missing an outside ACL line as well. I am getting a username and password problem now, instead of "server has rejected the connection".
10-14-2014 06:38 AM
That means that, for the ASA config, everything is fine now?
10-14-2014 06:43 AM
Still working on this problem, but I believe this part is fixed.