NAT Rule not working Static

Adam Coombs
Level 1

Hello, I have a problem with a NAT rule. I have set up a device (video conferencing) on the DMZ that needs to talk to the internet.

The NAT rule is just a normal setup:

 nat (DMZ,Outside) source static obj-192.168.69.125 obj-172.16.69.239

There is only one ACL entry for 192.168.69.125; it is a permit IP any:

access-list DMZ line 2 extended permit ip host 192.168.69.125 any log debugging interval 300

I have done a few captures on the firewall:

capture video interface dmZ match ip any host 192.168.69.125

I never see the 172.16.69.239 address.

capture video interface outside match ip any host 172.16.69.239

I never see the 192.168.69.125 address.

Here is the capture I was trying:

capture video type raw-data interface DMZ [Capturing - 0 bytes]
  match ip host 192.168.69.125 host 172.16.69.239

Any ideas or commands I can run?

Please.

8 Replies

What is the output of the packet-tracer when simulating traffic for that device?

packet-tracer input DMZ udp 192.168.69.125 1234 172.16.69.239 1234

Result:
input-interface: DMZ
input-status: up
input-line-status: up
output-interface: Outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (sp-security-failed) Slowpath security checks failed

After Phase 1 through 9 the results are allow.

Please show the actual config of the ASA.

Firewall# packet-tracer input dmZ udp 192.168.69.125 1234 172.16.69.239 $

Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
MAC Access list

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   172.16.69.224  255.255.255.224 Outside

Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group DMZ in interface DMZ
access-list DMZ extended permit ip host 192.168.69.125 any log debugging
Additional Information:

Phase: 5
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (DMZ,Outside) source static obj-192.168.69.125 obj-172.16.69.239
Additional Information:
Static translate 192.168.69.125/1234 to 172.16.69.239/1234

Phase: 6
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group OUTSIDE out interface Outside control-plane
access-list OUTSIDE extended permit ip any4 any4 log debugging
Additional Information:

Phase: 9
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (DMZ,Outside) source static obj-192.168.69.125 obj-172.16.69.239
Additional Information:

Result:
input-interface: DMZ
input-status: up
input-line-status: up
output-interface: Outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (sp-security-failed) Slowpath security checks failed
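An added example, not part of the thread: a small Python parser for packet-tracer output in the layout pasted above. It records each phase's result, pulls the "Static translate X to Y" line out of the NAT phase, and extracts the final Drop-reason code, so a run like this one (every phase ALLOW, final action drop) can be triaged by script instead of by eye. The sample text is constructed from the output above, abbreviated to one phase.

```python
import re
# Constructed sample in the layout packet-tracer prints (abbreviated to one phase).
SAMPLE = """\
Phase: 5
Type: NAT
Result: ALLOW
Config:
nat (DMZ,Outside) source static obj-192.168.69.125 obj-172.16.69.239
Additional Information:
Static translate 192.168.69.125/1234 to 172.16.69.239/1234

Result:
Action: drop
Drop-reason: (sp-security-failed) Slowpath security checks failed
"""

def parse_packet_tracer(text):
    """Return (phases, summary): a list of per-phase dicts and the final-result dict."""
    phases, summary, cur, section = [], {}, None, None
    for line in filter(str.strip, text.splitlines()):
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "Phase":                    # "Phase: N" opens a new phase block
            phases.append(cur := {"number": int(value), "Config": [], "Additional Information": []})
        elif key == "Result" and not value:   # bare "Result:" starts the final verdict
            cur = None
        elif cur is None:
            summary[key] = value              # input-interface, Action, Drop-reason, ...
        elif key in ("Config", "Additional Information"):
            section = cur[key]
        elif key in ("Type", "Subtype", "Result"):
            cur[key] = value
        elif section is not None:             # free-form detail lines under the last header
            section.append(line.strip())
    return phases, summary

def verdict(text):
    """Return (Action, drop-reason code, number of the first non-ALLOW phase or None)."""
    phases, summary = parse_packet_tracer(text)
    failed = next((p["number"] for p in phases if p.get("Result") != "ALLOW"), None)
    m = re.match(r"\((\S+)\)", summary.get("Drop-reason", ""))
    return summary.get("Action"), m.group(1) if m else None, failed

def nat_translation(text):
    """Return (pre-NAT, post-NAT) from a NAT phase's 'Static translate X to Y' line, else None."""
    phases, _ = parse_packet_tracer(text)
    lines = [l for p in phases if p.get("Type") == "NAT" for l in p["Additional Information"]]
    hits = [re.match(r"Static translate (\S+) to (\S+)", l) for l in lines]
    return next((m.groups() for m in hits if m), None)
```

When every phase is ALLOW but the final action is drop, as in the thread, the third element of verdict() is None and the drop-reason code is the only lead, which is why the replies ask for the full config rather than another phase listing.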

In your first post you say that you translate to 172.16.69.125, but in the packet-tracer you translate to .239.

Please specify exactly how you want to translate the traffic and which systems should communicate exactly.

Sorry, I corrected it.

It is .239.

I found that I was missing an outside ACL line as well. I am getting a username and password problem now, instead of "server has rejected the connection".

That means, for the ASA config, everything is fine now?

Still working on this problem, but I believe this part is fixed.