NAT statement suddenly not working

mm6646
Level 1

Firewall: ASA 5550 VPN Premium license, Version 9.1(5)16

Incident as below:

NAT statement as below
===================

name 9.x.x.x NAT-E23ESMTP01

 nat (SMTP-YELLOW,inside) static 9.x.x.x
object network obj-202.x.x.x

object network NAT-E23ESMTP01
 host 9.x.x.x

object-group network NAT-AU-SMTP-Svrs_8
 network-object object NAT-E23ESMTP01

The above configuration suddenly stopped working.

I added the host below under the object group, and then it worked again:

object-group network NAT-AU-SMTP-Svrs_8
 network-object object NAT-E23ESMTP01
 network-object host 202.x.x.x

I also do not understand why it suddenly stopped working, and why it works again after adding the host (202.x.x.x) that is NATted.

Please advise.

 


 

 

 

2 Replies

Jouni Forss
VIP Alumni

Hi,

Can you check the NAT configuration again and paste it here? It seems to me that there is something missing from your above output, or it seems confusing to me.

For example, you first mention the actual "nat" command

nat (SMTP-YELLOW,inside) static 9.x.x.x

But I am not sure under which "network object" command this is configured? And what is the actual "host" address under the "object"? The info might be in your above post, but I want to make sure.

Also you mention an "object-group" configuration? This should have nothing to do with the above "nat" command, as it's an Auto NAT / Network Object NAT and "object-group" is not used as a parameter of those configurations.

Perhaps the "object-group" is related to an ACL? So the problem might actually be some ACL that is using the "object-group" that you mention.

Can you also provide a "packet-tracer" command output of the traffic that does not work or stops working? The format is

packet-tracer input <source interface> tcp <source ip> 12345 <destination ip> <destination port>

- Jouni

 

Hi Jouni,

Before adding the host:

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: DROP
Config:
access-group inside-IN-20130424 in interface inside
access-list inside-IN-20130424 extended deny tcp any4 any4 eq smtp 

 

 

The packet-tracer output shows the traffic denied by the any-any rule for the connection that stopped working, as above.

Below is Phase 3 of packet-tracer after adding the host below under AU-MAIL-RELAY-SRV-NAT_8:

network-object host 202.x.x.x

 

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside-IN-20130424 in interface inside
access-list inside-IN-20130424 extended permit tcp object-group SMTP-DLP-AU object-group AU-MAIL-RELAY-SRV-NAT_8 eq smtp 
object-group network SMTP-DLP-AU
 description: SMTP DLP Sensor AU 
 network-object host 9.x.x.x
object-group network AU-MAIL-RELAY-SRV-NAT_8
 network-object object NAT-E23ESMTP01      >> user said it was working before with this line, before adding the host below
 network-object host 202.x.x.x

 

 

I have just added the NATted IP of NAT-E23ESMTP01 (9.x.x.x).
Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
object network obj-202.x.x.x
 nat (SMTP-YELLOW,inside) static 9.110.x.x 
Additional Information:
NAT divert to egress interface SMTP-YELLOW
Untranslate 9.110.x.x/25 to 202.x.x.x/25

 
Phase: 8
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
object network obj-202.x.x.x
 nat (SMTP-YELLOW,inside) static 9.x.x.x
Additional Information:
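The two packet-tracer captures in this thread differ only in Phase 3: the first dies on the ACCESS-LIST phase, the second passes UN-NAT, ACCESS-LIST and the NAT rpf-check. As an added example (not code from the original post or from Cisco), the Python below parses packet-tracer output into its phases, reports the first phase whose Result is DROP, and pulls out the access-list entry that matched, so the "is it NAT or is it the ACL?" question Jouni raised can be answered mechanically from the capture. The two embedded captures are constructed from the redacted output above, with addresses left redacted as 9.x.x.x / 202.x.x.x exactly as posted.

```python
"""Parse Cisco ASA packet-tracer output into phases and locate the drop.

Added example for this thread, not code from the original post or from Cisco.
Sample captures are constructed from the poster's redacted output.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Phase:
    number: int
    type: str = ""
    subtype: str = ""
    result: str = ""
    config: List[str] = field(default_factory=list)  # lines after "Config:"
    info: List[str] = field(default_factory=list)    # lines after "Additional Information:"


def parse_packet_tracer(text: str) -> List[Phase]:
    """Split packet-tracer output into Phase records, in the order printed."""
    phases: List[Phase] = []
    current: Optional[Phase] = None
    section: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = re.match(r"^Phase:\s*(\d+)$", line)
        if m:
            current = Phase(number=int(m.group(1)))
            phases.append(current)
            section = None
            continue
        if current is None:
            continue  # preamble before the first "Phase:" header
        if line.startswith("Type:"):
            current.type = line.split(":", 1)[1].strip()
        elif line.startswith("Subtype:"):
            current.subtype = line.split(":", 1)[1].strip()
        elif line.startswith("Result:"):
            current.result = line.split(":", 1)[1].strip()
        elif line == "Config:":
            section = "config"
        elif line == "Additional Information:":
            section = "info"
        elif section == "config":
            current.config.append(line)
        elif section == "info":
            current.info.append(line)
    return phases


def first_drop(phases: List[Phase]) -> Optional[Phase]:
    """First phase with Result: DROP, or None when every phase allowed the flow."""
    return next((p for p in phases if p.result.upper() == "DROP"), None)


def matched_acl_entry(phase: Phase) -> Optional[str]:
    """For an ACCESS-LIST phase, the access-list line the packet matched."""
    return next((l for l in phase.config if l.startswith("access-list ")), None)


# Constructed from the poster's "before" capture: the flow dies in the ACL phase.
BEFORE = """\
Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: DROP
Config:
access-group inside-IN-20130424 in interface inside
access-list inside-IN-20130424 extended deny tcp any4 any4 eq smtp
"""

# Constructed from the poster's "after" capture (phases 1, 3 and 8 as shared).
AFTER = """\
Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
object network obj-202.x.x.x
 nat (SMTP-YELLOW,inside) static 9.x.x.x
Additional Information:
NAT divert to egress interface SMTP-YELLOW
Untranslate 9.x.x.x/25 to 202.x.x.x/25
Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside-IN-20130424 in interface inside
access-list inside-IN-20130424 extended permit tcp object-group SMTP-DLP-AU object-group AU-MAIL-RELAY-SRV-NAT_8 eq smtp
Phase: 8
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
object network obj-202.x.x.x
 nat (SMTP-YELLOW,inside) static 9.x.x.x
"""

if __name__ == "__main__":
    for label, capture in (("before", BEFORE), ("after", AFTER)):
        drop = first_drop(parse_packet_tracer(capture))
        if drop is None:
            print(f"{label}: all phases ALLOW")
        else:
            print(f"{label}: dropped in phase {drop.number} ({drop.type}/{drop.subtype}); "
                  f"matched: {matched_acl_entry(drop)}")
```

Reading the "before" capture this way shows the drop is an ACL decision (the implicit deny), not a NAT failure. On ASA 8.3 and later, interface access lists are evaluated against real, untranslated addresses after the UN-NAT phase, so the destination object-group in the permit rule needs to contain the real address behind the static NAT; the phase the parser isolates is the one to compare against the object-group contents when a flow like this stops matching.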