08-11-2014 02:24 AM - edited 03-11-2019 09:36 PM
Hi..
I have an ASA 5525 running 9.1(2). I have an inside interface 10.110.10.0/24 and an outside network 115.112.94.0/27. I have NATed an inside server to the IP 115.112.94.10, and when trying to reach this public IP from an inside machine, I cannot reach it.
I have disabled anti-spoofing and enabled same-security permit traffic for inter- and intra-interface, and I also have an open ACL, but it still doesn't work.
Please help, what could be the issue?
08-11-2014 02:43 AM
Hi,
Could you please share your ASA config or NAT config?
HTH
Sandy
08-11-2014 05:24 AM
NAT config..
object network obj-10.110.10.112
nat (inside,outside) static 115.112.94.10
Interface Name IP address Subnet mask Method
GigabitEthernet0/0 outside 115.112.94.2 255.255.255.224 manual
GigabitEthernet0/1 inside 10.110.10.1 255.255.255.0 CONFIG
This IP (115.112.94.10) is reachable from the public network, but not from behind the firewall.
08-11-2014 05:46 AM
Hi Anukalp
Add an (inside,inside) NAT to make this work.
You are trying to do a U-turn here.
Try adding the following:
object network obj-10.110.10.112
nat (inside,inside) static 115.112.94.10
Cheers
Naveen
08-11-2014 06:13 AM
Hi.
Should I add the above NAT statement along with the one I shared above? Also let me know if it will cause any other issue, because this is a server and it is in production.
Also let me know if any ports are required to be allowed as well. I have already allowed all required ports from outside.
08-11-2014 06:22 AM
Hi
Add the commands below; this will not cause any issue for traffic. This configuration ensures NATing for inside-to-inside access.
object network Public_Server
host 115.112.94.10
nat (inside,inside) source dynamic any interface destination static Public_Server obj-10.110.10.112
same-security-traffic permit intra-interface
HTH
Sandy
08-11-2014 07:00 AM
Thanks Santosh. I have a guest network on the firewall too, and the guest network can connect to this server through the public IP only, so do I need to add any other NAT rule for this as well?
Interface Name IP address Subnet mask Method
GigabitEthernet0/0 outside 115.112.94.2 255.255.255.224 manual
GigabitEthernet0/1 inside 10.110.10.1 255.255.255.0 CONFIG
GigabitEthernet0/2 guest 192.168.1.1 255.255.255.0 CONFIG
08-11-2014 07:58 AM
Hi,
This NAT is applicable when you are connecting from the inside segment 10.110.10.0/24, not from the guest segment.
From the guest segment the server must be accessible with the public IP address.
HTH
Sandy
08-11-2014 08:14 AM
Hi Sandy, I need to get this access from the guest network. This guest network is like an inside network, but it has no connectivity to inside (denied by ACL); also, users connecting on the guest network get an IP from the pool configured on the firewall's guest interface. The guest network is allowed only for internet traffic and is NATed with one of the firewall's outside interface pool IPs. It can only communicate with the server's public IP.
Is it not possible to reach the public IP of the server from the guest network?
08-11-2014 09:39 AM
Can someone tell me if it is possible to access the NATed server IP from the guest network?
Please help.
08-11-2014 09:44 AM
It should work from the guest network. You should be able to access it via the public IP address without any issue.
HTH
Sandy
08-12-2014 06:10 AM
Hi Sandy, it is not working. The guest network is also dynamic PATed to an IP from the outside network pool, and this inside server is also static NATed to an IP from the outside network pool. Where is it getting blocked? Should there be no communication in this scenario?
08-12-2014 06:18 AM
Hi,
Can you share the packet-tracer output run from your DMZ interface towards the public IP address?
Otherwise, open a WebEx session to troubleshoot this.
HTH
Sandy
08-12-2014 07:30 AM
Hi,
please see the logs below.
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fff33eab610, priority=1, domain=permit, deny=false
hits=222687464, user_data=0x0, cs_id=0x0, l3_type=0x8
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0100.0000.0000
input_ifc=wireless, output_ifc=any
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 115.114.94.0 255.255.255.224 outside
Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group WIFI in interface wireless
access-list WIFI extended permit ip 192.168.1.0 255.255.255.0 any
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fff349c2950, priority=13, domain=permit, deny=false
hits=4244997, user_data=0x7fff2c4810c0, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=192.168.200.0, mask=255.255.255.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=wireless, output_ifc=any
Phase: 4
Type: NAT
Subtype:
Result: ALLOW
Config:
object network obj-192.168.1.0
nat (wireless,outside) dynamic 115.114.94.14
Additional Information:
Dynamic translate 192.168.1.144/0 to 115.114.94.14/65296
Forward Flow based lookup yields rule:
in id=0x7fff34e13cf0, priority=6, domain=nat, deny=false
hits=625308, user_data=0x7fff35a33c30, cs_id=0x0, flags=0x0, protocol=0
src ip/id=192.168.1.218, mask=255.255.255.192, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=wireless, output_ifc=outside
Phase: 5
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fff32fc1830, priority=0, domain=nat-per-session, deny=true
hits=73239394, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=any, output_ifc=any
Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fff34b458d0, priority=0, domain=inspect-ip-options, deny=true
hits=4297048, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=wireless, output_ifc=any
Phase: 7
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect icmp
service-policy global_policy global
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fff352fad60, priority=70, domain=inspect-icmp, deny=false
hits=10146, user_data=0x7fff35771490, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, tag=0, dscp=0x0
input_ifc=wireless, output_ifc=any
Phase: 8
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fff34b45200, priority=66, domain=inspect-icmp-error, deny=false
hits=19798, user_data=0x7fff33b9ea50, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, tag=0, dscp=0x0
input_ifc=wireless, output_ifc=any
Phase: 9
Type:
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fff36dd2f10, priority=18, domain=flow-export, deny=false
hits=1475363, user_data=0x7fff3553ca30, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=wireless, output_ifc=any
Phase: 10
Type: USER-STATISTICS
Subtype: user-statistics
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
out id=0x7fff3775d290, priority=0, domain=user-statistics, deny=false
hits=56046448, user_data=0x7fff34f8ffa0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=any, output_ifc=outside
Phase: 11
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0x7fff32fc1830, priority=0, domain=nat-per-session, deny=true
hits=73239396, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=any, output_ifc=any
Phase: 12
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0x7fff34af96a0, priority=0, domain=inspect-ip-options, deny=true
hits=128152752, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=outside, output_ifc=any
Phase: 13
Type: USER-STATISTICS
Subtype: user-statistics
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
out id=0x7fff3775d650, priority=0, domain=user-statistics, deny=false
hits=884040, user_data=0x7fff34f8ffa0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=any, output_ifc=wireless
Phase: 14
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 143923582, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_inspect_icmp
snp_fp_translate
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat
Module information for reverse flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_inspect_icmp
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat
Result:
input-interface: wireless
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow
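What the trace above tells you, and an added configuration example that is not part of the original thread. Phase 2 is a ROUTE-LOOKUP to outside and there is no UN-NAT phase before it, so the ASA never translated the public address back to the server's real address for a flow entering on the guest (wireless) interface; it only applied the wireless-to-outside dynamic PAT in Phase 4 and built a wireless-to-outside flow, which is why the "allow" result does not mean the server is reached. The missing piece is a manual (twice) NAT rule whose source interface is the guest interface and whose destination is the server object, mirroring the inside-to-inside rule posted earlier. Object and interface names below follow the thread (inside, guest, obj-10.110.10.112, Public_Server); the trace names the guest interface wireless and uses a 115.114.94.0/27 block, so substitute whatever the unit actually uses. The host line under obj-10.110.10.112, the GUEST_IN ACL and the packet-tracer invocation are assumptions for illustration.

```cisco
! Real server and its public address (NAT line as posted in the thread;
! the host line is assumed from the object name).
object network obj-10.110.10.112
 host 10.110.10.112
 nat (inside,outside) static 115.112.94.10

object network Public_Server
 host 115.112.94.10

! Hairpin for clients on the same interface as the server (inside -> inside).
! The client source is PATed to the inside interface IP so the server replies
! to the ASA rather than directly to the client, which would make the flow
! asymmetric and break it.
same-security-traffic permit intra-interface
nat (inside,inside) source dynamic any interface destination static Public_Server obj-10.110.10.112

! Guest clients reaching the server via its public IP. The real server sits on
! inside, so the rule pair is (guest,inside), not (guest,guest) or (guest,outside).
! Manual NAT lives in section 1, so it is matched before the object (auto) NAT
! PAT rule that currently sends guest traffic out the outside interface.
! Identity source NAT is assumed to be enough because the server's default
! gateway is the ASA, so replies to 192.168.1.0/24 come back through it.
nat (guest,inside) source static any any destination static Public_Server obj-10.110.10.112

! ACLs on ASA 8.3+ are evaluated against REAL addresses. The guest ACL must
! therefore permit the server's real IP even though clients address
! 115.112.94.10, and that permit must precede the deny that isolates guest
! from the rest of inside. Assumed ACL name and ordering.
access-list GUEST_IN extended permit ip 192.168.1.0 255.255.255.0 host 10.110.10.112
access-list GUEST_IN extended deny ip 192.168.1.0 255.255.255.0 10.110.10.0 255.255.255.0
access-list GUEST_IN extended permit ip 192.168.1.0 255.255.255.0 any
access-group GUEST_IN in interface guest

! Verify. A working hairpin shows a UN-NAT phase before ROUTE-LOOKUP and an
! output-interface of inside; an output-interface of outside means the
! destination was never untranslated, exactly as in the trace posted above.
packet-tracer input guest icmp 192.168.1.144 8 0 115.112.94.10
```

Two checks worth making after applying this on a production box: run show nat detail and confirm the new manual rule sits above the guest dynamic PAT and is collecting hits, and confirm the deny line for 10.110.10.0/24 still blocks a packet-tracer to any inside host other than the server, so the server exception does not quietly widen guest access.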
08-11-2014 07:41 AM
How can we connect to an outside address from inside? Those are for outsiders only, right? Insiders have only the inside address to use.