Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
551
Views
0
Helpful
3
Replies

PAT is not working

napoleon1021
Level 1
Level 1

‎01-05-2015 09:49 PM - edited ‎03-11-2019 10:18 PM

I've configured PAT on my ASA and it's work but I don't know why that suddenly become not working (I remember it's seem become not working after active DMZ). For troubleshooting, I've tried to configure another PAT command and packet-tracer (below command, output and attched JPG), could any one can help me to check what's wrong with my ASA? thank you so much!!!!!!

 

Testing Command:
object network TEST_HTTP
host 192.168.0.34
nat(inside,outside) static interface service tcp http http
access-list ACL_TEST_HTTP permit tcy any host 192.168.0.34 eq www
access-group ACL_TEST_HTTP in interface outside
 

Output of Packet-Tracer

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   1.1.1.1   255.255.255.255 identity

Phase: 2
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7fff9eba4d20, priority=0, domain=nat-per-session, deny=false
        hits=13404968, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
        input_ifc=any, output_ifc=any

Phase: 3
Type: ACCESS-LIST
Subtype: 
Result: DROP  
Config:
Implicit Rule
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7fff9f5374c0, priority=0, domain=permit, deny=true
        hits=169080, user_data=0x9, cs_id=0x0, use_real_addr, flags=0x1000, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
        input_ifc=outside, output_ifc=any

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

 

 

 

Labels:
Preview file
113 KB
0 Helpful
3 Replies 3

Rishabh Seth
Level 7
Level 7

‎01-06-2015 12:57 AM

From packet tracer output, ii looks like UN-NAT is not happening,

In case you have any manual NAT for Inside to Outside, try pushing it after object NAT using "after-auto" command in manual NAT statement.

 

Hope it helps.

0 Helpful

napoleon1021
Level 1
Level 1
In response to Rishabh Seth

‎01-06-2015 05:52 PM

Hi risseth,

Thank you so much for your reply, may this beginner ask you a question, how can I do to re-order the manual NAT statement,

Thank you so much!!!! ^_^

 

 

0 Helpful

Rishabh Seth
Level 7
Level 7
In response to napoleon1021

‎01-06-2015 08:55 PM

config for after-auto would look like this:

***********************************************************

Without after-auto statement:

nat (inside,outside) source dynamic any interface

================================================

above mentioned nat with after-auto parameter in NAT statement:

nat (inside,outside) after-auto source dynamic any interface

 

hope it helps.

 

 

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card