Problem with NAT with video call on ASA5510

kpoon
Beginner

Hello all,

We have a video system at 10.4.86.199 trying to call another system at 172.30.1.102.


The system at 10.4.86.199 receives the video image and sound, but 172.30.1.102 doesn't after the call is established.

10.4.86.199 actually contacts 10.40.86.102, which NATs to 172.30.1.102; it cannot contact 172.30.1.102 directly. It is done by design.

I've tried packet-tracer and it points to a problem with NAT, but I can't pinpoint it. Any help would be appreciated.

Please see attached config.

Thank you in advance.

16 Replies

Hi,

If I understand correctly, 10.4.86.199 should reach 10.40.86.102 to be able to get the service from 172.30.1.102.

172.30.1.102 NATs to 10.40.86.102.

In order to allow 10.4.86.199 to reach 10.40.86.102 you need a static NAT (which you have):
static (inside,E-40) 10.40.86.102 172.30.1.102 netmask 255.255.255.255

and also an ACL:

access-list Endo-40_access_in extended permit ip any object-group DM_INLINE_NETWORK_1
access-list Endo-40_access_in extended permit object-group DM_INLINE_SERVICE_1 any any

These should be permitting this traffic (all ports required to make this work).

Normally, if packet-tracer reports a problem (a NAT problem in this case), it should show you which NAT rule is causing the conflict.
Can you include that information?

Federico.

Hi Federico,

Here's the result:

ciscoasa# packet-tracer in E-40 tcp 10.4.86.199 12345 172.30.1.102 80

Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   172.30.1.0      255.255.255.0   inside

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group Entrust-40_access_in in interface E-40
access-list Entrust-40_access_in extended permit ip any any
Additional Information:
             
Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: SSM-DIVERT
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: SSM_SERVICE
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: SSM_SERVICE
Subtype:     
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside-out-acl out interface inside
access-list inside-out-acl extended permit ip object-group DM_INLINE_NETWORK_12 172.30.1.0 255.255.255.0
object-group network DM_INLINE_NETWORK_12
network-object 10.4.86.0 255.255.255.0
network-object 10.40.86.0 255.255.255.0
Additional Information:

Phase: 9
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
static (inside,E-40) 10.40.86.102 172.30.1.102 netmask 255.255.255.255
nat-control
  match ip inside host 172.30.1.102 E-40 any
    static translation to 10.40.86.102
    translate_hits = 15, untranslate_hits = 36
Additional Information:

Result:
input-interface: E-40
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

The test is incorrect.

You're attempting to reach 172.30.1.102 on port 80 from 10.4.86.199.

From 10.4.86.199 you should reach 10.40.86.102 (and the ASA will statically NAT it to 172.30.1.102).

Do the following test:

packet-tracer in E-40 tcp 10.4.86.199 12345 10.40.86.102 80

Federico.
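Why the first trace drops in Phase 9 and the second one should pass can be made concrete with a small model of the ASA's pre-8.3 static NAT rpf-check. This is an added example, not code from the thread or from Cisco: it models only the untranslate, route-lookup and rpf-check steps, using the static and the 172.30.1.0/24 route shown in the trace above; the route for 10.4.86.0/24 via E-40 is an assumption. The rpf-check asks whether a reply from the destination host would be translated back to the address the client actually used; a packet from E-40 addressed to the real address 172.30.1.102 fails that test because the reply source would be rewritten to 10.40.86.102, which is why only the mapped address works from the E-40 side.

```python
"""Model of the ASA (pre-8.3, nat-control) static NAT rpf-check phase.

Added example, not from the thread or from Cisco.  Reproduces the two
packet-tracer runs discussed above: tracing to the real address 172.30.1.102
from E-40 fails the rpf-check, tracing to the mapped address 10.40.86.102
passes and is untranslated.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network


@dataclass(frozen=True)
class StaticNat:
    """Equivalent of: static (real_if,mapped_if) mapped real netmask netmask."""
    real_if: str
    mapped_if: str
    mapped: str
    real: str
    netmask: str = "255.255.255.255"

    @property
    def real_net(self):
        return IPv4Network(f"{self.real}/{self.netmask}", strict=False)

    @property
    def mapped_net(self):
        return IPv4Network(f"{self.mapped}/{self.netmask}", strict=False)

    def to_mapped(self, real_ip):
        # keep the host offset inside the block so subnet statics also work
        return self.mapped_net.network_address + (int(real_ip) - int(self.real_net.network_address))

    def to_real(self, mapped_ip):
        return self.real_net.network_address + (int(mapped_ip) - int(self.mapped_net.network_address))


@dataclass(frozen=True)
class Packet:
    in_if: str
    src: str
    dst: str


def route_lookup(routes, dst):
    """Longest-prefix match over (prefix, interface) pairs; returns the egress interface."""
    dst = IPv4Address(dst)
    candidates = [(IPv4Network(p), i) for p, i in routes if dst in IPv4Network(p)]
    if not candidates:
        raise LookupError(f"no route to {dst}")
    return max(candidates, key=lambda c: c[0].prefixlen)[1]


def untranslate_dst(nats, in_if, dst):
    """A mapped address visible on in_if is untranslated to the real host."""
    dst = IPv4Address(dst)
    for nat in nats:
        if nat.mapped_if == in_if and dst in nat.mapped_net:
            return nat.to_real(dst), nat
    return dst, None


def translate_src(nats, in_if, out_if, src):
    """Forward static: a real source on in_if heading towards out_if gets its mapped address."""
    src = IPv4Address(src)
    for nat in nats:
        if nat.real_if == in_if and nat.mapped_if == out_if and src in nat.real_net:
            return nat.to_mapped(src)
    return src


def nat_rpf_check(nats, routes, pkt):
    """Return ('ALLOW' | 'DROP', detail) for the rpf-check phase.

    If the destination host answered, would the ASA translate that reply's
    source back to the address the client used?  If not, the flow is
    asymmetric and the packet is dropped, as the trace shows for 172.30.1.102.
    """
    dst = IPv4Address(pkt.dst)
    real_dst, hit = untranslate_dst(nats, pkt.in_if, dst)
    out_if = route_lookup(routes, real_dst)
    reply_src = translate_src(nats, out_if, pkt.in_if, real_dst)
    if reply_src != dst:
        return "DROP", (f"reply from {real_dst} on {out_if} would be translated to "
                        f"{reply_src}, not {dst}: asymmetric NAT")
    detail = f"untranslate {dst} -> {real_dst}" if hit else "no translation needed"
    return "ALLOW", f"egress {out_if}; {detail}"


# Taken from the posted static and the ROUTE-LOOKUP phase; the E-40 route is assumed.
NATS = [StaticNat("inside", "E-40", "10.40.86.102", "172.30.1.102")]
ROUTES = [("172.30.1.0/24", "inside"),   # from the trace above
          ("10.4.86.0/24", "E-40")]      # assumed: the calling endpoint sits behind E-40

if __name__ == "__main__":
    for target in ("172.30.1.102", "10.40.86.102"):
        print(target, nat_rpf_check(NATS, ROUTES, Packet("E-40", "10.4.86.199", target)))
```

Running it prints DROP for 172.30.1.102 and ALLOW with the untranslation for 10.40.86.102, matching the corrected packet-tracer command: from E-40 the video system must dial the mapped address, and the reverse direction (172.30.1.102 calling out) is what the static's translate_hits counter is counting.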