
Problem with NAT

hilmarinex
Level 1

Hi,

I'm having a little problem. I have a server in DMZ2 which I have set up NAT for. It works perfectly to surf to a website that's running on the server in question from the inside network. However, when I try it from the outside, no luck.

It seems to me that another NAT rule is denying connection from the outside to the inside. Or this is what I read from packet tracer.

Any ideas on how to fix this?

Result of the command: "packet-tracer input WAN1 tcp 8.8.8.8 443 10.42.2.70 443 xml"

<Phase>
<id>1</id>
<type>ACCESS-LIST</type>
<subtype></subtype>
<result>ALLOW</result>
<config>
Implicit Rule
</config>
<extra>
MAC Access list
</extra>
</Phase>

<Phase>
<id>2</id>
<type>ROUTE-LOOKUP</type>
<subtype>input</subtype>
<result>ALLOW</result>
<config>
</config>
<extra>
in   10.42.2.0       255.255.255.0   DMZ2
</extra>
</Phase>

<Phase>
<id>3</id>
<type>ACCESS-LIST</type>
<subtype>log</subtype>
<result>ALLOW</result>
<config>
access-group WAN1 in interface WAN1
access-list WAN1 extended permit tcp any object start-ap-2.inexchange.com:8443 object-group DM_INLINE_TCP_4
object-group service DM_INLINE_TCP_4 tcp
port-object eq 8443
port-object eq https
</config>
<extra>
</extra>
</Phase>

<Phase>
<id>4</id>
<type>CONN-SETTINGS</type>
<subtype></subtype>
<result>ALLOW</result>
<config>
class-map class-default
match any
policy-map global_policy
class class-default
  set connection decrement-ttl
service-policy global_policy global
</config>
<extra>
</extra>
</Phase>

<Phase>
<id>5</id>
<type>IP-OPTIONS</type>
<subtype></subtype>
<result>ALLOW</result>
<config>
</config>
<extra>
</extra>
</Phase>

<Phase>
<id>6</id>
<type>VPN</type>
<subtype>ipsec-tunnel-flow</subtype>
<result>ALLOW</result>
<config>
</config>
<extra>
</extra>
</Phase>

<Phase>
<id>7</id>
<type>NAT</type>
<subtype>rpf-check</subtype>
<result>DROP</result>
<config>
object network NAT_DMZ2_to_WAN1
nat (DMZ2,WAN1) dynamic interface
</config>
<extra>
</extra>
</Phase>

<result>
<input-interface>WAN1</input-interface>
<input-status>up</input-status>
<input-line-status>up</input-line-status>
<output-interface>DMZ2</output-interface>
<output-status>up</output-status>
<output-line-status>up</output-line-status>
<action>drop</action>
<drop-reason>(acl-drop) Flow is denied by configured rule</drop-reason>
</result>

3 Replies

Jouni Forss
VIP Alumni

Hi,

Can you share the NAT configuration (partially remove the public IP address if you want)?

Also you should use the "packet-tracer" command with the actual NAT IP as the destination IP address.

Can you take the output of "packet-tracer" with the correct IP address (without the "xml" parameter) and copy/paste it here?

- Jouni

Michal Garcarz
Cisco Employee

That's because you use dynamic NAT:

object network NAT_DMZ2_to_WAN1
nat (DMZ2,WAN1) dynamic interface

You should use static if you wish to share that server on the WAN1 interface.

---

Michal

When pasting packet-tracer output, please don't use the option "xml" ...

It seems that the order of your NAT rules is wrong. Please paste the output of "show run nat".

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
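The trace in the question and the replies above (the dynamic-only NAT rule, and the request to post the trace without "xml") can be tied together with a small triage script. The following is an added example for this thread, not Cisco code and not code posted by anyone here: it parses the XML form of the packet-tracer output, finds the phase that returned DROP, and maps the NAT rpf-check failure onto the advice Michal gave (a dynamic interface PAT rule only translates connections leaving DMZ2 for WAN1, so a server that must be reached from WAN1 needs a static NAT). The sample input is an abridged copy of the trace pasted in the question; the diagnosis codes and function names are this script's own, not ASA terminology.

```python
"""Triage an ASA "packet-tracer ... xml" trace (added example, not Cisco code)."""
import re
import xml.etree.ElementTree as ET

# Abridged copy of the trace from the question: the ACL phase, the NAT
# rpf-check phase that dropped the packet, and the final <result> block.
# packet-tracer emits these elements without an enclosing root element.
SAMPLE_TRACE = """\
<Phase>
<id>3</id>
<type>ACCESS-LIST</type>
<subtype>log</subtype>
<result>ALLOW</result>
<config>
access-group WAN1 in interface WAN1
access-list WAN1 extended permit tcp any object start-ap-2.inexchange.com:8443 object-group DM_INLINE_TCP_4
</config>
<extra>
</extra>
</Phase>

<Phase>
<id>7</id>
<type>NAT</type>
<subtype>rpf-check</subtype>
<result>DROP</result>
<config>
object network NAT_DMZ2_to_WAN1
nat (DMZ2,WAN1) dynamic interface
</config>
<extra>
</extra>
</Phase>

<result>
<input-interface>WAN1</input-interface>
<output-interface>DMZ2</output-interface>
<action>drop</action>
<drop-reason>(acl-drop) Flow is denied by configured rule</drop-reason>
</result>
"""

# Diagnosis codes used by this script (not ASA names).
ALLOWED = "allowed"
DYNAMIC_NAT_NO_INBOUND = "dynamic-nat-blocks-inbound"
OTHER_DROP = "dropped-elsewhere"


def parse_trace(xml_text):
    """Return (phases, result) from raw packet-tracer XML output.

    The output has no root element, so it is wrapped in a synthetic <trace>.
    """
    root = ET.fromstring("<trace>" + xml_text + "</trace>")
    phases = []
    for node in root.findall("Phase"):
        phases.append({
            "id": int(node.findtext("id", "0")),
            "type": node.findtext("type", "").strip(),
            "subtype": node.findtext("subtype", "").strip(),
            "result": node.findtext("result", "").strip(),
            "config": node.findtext("config", "").strip(),
            "extra": node.findtext("extra", "").strip(),
        })
    result = {}
    res = root.find("result")
    if res is not None:
        for child in res:
            result[child.tag] = (child.text or "").strip()
    return phases, result


def find_drop_phase(phases):
    """First phase whose result is DROP, or None if every phase allowed."""
    for phase in phases:
        if phase["result"] == "DROP":
            return phase
    return None


def diagnose(phases, result):
    """Map the trace to (code, explanation). Keys off the phase list because the
    drop-reason string in <result> is generic ("acl-drop") even for NAT failures."""
    if result.get("action") != "drop":
        return ALLOWED, "packet-tracer allowed the flow"
    phase = find_drop_phase(phases)
    if phase is None:
        return OTHER_DROP, "no phase reported DROP: " + result.get("drop-reason", "")
    if phase["type"] == "NAT" and phase["subtype"] == "rpf-check":
        for line in phase["config"].splitlines():
            m = re.match(r"nat \(([^,)]+),([^)]+)\) dynamic", line.strip())
            if m:
                real_if, mapped_if = m.groups()
                return DYNAMIC_NAT_NO_INBOUND, (
                    "rpf-check failed on '%s': a dynamic rule only translates "
                    "connections from %s towards %s; connections arriving on %s "
                    "for the server need a static NAT for its real address."
                    % (line.strip(), real_if, mapped_if, mapped_if))
    return OTHER_DROP, "phase %d (%s %s): %s" % (
        phase["id"], phase["type"], phase["subtype"], result.get("drop-reason", ""))


if __name__ == "__main__":
    phases, result = parse_trace(SAMPLE_TRACE)
    print(diagnose(phases, result))
```

Run it on a full trace by replacing SAMPLE_TRACE with the saved output of packet-tracer; as Jouni notes, an outside-in test only means something when the destination is the public (mapped) address, and the script cannot tell from the XML which address was used.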
