Regarding ASA

akash.deep
Level 1

I am having an issue understanding NATting in ASA; below is the issue I am having as of now.

Getting a drop: can you please go through it and let me know what the issue can be?

packet-tracer input outside tcp 166.77.235.144 2020 166.77.174.123 123

Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 166.77.35.2 using egress ifc  inside

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group acl-outside in interface outside
access-list acl-outside extended permit ip host 166.77.235.144 host 166.77.174.123
Additional Information:

Phase: 3
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: FOVER
Subtype: standby-update
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: CONN-SETTINGS
Subtype:
Result: ALLOW
Config:
class-map RT881625
 match access-list rt881625-conns-acl
policy-map RT881625-conns
 class RT881625
  set connection conn-max 0 embryonic-conn-max 0 random-sequence-number enable
service-policy RT881625-conns interface inside
Additional Information:

Phase: 8
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
object network natobj-166.77.0.0-16
 nat (inside,outside) dynamic pat-pool natobj-default-natpool
Additional Information:

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

====================

nat (inside,outside) source dynamic natobj-via-axciom natobj-axciom-natpool destination static natobj-axiom-nets natobj-axiom-nets
nat (dmz-dot12,outside) source static natobj-src-166.77.12.0-22 natobj-src-166.77.12.0-22 destination static natobj-dst-a2m natobj-dst-a2m
nat (dmz-dot12,outside) source dynamic natobj-src-166.77.12.0-22 natobj-global-nat destination static natobj-dst-hosting natobj-dst-hosting
nat (dmz-dot9,outside) source dynamic natobj-src-166.77.9.0-24 natobj-global-nat destination static natobj-dst-hosting natobj-dst-hosting
nat (outside,outside) source dynamic natobj-vpn-pool-uturn pat-pool natobj-default-natpool destination static natobj-dst-nets-uturn natobj-dst-nets-uturn
nat (outside,outside) source static servicenow-natobj-src-nets-uturn servicenow-natobj-src-nets-uturn destination static servicenow-natobj-dst-nets-uturn servicenow-natobj-dst-nets-uturn
nat (outside,outside) source static redspace-172.18.0.80 default-natpool-1 destination static wordpress-129.228.35.64 wordpress-129.228.35.64
nat (outside,outside) source static redspace-172.18.0.80 default-natpool-1 destination static 129.228.0.0 129.228.0.0
nat (inside,outside) source static any any destination static redspace-172.18.0.80 redspace-172.18.0.80
nat (inside,outside) source dynamic natobj-src-oneoffs pat-pool natobj-global-oneoffs
nat (inside,outside) source dynamic any pat-pool natobj-global-oneoffs destination static natobj-dst-oneoffs natobj-dst-oneoffs
nat (outside,outside) source static VPN_Hairpin VPN_Hairpin destination static VPN_Hairpin VPN_Hairpin
nat (inside,outside) source static natobj-src-tacacs natobj-src-tacacs destination static natobj-dst-tacas-devices natobj-dst-tacas-devices
nat (inside,outside) source static singapore-dr-us singapore-dr-us destination static singapore-dr-asia singapore-dr-asia
nat (dmz-dot12,outside) source static natobj-src-a2m natobj-src-a2m destination static natobj-dst-a2m natobj-dst-a2m route-lookup
nat (inside,outside) source static natobj-src-local-nets natobj-src-local-nets destination static natobj-dst-vpn-lan-to-lan-new natobj-dst-vpn-lan-to-lan-new
nat (dmz-dot8,outside) source static natobj-src-larsentoubro-local natobj-src-larsentoubro-local destination static natobj-dst-larsentoubro-remote natobj-dst-larsentoubro-remote
nat (inside,outside) source static natobj-src-local-nets natobj-src-local-nets destination static natobj-dst-vpn-lan-to-lan natobj-dst-vpn-lan-to-lan
nat (inside,outside) source static natobj-src-network-tools natobj-src-network-tools destination static natobj-dst-network-devices natobj-dst-network-devices
nat (inside,outside) source static pp-cl1-10-6-0-0 pp-cl1-10-6-0-0 destination static pp-bet-172-20-20-0 pp-bet-172-20-20-0
nat (inside,dmz-paramount) source static obj-1515-52fl-printers obj-1515-52fl-printers destination static obj-ppc-192-168-148-0 obj-ppc-192-168-148-0
nat (inside,outside) source static obj-10-0-0-0-24 obj-10-0-0-0-24 destination static obj-no-nat-bet obj-no-nat-bet
nat (inside,dmz-paramount) source static obj-no-nat-to-ppc obj-no-nat-to-ppc destination static obj-ppc-no-nat obj-ppc-no-nat
nat (inside,outside) source static natobj-172.16.0.0-12 166.77.6.4 destination static SterlingASA SterlingASA
nat (inside,dmz-paramount) source dynamic any interface
nat (inside,outside) source static natobj-166.77.0.0-16 166.77.6.4 destination static SterlingASA SterlingASA
nat (inside,outside) source static xbox-166.77.216.203 xbox-166.77.216.203
nat (inside,outside) source static xbox-216-184 xbox-public-6-218
nat (inside,outside) source dynamic any pat-pool nielsen-vpn-local destination static nielsen-vpn-remote nielsen-vpn-remote
nat (inside,dmz-paramount) source static natobj-src-viacom-no-nat natobj-src-viacom-no-nat destination static natobj-dst-paramount-no-nat natobj-dst-paramount-no-nat
nat (inside,outside) source static natobj-src-166.77.200.105 natobj-src-166.77.200.105 destination static 69.195.244.235 69.195.244.235
nat (inside,outside) source static 166.77.200.57 166.77.200.57 destination static 69.195.244.235 69.195.244.235
nat (inside,dmz-dot5) source static RFC-1918-Addresses RFC-1918-Addresses destination static DMZ-Networks DMZ-Networks
nat (inside,dmz-dot7) source static RFC-1918-Addresses RFC-1918-Addresses destination static DMZ-Networks DMZ-Networks
nat (inside,dmz-dot9) source static RFC-1918-Addresses RFC-1918-Addresses destination static DMZ-Networks DMZ-Networks
nat (inside,dmz-dot11) source static RFC-1918-Addresses RFC-1918-Addresses destination static DMZ-Networks DMZ-Networks
nat (inside,dmz-dot12) source static RFC-1918-Addresses RFC-1918-Addresses destination static DMZ-Networks DMZ-Networks
nat (inside,outside) source static 166.77.186.224 166.77.186.224 destination static 69.195.244.238 69.195.244.238
nat (inside,outside) source static natobj-src-166.77.200.105 natobj-src-166.77.200.105 destination static 69.195.244.238 69.195.244.238
nat (inside,outside) source static 166.77.199.147 166.77.199.147 destination static 172.20.90.0 172.20.90.0
nat (inside,outside) source static 166.77.199.223 166.77.199.223 destination static 172.20.90.0 172.20.90.0
nat (inside,outside) source static NATPOOL-166.77.35.128 NATPOOL-166.77.35.128 destination static 69.195.244.235 69.195.244.235
nat (dmz-lb-dmz,outside) source static natobj-src-local-nets natobj-src-local-nets destination static natobj-dst-larsentoubro-remote natobj-dst-larsentoubro-remote
nat (inside,outside) source static 10.40.122.20 10.40.122.20 destination static SterlingDECRU SterlingDECRU
nat (inside,outside) source static 10.40.122.21 10.40.122.21 destination static SterlingDECRU SterlingDECRU
nat (inside,outside) source dynamic any pat-pool natobj-global-bluejeans destination static GLB-bluejeans-nets GLB-bluejeans-nets
nat (inside,outside) source static any any destination static NETWORK_OBJ_172.18.251.0_24 NETWORK_OBJ_172.18.251.0_24 no-proxy-arp route-lookup
nat (inside,outside) source static natobj-src-local-nets natobj-src-local-nets destination static natobj-dst-aws-servers natobj-dst-aws-servers
nat (inside,outside) source static Jenkins_Server Jenkins_Server destination static DMQA_Network DMQA_Network
nat (outside,outside) source static redspace-172.18.0.80 default-natpool-1 destination static 129.228.31.145 129.228.31.145
nat (inside,outside) source static VPN-Wireless_Pools-DMQA VPN-Wireless_Pools-DMQA destination static DMQA_Router DMQA_Router
nat (inside,outside) source static obj_166.77.185.13 obj_166.77.185.13 destination static DMQA_Router DMQA_Router
nat (inside,outside) source static obj_166.77.185.14 obj_166.77.185.14 destination static DMQA_Router DMQA_Router
nat (inside,outside) source static obj_166.77.185.15 obj_166.77.185.15 destination static DMQA_Router DMQA_Router
nat (inside,outside) source static obj_166.77.185.123 obj_166.77.185.123 destination static DMQA_Router DMQA_Router
nat (inside,outside) source static obj_166.77.185.124 obj_166.77.185.124 destination static DMQA_Router DMQA_Router
nat (inside,outside) source static obj_166.77.206.28 obj_166.77.206.28 destination static DMQA_Router DMQA_Router
nat (inside,outside) source static natobj-src-sap natobj-src-sap
nat (inside,outside) source static natobj-src-sap natobj-src-sap destination static natobj-src-sap natobj-src-sap
nat (inside,outside) source static obj_imailrelay-server obj_imailrelay-server destination static DMQA_Router DMQA_Router
!
object network natobj-172.18.3.0-25
 nat (dmz-corpvpn,outside) dynamic pat-pool natobj-default-natpool
object network natobj-10.10.4.0-24
 nat (inside,outside) dynamic pat-pool natobj-default-natpool
object network natobj-192.21.120.0-23
 nat (inside,outside) dynamic pat-pool natobj-default-natpool
object network natobj-166.77.0.0-16

1 Reply

rvarelac
Level 7

Hi Akash, 

Looks like you have a bunch of NATs configured that might be overlapping this entry and causing that error. Try adding the "route-lookup" keyword at the end of the NATs that contain the same subnet or have the "any" statement.

Hope it helps

-Randy-
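The reply's suggestion (find the NAT rules on the same interface pair that use the same subnet object or `any` and lack `route-lookup`) can be automated for a large `show run nat` like the one quoted above. The following Python linter is an added example, not code from the thread or from Cisco; it assumes the ASA behaviour that section 1 (manual twice NAT) rules are evaluated in configuration order ahead of section 2 (object NAT) rules, and its regexes only cover the rule forms that appear in this thread. The embedded sample is a hand-picked subset of the question's own NAT lines; the object name `natobj-166.77.0.0-16` is the one named in the Phase 8 drop.

```python
"""Flag ASA twice-NAT (section 1) rules that may shadow an object NAT
(section 2) rule: same interface pair, source 'any' or the same object,
and no 'route-lookup' keyword. Added example; assumes section 1 is
evaluated in config order before section 2."""
import re
from dataclasses import dataclass

# Subset of the NAT lines quoted in the question (selection is ours).
SAMPLE_CONFIG = """\
nat (outside,outside) source dynamic natobj-vpn-pool-uturn pat-pool natobj-default-natpool destination static natobj-dst-nets-uturn natobj-dst-nets-uturn
nat (inside,outside) source static any any destination static redspace-172.18.0.80 redspace-172.18.0.80
nat (inside,outside) source dynamic any pat-pool natobj-global-oneoffs destination static natobj-dst-oneoffs natobj-dst-oneoffs
nat (inside,outside) source static natobj-166.77.0.0-16 166.77.6.4 destination static SterlingASA SterlingASA
nat (inside,dmz-paramount) source dynamic any interface
nat (inside,outside) source static any any destination static NETWORK_OBJ_172.18.251.0_24 NETWORK_OBJ_172.18.251.0_24 no-proxy-arp route-lookup
nat (inside,outside) source static natobj-src-sap natobj-src-sap
!
object network natobj-10.10.4.0-24
 nat (inside,outside) dynamic pat-pool natobj-default-natpool
object network natobj-166.77.0.0-16
 nat (inside,outside) dynamic pat-pool natobj-default-natpool
"""

# Manual (twice) NAT: 'nat (in,out) source static|dynamic REAL MAPPED
#   [destination static REAL MAPPED] [flags...]'; MAPPED may be 'pat-pool X'.
TWICE_NAT = re.compile(
    r"^nat \((?P<in>[^,]+),(?P<out>[^)]+)\) source (?P<kind>static|dynamic) "
    r"(?P<src_real>\S+) (?P<src_mapped>pat-pool \S+|\S+)"
    r"(?: destination static (?P<dst_real>\S+) (?P<dst_mapped>\S+))?"
    r"(?P<flags>(?: \S+)*)$")
# Object NAT: indented 'nat (in,out) static|dynamic MAPPED' under 'object network'.
OBJECT_NAT = re.compile(
    r"^\s+nat \((?P<in>[^,]+),(?P<out>[^)]+)\) (?P<kind>static|dynamic) (?P<mapped>.+)$")


@dataclass
class NatRule:
    section: int            # 1 = twice NAT (manual), 2 = object NAT
    ifaces: tuple           # (real interface, mapped interface)
    kind: str               # static | dynamic
    src_real: str           # for object NAT: the object name itself
    src_mapped: str
    dst_real: str = "any"
    dst_mapped: str = "any"
    flags: frozenset = frozenset()
    line: int = 0           # 1-based line in the input text


def parse_nat_config(text):
    """Parse a 'show run nat' style dump into NatRule records, in config order."""
    rules, current_object = [], None
    for n, raw in enumerate(text.splitlines(), 1):
        if raw.startswith("object network "):
            current_object = raw.split()[2]
            continue
        m = TWICE_NAT.match(raw)
        if m:
            rules.append(NatRule(1, (m["in"], m["out"]), m["kind"], m["src_real"],
                                 m["src_mapped"], m["dst_real"] or "any",
                                 m["dst_mapped"] or "any",
                                 frozenset(m["flags"].split()), n))
            continue
        m = OBJECT_NAT.match(raw)
        if m and current_object:
            rules.append(NatRule(2, (m["in"], m["out"]), m["kind"],
                                 current_object, m["mapped"], line=n))
    return rules


def shadowing_candidates(rules, obj_name):
    """Section-1 rules on the same interface pair as OBJ_NAME's object NAT rule
    whose source is 'any' or OBJ_NAME itself and which lack route-lookup.
    These are the rules the reply suggests reviewing; confirm each with
    packet-tracer before changing it."""
    pairs = {r.ifaces for r in rules if r.section == 2 and r.src_real == obj_name}
    return [r for r in rules
            if r.section == 1 and r.ifaces in pairs
            and r.src_real in ("any", obj_name)
            and "route-lookup" not in r.flags]


if __name__ == "__main__":
    parsed = parse_nat_config(SAMPLE_CONFIG)
    for r in shadowing_candidates(parsed, "natobj-166.77.0.0-16"):
        print(f"line {r.line}: {r.kind} {r.src_real} -> {r.src_mapped} "
              f"dst {r.dst_real} on {r.ifaces} (no route-lookup)")
```

Run against the full `show run nat` output rather than the sample, and treat the result as a review list: the linter only sees object names, not their contents, so two differently named objects that cover the same subnet will not be flagged, and a flagged rule is not necessarily wrong.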
