06-02-2017 12:52 AM - edited 03-12-2019 02:27 AM
Hello,
I have an easy setup:
an outside interface with the IP address 172.21.241.205
and an SSH server on the inside interface with the address 192.168.242.200.
I create a network object:
object network FileServer
host 192.168.242.200
nat (inside,outside) static interface service tcp 22 22
Then:
access-list outside permit tcp any 192.168.242.200 255.255.255.255 eq 22
access-group outside in interface outside
But now when a client tries to access the server I get this error:
3 | Jun 02 2017 | 09:46:14 | 710003 | 172.21.241.216 | 52155 | 172.21.241.205 | 22 | TCP access denied by ACL from 172.21.241.216/52155 to outside:172.21.241.205/22 |
06-02-2017 02:12 AM
Can you post a "sh nat"?
Jon
06-05-2017 10:37 PM
Sorry for the delay.
Manual NAT Policies (Section 1)
1 (inside) to (outside) source dynamic any interface
translate_hits = 324345, untranslate_hits = 566120
2 (inside) to (Private) source dynamic any interface
translate_hits = 874, untranslate_hits = 0
3 (Private) to (inside) source dynamic any interface
translate_hits = 106, untranslate_hits = 0
Auto NAT Policies (Section 2)
1 (any) to (outside) source static FileServer interface service tcp www www
translate_hits = 0, untranslate_hits = 0
06-06-2017 02:49 AM
The problem is it is hitting rule 1 in section 1, so it never gets to section 2 where your rule is, and you can see this because there are no hits.
So either move your static NAT rule to section 1 and make sure it is first in the list (you can use line numbers), or move rule 1 in section 1 to section 3 using the "after-auto" keyword.
As a general rule you would usually put the dynamic NAT general rules in section 3 to avoid this type of thing, but note that moving it to section 3 will affect service temporarily, whereas moving your static NAT statement won't, as it isn't working anyway at the moment.
There is a great document on this site explaining all of this and a lot more; I'll see if I can find it for you.
Jon
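As an added illustration (constructed for this thread, not Jon's or Cisco's code): a small Python parser for the posted "sh nat" output that flags the ordering problem Jon describes, a section 2 static rule with zero untranslate hits sitting behind a section 1 dynamic interface-PAT rule on the same mapped interface. The sample text is the pre-fix output quoted above.

```python
import re

# Constructed sample: the "sh nat" output posted in the thread before the fix.
SH_NAT_BEFORE = """\
Manual NAT Policies (Section 1)
1 (inside) to (outside) source dynamic any interface
    translate_hits = 324345, untranslate_hits = 566120
2 (inside) to (Private) source dynamic any interface
    translate_hits = 874, untranslate_hits = 0
3 (Private) to (inside) source dynamic any interface
    translate_hits = 106, untranslate_hits = 0
Auto NAT Policies (Section 2)
1 (any) to (outside) source static FileServer interface service tcp www www
    translate_hits = 0, untranslate_hits = 0
"""

SECTION_RE = re.compile(r"\(Section (\d)\)")
RULE_RE = re.compile(r"^(\d+) \((\S+)\) to \((\S+)\) source (static|dynamic) (\S+) (\S+)(.*)$")
HITS_RE = re.compile(r"translate_hits = (\d+), untranslate_hits = (\d+)")

def parse_show_nat(text):
    """Return one dict per NAT rule, tagged with the section it was listed under."""
    rules, section = [], None
    for line in text.splitlines():
        line = line.strip()
        m = SECTION_RE.search(line)
        if m:
            section = int(m.group(1))   # "Manual ... (Section 1)", "Auto ... (Section 2)"
            continue
        m = RULE_RE.match(line)
        if m:
            rules.append({"section": section, "index": int(m.group(1)),
                          "src_ifc": m.group(2), "dst_ifc": m.group(3),
                          "kind": m.group(4), "real": m.group(5), "mapped": m.group(6),
                          "translate_hits": 0, "untranslate_hits": 0})
            continue
        m = HITS_RE.search(line)
        if m and rules:   # hit counters belong to the rule parsed just before them
            rules[-1]["translate_hits"] = int(m.group(1))
            rules[-1]["untranslate_hits"] = int(m.group(2))
    return rules

def shadowed_static_rules(rules):
    """Section 2 static rules with no untranslate hits that a section 1 dynamic
    'any' rule on the same mapped interface is evaluated ahead of."""
    findings = []
    for r in rules:
        if r["kind"] != "static" or r["section"] != 2 or r["untranslate_hits"] > 0:
            continue
        for d in rules:
            if (d["section"] == 1 and d["kind"] == "dynamic" and d["real"] == "any"
                    and d["dst_ifc"] == r["dst_ifc"] and d["mapped"] == r["mapped"]):
                findings.append((r["real"], d["index"]))   # (static object, shadowing rule no.)
    return findings
```

Running `shadowed_static_rules(parse_show_nat(SH_NAT_BEFORE))` reports `FileServer` as shadowed by section 1 rule 1, which is the hit-count evidence Jon points to.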
06-06-2017 03:02 AM
Something is still not working :(
sh nat
Auto NAT Policies (Section 2)
1 (any) to (outside) source static FileServer interface service tcp www www
translate_hits = 0, untranslate_hits = 0
Manual NAT Policies (Section 3)
1 (inside) to (IB2_Private) source dynamic any interface
translate_hits = 4, untranslate_hits = 0
2 (IB2_Private) to (inside) source dynamic any interface
translate_hits = 0, untranslate_hits = 0
3 (inside) to (outside) source dynamic any interface
translate_hits = 1796, untranslate_hits = 977
06-06-2017 03:09 AM
In your original post you are giving access to port 22, but in the NAT statement it is for port 80?
Can you clarify, and also can you run a packet tracer to see where it is failing?
Jon
06-06-2017 03:37 AM
Sorry, 80 is correct.
IB4FW1# packet-tracer input outside tcp 172.21.241.22 1024 172.21.241.205 80
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list
Phase: 2
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 192.168.242.200 using egress ifc inside
Phase: 3
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
object network FileServer
nat (any,outside) static interface service tcp www www
Additional Information:
NAT divert to egress interface inside
Untranslate 172.21.241.205/80 to 192.168.242.200/80
Phase: 4
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 172.21.241.129 using egress ifc outside
Phase: 5
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside in interface outside
access-list outside extended permit tcp any any object-group DM_INLINE_TCP_4
object-group service DM_INLINE_TCP_4 tcp
port-object eq www
port-object eq ssh
Additional Information:
Phase: 6
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside,outside) after-auto source dynamic any interface
Additional Information:
Phase: 7
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 8
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 9
Type: SFR
Subtype:
Result: ALLOW
Config:
class-map SFR
match access-list SFR
policy-map global_policy
description test
class SFR
sfr fail-open
service-policy global_policy global
Additional Information:
Phase: 10
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
description test
class inspection_default
inspect http
service-policy global_policy global
Additional Information:
Phase: 11
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
object network FileServer
nat (any,outside) static interface service tcp www www
Additional Information:
Phase: 12
Type: USER-STATISTICS
Subtype: user-statistics
Result: ALLOW
Config:
Additional Information:
Phase: 13
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 14
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 15
Type: USER-STATISTICS
Subtype: user-statistics
Result: ALLOW
Config:
Additional Information:
Phase: 16
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 366822, packet dispatched to next module
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: allow
06-06-2017 03:44 AM
According to the output it is working, i.e. it matches the correct NAT rule and is allowed through.
Are you still not seeing any hits on that rule in a "sh nat"?
Jon
06-06-2017 03:47 AM
Auto NAT Policies (Section 2)
1 (any) to (outside) source static FileServer interface service tcp www www
translate_hits = 0, untranslate_hits = 7
Manual NAT Policies (Section 3)
1 (IB2_Private) to (inside) source dynamic any interface
translate_hits = 7, untranslate_hits = 0
2 (inside) to (outside) source dynamic any interface
translate_hits = 8073, untranslate_hits = 3659
3 (inside) to (IB2_Private) source dynamic any interface
translate_hits = 4, untranslate_hits = 0
06-06-2017 03:50 AM
So it is working according to that.
Is the server on the same IP subnet as the inside interface, and is the default gateway of the server the ASA?
Jon
06-06-2017 04:25 AM
But this looks like something is still wrong:
Phase: 4
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 172.21.241.129 using egress ifc outside
06-06-2017 04:57 AM
Phase 2 picks the right interface, and if you look at the very end it is saying the inside interface is the output interface.
Are you sure there is not a problem with the server?
Jon
06-06-2017 10:07 PM
Thank you, the ASA works.
My server has a NIC in the same subnet as the ASA outgoing interface ;)
Thanks for your help.
Now everything works.
06-06-2017 02:25 AM
Try looking at the xlate to see if it's using the right one:
show xlate local 192.168.242.200
06-06-2017 02:36 AM
show xlate local 192.168.242.200
183 in use, 365 most used
Flags: D - DNS, e - extended, I - identity, i - dynamic, r - portmap,
s - static, T - twice, N - net-to-net
TCP PAT from any:192.168.242.200 80-80 to outside:172.21.241.205 80-80
flags sr idle 0:00:10 timeout 0:00:00