Simple PAT/NAT on asa

Snakekick
Level 1

Hello,

I have an easy setup.

An outside interface with the IP address 172.21.241.205

and an SSH server on the inside interface with the address 192.168.242.200

I create a network object:

object network FileServer
 host 192.168.242.200
 nat (inside,outside) static interface service tcp 22 22

then

access-list outside permit tcp any 192.168.242.200 255.255.255.255 eq 22

access-group outside in interface outside

But now when a client tries to access the server I get this error:

3 Jun 02 2017 09:46:14 710003 172.21.241.216 52155 172.21.241.205 22 TCP access denied by ACL from 172.21.241.216/52155 to outside:172.21.241.205/22



Jon Marshall
Hall of Fame

Can you post a "sh nat"?

Jon

Sorry for the delay.

Manual NAT Policies (Section 1)
1 (inside) to (outside) source dynamic any interface
translate_hits = 324345, untranslate_hits = 566120
2 (inside) to (Private) source dynamic any interface
translate_hits = 874, untranslate_hits = 0
3 (Private) to (inside) source dynamic any interface
translate_hits = 106, untranslate_hits = 0

Auto NAT Policies (Section 2)

1 (any) to (outside) source static FileServer interface service tcp www www
translate_hits = 0, untranslate_hits = 0

The problem is it is hitting rule 1 in section 1, so it never gets to section 2 where your rule is, and you can see this because there are no hits.

So either move your static NAT rule to section 1 and make sure it is first in the list (you can use line numbers), or move rule 1 in section 1 to section 3 using the "after-auto" keyword.

As a general rule you would usually put the general dynamic NAT rules in section 3 to avoid this type of thing, but note that moving it to section 3 will affect service temporarily, whereas moving your static NAT statement won't as it isn't working anyway at the moment.

There is a great document on this site explaining all of this and a lot more; I'll see if I can find it for you.

Jon
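As an added illustration (not code from the thread or from Cisco), a small Python check that parses the "sh nat" output posted above and flags a static "interface" rule that an earlier dynamic "any interface" PAT rule on the same mapped interface claims first, which is the section-ordering problem Jon describes. The sample input is abridged from the output in this thread.

```python
import re

# Abridged "sh nat" output from the thread, before the fix: the section 1 manual
# PAT rule is evaluated before the section 2 auto (object) static rule.
SH_NAT_BEFORE = """\
Manual NAT Policies (Section 1)
1 (inside) to (outside) source dynamic any interface
translate_hits = 324345, untranslate_hits = 566120
3 (Private) to (inside) source dynamic any interface
translate_hits = 106, untranslate_hits = 0

Auto NAT Policies (Section 2)
1 (any) to (outside) source static FileServer interface service tcp www www
translate_hits = 0, untranslate_hits = 0
"""
SECTION_RE = re.compile(r"\(Section (\d)\)")
RULE_RE = re.compile(r"^(\d+) \((\S+)\) to \((\S+)\) source (static|dynamic) (\S+) (\S+)\s*(.*)$")
HITS_RE = re.compile(r"translate_hits = (\d+), untranslate_hits = (\d+)")

def parse_show_nat(text):
    """Parse 'show nat' into rule dicts, ordered as the ASA evaluates them (section 1, 2, 3)."""
    rules, section, rule = [], None, None
    for line in text.splitlines():
        if m := SECTION_RE.search(line):
            section = int(m.group(1))
        elif m := RULE_RE.match(line.strip()):
            rule = dict(section=section, num=int(m.group(1)), src_if=m.group(2), dst_if=m.group(3),
                        kind=m.group(4), real=m.group(5), mapped=m.group(6), service=m.group(7))
        elif (m := HITS_RE.search(line)) and rule:
            rule["translate_hits"], rule["untranslate_hits"] = int(m.group(1)), int(m.group(2))
            rules.append(rule)
            rule = None
    return sorted(rules, key=lambda r: (r["section"], r["num"]))

def shadowed_static_rules(rules):
    """Static 'interface' rules preceded by a dynamic 'any interface' rule on the same mapped interface."""
    findings = []
    for i, r in enumerate(rules):
        if r["kind"] != "static" or r["mapped"] != "interface":
            continue
        earlier = [b for b in rules[:i] if b["kind"] == "dynamic" and b["mapped"] == "interface"
                   and b["dst_if"] == r["dst_if"]]
        if earlier and r["untranslate_hits"] == 0:  # zero untranslate hits confirms it is never reached
            b = earlier[0]
            findings.append(f"section {r['section']} rule {r['num']} ({r['real']} {r['service']}) "
                            f"never reached: section {b['section']} rule {b['num']} matches first; "
                            f"re-add that rule with 'after-auto' (section 3)")
    return findings
```

Running shadowed_static_rules(parse_show_nat(SH_NAT_BEFORE)) reports the FileServer rule; once the manual rule is re-added with after-auto it sorts into section 3 and the report is empty.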

Something is still not working :(

sh nat

Auto NAT Policies (Section 2)
1 (any) to (outside) source static FileServer interface service tcp www www
translate_hits = 0, untranslate_hits = 0

Manual NAT Policies (Section 3)
1 (inside) to (IB2_Private) source dynamic any interface
translate_hits = 4, untranslate_hits = 0
2 (IB2_Private) to (inside) source dynamic any interface
translate_hits = 0, untranslate_hits = 0
3 (inside) to (outside) source dynamic any interface
translate_hits = 1796, untranslate_hits = 977

In your original post you are giving access to port 22, but in the NAT statement it is for port 80?

Can you clarify, and also can you run a packet tracer to see where it is failing?

Jon

Sorry, 80 is correct.

IB4FW1# packet-tracer input outside tcp 172.21.241.22 1024 172.21.241.205 80

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 192.168.242.200 using egress ifc inside

Phase: 3
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
object network FileServer
nat (any,outside) static interface service tcp www www
Additional Information:
NAT divert to egress interface inside
Untranslate 172.21.241.205/80 to 192.168.242.200/80

Phase: 4
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 172.21.241.129 using egress ifc outside

Phase: 5
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside in interface outside
access-list outside extended permit tcp any any object-group DM_INLINE_TCP_4
object-group service DM_INLINE_TCP_4 tcp
port-object eq www
port-object eq ssh
Additional Information:

Phase: 6
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside,outside) after-auto source dynamic any interface
Additional Information:

Phase: 7
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 9
Type: SFR
Subtype:
Result: ALLOW
Config:
class-map SFR
match access-list SFR
policy-map global_policy
description test
class SFR
sfr fail-open
service-policy global_policy global
Additional Information:

Phase: 10
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
description test
class inspection_default
inspect http
service-policy global_policy global
Additional Information:

Phase: 11
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
object network FileServer
nat (any,outside) static interface service tcp www www
Additional Information:

Phase: 12
Type: USER-STATISTICS
Subtype: user-statistics
Result: ALLOW
Config:
Additional Information:

Phase: 13
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 14
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 15
Type: USER-STATISTICS
Subtype: user-statistics
Result: ALLOW
Config:
Additional Information:

Phase: 16
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 366822, packet dispatched to next module

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: allow

According to the output it is working, i.e. it matches the correct NAT rule and is allowed through.

Are you still not seeing any hits on that rule in a "sh nat"?

Jon

Auto NAT Policies (Section 2)
1 (any) to (outside) source static FileServer interface service tcp www www
translate_hits = 0, untranslate_hits = 7

Manual NAT Policies (Section 3)
1 (IB2_Private) to (inside) source dynamic any interface
translate_hits = 7, untranslate_hits = 0
2 (inside) to (outside) source dynamic any interface
translate_hits = 8073, untranslate_hits = 3659
3 (inside) to (IB2_Private) source dynamic any interface
translate_hits = 4, untranslate_hits = 0

So it is working according to that.

Is the server on the same IP subnet as the inside interface, and is the default gateway of the server the ASA?

Jon

But this looks like something is still wrong:

Phase: 4
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 172.21.241.129 using egress ifc outside

Phase 2 picks the right interface, and if you look at the very end it is saying the inside interface is the output interface.

Are you sure there is not a problem with the server?

Jon

Thank you. The ASA works.

My server has a NIC in the same subnet as the ASA outgoing interface ;)

Thanks for your help.

Now it all works.

mickyq
Level 1

Try looking at the xlate to see if it's using the right one:

show xlate local 192.168.242.200
183 in use, 365 most used
Flags: D - DNS, e - extended, I - identity, i - dynamic, r - portmap,
s - static, T - twice, N - net-to-net
TCP PAT from any:192.168.242.200 80-80 to outside:172.21.241.205 80-80
flags sr idle 0:00:10 timeout 0:00:00
