sp-security-failed in ASA ver 8.3

Asim Afzal
Level 1

Hi All,

I am trying to do a simple static NAT. I can see the hits in the show nat command output, but I am not able to access the host from outside (internet). In packet tracer I am getting the result mentioned below:

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         outside

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside_access_in in interface inside
access-list inside_access_in extended permit ip object uasd-web any
Additional Information:

Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 4
Type: NAT
Subtype:
Result: ALLOW
Config:
object network uasd-web
 nat (inside,outside) static 94.56.92.7
Additional Information:
Static translate 192.168.1.91/80 to 94.56.92.7/80

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (sp-security-failed) Slowpath security checks failed

2 Replies

Jouni Forss
VIP Alumni

Hi,

I think you have issued the packet-tracer command wrong, since traffic from OUTSIDE shouldn't be hitting the INSIDE ACL.

Provided that all other configurations are correct, your NAT and ACL should look something like this:

object network uasd-web
 host 192.168.1.91
 nat (inside,outside) static 94.56.92.7

access-list OUTSIDE-IN permit tcp any object uasd-web eq 80

Replace OUTSIDE-IN with the ACL name you are using for your OUTSIDE interface.

It should be attached in the following way:

access-group OUTSIDE-IN in interface outside

Please rate if the information has been helpful and/or ask more questions.

- Jouni
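To make the point in the reply above checkable, here is an added example (not code from the thread or from Cisco): a small parser for packet-tracer output that extracts the phases and the final Result block, then flags an Internet-to-server test that entered on the wrong interface and reports the short drop-reason code. The sample trace is constructed, abridged from the output posted in the question.

```python
import re

# Constructed sample, abridged from the packet-tracer output posted in the thread.
SAMPLE_TRACE = """\
Phase: 1
Type: ROUTE-LOOKUP
Result: ALLOW
Additional Information:
in   0.0.0.0         0.0.0.0         outside

Result:
input-interface: inside
output-interface: outside
Action: drop
Drop-reason: (sp-security-failed) Slowpath security checks failed
"""

def parse_trace(text):
    """Split packet-tracer output into a list of phase dicts and the final
    Result block (key/value pairs such as input-interface and Action)."""
    phases, final, cur, in_final = [], {}, None, False
    for line in text.splitlines():
        if line.startswith("Phase:"):
            cur = {"phase": int(line.split(":")[1])}
            phases.append(cur)
        elif line.strip() == "Result:":
            in_final = True  # the trailing summary block, not a phase result
        elif in_final:
            m = re.match(r"([\w-]+):\s*(.*)", line)
            if m:
                final[m.group(1)] = m.group(2)
        elif cur is not None:
            m = re.match(r"(Type|Result):\s*(.*)", line)
            if m:
                cur[m.group(1).lower()] = m.group(2)
    return phases, final

def check_inbound_test(final, expected_ingress="outside"):
    """Findings for an Internet-to-server test: the flow must enter on the
    outside interface (Jouni's point above); a drop is reported with its code."""
    findings = []
    if final.get("input-interface") != expected_ingress:
        findings.append("wrong-ingress:" + final.get("input-interface", "?"))
    if final.get("Action") == "drop":
        m = re.search(r"\(([\w-]+)\)", final.get("Drop-reason", ""))
        findings.append("drop:" + (m.group(1) if m else "unknown"))
    return findings
```

Run against the posted trace it reports both that the test entered on inside and the sp-security-failed drop, which is the cue to rerun packet-tracer on the outside interface toward the mapped address.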

Hi,

I followed your suggestion using the config below, but it is still not working.

object network HRWEB
 host 192.168.16.28
 nat (inside,outside) static 80.248.12.189

access-list outside-in permit tcp any object HRWEB eq 80

access-group outside-in in interface outside

I still don't know what I am doing wrong.

Note that I have another web server working fine with the config below:

object network PATWeb
 host 192.168.16.16

object network PATWeb
 nat (inside,outside) static 80.248.12.183 service tcp 8080 8080

access-list outside-in extended permit ip any host 192.168.16.16

access-group outside-in in interface outside
