STATIC NAT ASA 5510 NOT WORKING

090002aaa
Level 1

Hello, everyone

I have been trying static NAT on an ASA 5510 running 8.2(2), but it is not translating.

 

Public IP: 1.2.3.4

Private IP: 192.168.11.18

 

static (inside,outside) 1.2.3.4 192.168.11.18

access-list outside_access_in extended permit ip any any

 

sh xlate

    Global 1.2.3.4 Local 192.168.11.18

 

I only see untranslate hits, and the logs say teardown connection timeout.

 

Any troubleshooting advice is much appreciated.

 

Regards.


Pranay Prasoon
Level 3

Is it not working in the outbound or the inbound direction? If you see untranslate hits, it means inbound NAT works fine.

 

Can you run packet-tracer in both the inbound and the outbound direction and see if the static NAT is being hit correctly?

 

packet-tracer input inside tcp 192.168.11.18 12345 4.2.2.2 80

packet-tracer input outside tcp 4.2.2.2 12345 1.2.3.4 80

 

Also, can you see any specific reason for the connection being torn down in the logs?

Thanks for the reply, Pranay.

 

I think the outbound direction is not working, as you said.

 

I already changed the ACLs to work it out, but I got the same result.

 

access-list NAT extended permit ip any host 1.2.3.4

access-group NAT in interface outside

 

 

IP OUTSIDE INTERFACE: A.B.C.D

PUBLIC NAT IP: 1.2.3.4 

 

 

packet-tracer input inside tcp 192.168.11.18 1500 1.2.3.4 22 detailed
 
Phase: 1
Type: FLOW-LOOKUP
Subtype: 
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
 
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   A.B.C.D   W.X.Y.Z   outside
 
Phase: 3
Type: IP-OPTIONS
Subtype: 
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xac7e39d8, priority=0, domain=inspect-ip-options, deny=true
hits=5938, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
 
Phase: 4
Type: NAT
Subtype: 
Result: ALLOW
Config:
static (inside,outside) 1.2.3.4 192.168.11.18 netmask 255.255.255.255 
  match ip inside host 192.168.11.18 outside any
    static translation to 1.2.3.4
    translate_hits = 15, untranslate_hits = 101
Additional Information:
Static translate 192.168.11.18/0 to 1.2.3.4/0 using netmask 255.255.255.255
 Forward Flow based lookup yields rule:
 in  id=0xac4622d8, priority=5, domain=nat, deny=false
hits=15, user_data=0xa7da1670, cs_id=0x0, flags=0x0, protocol=0
src ip=192.168.11.18, mask=255.255.255.255, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
 
Phase: 5
Type: NAT
Subtype: host-limits   
Result: ALLOW
Config:
static (inside,outside) 1.2.3.4 192.168.11.18 netmask 255.255.255.255 
  match ip inside host 192.168.11.18 outside any
    static translation to 1.2.3.4
    translate_hits = 15, untranslate_hits = 101
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xac7b1f60, priority=5, domain=host, deny=false
hits=57, user_data=0xa7da1670, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=192.168.11.18, mask=255.255.255.255, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
 
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (sp-security-failed) Slowpath security checks failed
 
packet-tracer input outside tcp 1.2.3.4 1500 A.B.C.D 22
 
 
Phase: 1
Type: FLOW-LOOKUP
Subtype: 
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
 
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   A.B.C.D   255.255.255.255 identity
 
Phase: 3
Type: ACCESS-LIST
Subtype: 
Result: ALLOW
Config:
Implicit Rule
Additional Information:
 Forward Flow based lookup yields rule:     
 in  id=0xacf70eb0, priority=121, domain=permit, deny=false   
hits=105, user_data=0x0, cs_id=0x0, flags=0x0, protocol=6
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=22, dscp=0x0
 
              
 
Phase: 4
Type: IP-OPTIONS
Subtype: 
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xac796948, priority=0, domain=inspect-ip-options, deny=true
hits=545, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
 
Phase: 5
Type: MGMT-TCP-INTERCEPT
Subtype: 
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xa76aac30, priority=0, domain=mgmt-tcp-intercept, deny=false
hits=4, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=6
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=A.B.C.D, mask=255.255.255.255, port=22, dscp=0x0
 
              
 
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
output-status: up
output-line-status: up
Action: allow
 
The logs say it is because of a SYN timeout. I think the issue could be NAT reverse, but I'm not sure at all.
 
 
Regards!
 

Your packet-tracer input is not correct.

packet-tracer input inside tcp 192.168.11.18 1500 1.2.3.4 22 detailed

 

This shows that the internal machine 192.168.11.18 is trying to access 1.2.3.4, while as per the NAT statement, 1.2.3.4 represents that same machine to the outside world. So after translation, 1.2.3.4 is trying to access 1.2.3.4.

 

Similarly

packet-tracer input outside tcp 1.2.3.4 1500 A.B.C.D 22

 

This says that from the outside, 1.2.3.4 is trying to reach A.B.C.D, while as per the static NAT, 1.2.3.4 has to be the destination IP when seen from the outside.

 


My mistake, you are right.

 

These are the new outputs.

 

packet-tracer input inside tcp 192.168.11.18 1500 8.8.8.8 80 detailed

Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         outside

Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xac7e39d8, priority=0, domain=inspect-ip-options, deny=true
        hits=5954, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 4
Type: NAT
Subtype:
Result: ALLOW
Config:
static (inside,outside) 1.2.3.4 192.168.11.18 netmask 255.255.255.255
  match ip inside host 192.168.11.18 outside any
    static translation to 1.2.3.4
    translate_hits = 17, untranslate_hits = 137
Additional Information:
Static translate 192.168.11.18/0 to 1.2.3.4/0 using netmask 255.255.255.255
 Forward Flow based lookup yields rule:
 in  id=0xac4622d8, priority=5, domain=nat, deny=false
        hits=17, user_data=0xa7da1670, cs_id=0x0, flags=0x0, protocol=0
        src ip=192.168.11.18, mask=255.255.255.255, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 5
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (inside,outside) 1.2.3.4 192.168.11.18 netmask 255.255.255.255
  match ip inside host 192.168.11.18 outside any
    static translation to 1.2.3.4
    translate_hits = 17, untranslate_hits = 137
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xac7b1f60, priority=5, domain=host, deny=false
        hits=108, user_data=0xa7da1670, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip=192.168.11.18, mask=255.255.255.255, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
 Reverse Flow based lookup yields rule:
 in  id=0xac796948, priority=0, domain=inspect-ip-options, deny=true
        hits=594, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 7
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 5880, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_translate
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Module information for reverse flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_tcp_normalizer
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow

 

 

packet-tracer input outside tcp 8.8.8.8 1500 1.2.3.4 22 detailed

 

Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
static (inside,outside) 1.2.3.4 192.168.11.18 netmask 255.255.255.255
  match ip inside host 192.168.11.18 outside any
    static translation to 1.2.3.4
    translate_hits = 17, untranslate_hits = 142
Additional Information:
NAT divert to egress interface inside
Untranslate 1.2.3.4/0 to 192.168.11.18/0 using netmask 255.255.255.255

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group NAT in interface outside
access-list NAT extended permit ip any host 1.2.3.4
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xac795410, priority=12, domain=permit, deny=false
        hits=46, user_data=0xa8a03600, cs_id=0x0, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=1.2.3.4, mask=255.255.255.255, port=0, dscp=0x0

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xac796948, priority=0, domain=inspect-ip-options, deny=true
        hits=598, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 5
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
static (inside,outside) 1.2.3.4 192.168.11.18 netmask 255.255.255.255
  match ip inside host 192.168.11.18 outside any
    static translation to 1.2.3.4
    translate_hits = 17, untranslate_hits = 142
Additional Information:
 Forward Flow based lookup yields rule:
 out id=0xac79ede0, priority=5, domain=nat-reverse, deny=false
        hits=66, user_data=0xa7da1670, cs_id=0x0, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=192.168.11.18, mask=255.255.255.255, port=0, dscp=0x0

Phase: 6
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (inside,outside) 1.2.3.4 192.168.11.18 netmask 255.255.255.255
  match ip inside host 192.168.11.18 outside any
    static translation to 1.2.3.4
    translate_hits = 17, untranslate_hits = 142
Additional Information:
 Reverse Flow based lookup yields rule:
 in  id=0xac7b1f60, priority=5, domain=host, deny=false
        hits=116, user_data=0xa7da1670, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip=192.168.11.18, mask=255.255.255.255, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 7
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
 Reverse Flow based lookup yields rule:
 in  id=0xac7e39d8, priority=0, domain=inspect-ip-options, deny=true
        hits=5960, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 8
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 5886, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_translate
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Module information for reverse flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_tcp_normalizer
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: allow

 
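The packet-tracer checks Pranay asked for above, as an added example that is not part of the original thread: a small Python parser for `packet-tracer ... detailed` output that pulls out each phase, the NAT hit counters and the final Action/Drop-reason, plus a check for the argument mistake Pranay pointed out (tracing from inside toward the host's own mapped address, or from outside toward the ASA interface instead of the mapped address). The two traces embedded in it are constructed, abridged from the ones posted above; the function names are the example's own.

```python
"""Added example (not from the thread): parse Cisco ASA `packet-tracer ... detailed`
output and sanity-check packet-tracer arguments against a static (inside,outside) NAT.
The two traces below are constructed, abridged from the ones posted in the thread."""
import re

PHASE_RE = re.compile(r"^Phase:\s*(\d+)\s*$", re.M)
FIELD_RE = re.compile(r"^(Type|Subtype|Result):[ \t]*(.*?)[ \t]*$", re.M)
HITS_RE = re.compile(r"translate_hits\s*=\s*(\d+),\s*untranslate_hits\s*=\s*(\d+)")
DROP_RE = re.compile(r"^Drop-reason:\s*\((?P<code>[^)]+)\)", re.M)
ACTION_RE = re.compile(r"^Action:\s*(\w+)", re.M)


def parse_packet_tracer(text):
    """Return phases, final action, drop-reason code and the NAT counters of one trace."""
    body, _, tail = text.partition("\nResult:\n")   # split off the final summary block
    phases = []
    marks = list(PHASE_RE.finditer(body))
    for i, m in enumerate(marks):
        end = marks[i + 1].start() if i + 1 < len(marks) else len(body)
        fields = dict(FIELD_RE.findall(body[m.end():end]))
        phases.append({"num": int(m.group(1)), "type": fields.get("Type", ""),
                       "subtype": fields.get("Subtype", ""),
                       "result": fields.get("Result", "")})
    action = ACTION_RE.search(tail)
    drop = DROP_RE.search(tail)
    hits = HITS_RE.findall(body)          # the same counters are echoed in every NAT phase
    return {
        "phases": phases,
        "action": action.group(1) if action else None,
        "drop_reason": drop.group("code") if drop else None,
        "nat_hits": (int(hits[-1][0]), int(hits[-1][1])) if hits else None,
        "nat_phases": [p["type"] for p in phases if p["type"] in ("NAT", "UN-NAT")],
    }


def check_tracer_args(input_iface, src, dst, local_ip, mapped_ip):
    """Flag packet-tracer invocations that cannot exercise a static (inside,outside) NAT.

    From inside the source must be the real host and the destination must not be its
    own mapped address; from outside the destination must be the mapped address.
    """
    if input_iface == "inside":
        if src != local_ip:
            return "source is not the translated host"
        if dst == mapped_ip:
            return "destination is the host's own mapped address"
        return "ok"
    if input_iface == "outside":
        if dst != mapped_ip:
            return "destination is not the mapped address"
        if src == mapped_ip:
            return "source is the mapped address"
        return "ok"
    return "unknown interface"


# Constructed sample traces (abridged from the thread, phases renumbered).
TRACE_DROP = """\
Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 2
Type: NAT
Subtype:
Result: ALLOW
Config:
static (inside,outside) 1.2.3.4 192.168.11.18 netmask 255.255.255.255
  match ip inside host 192.168.11.18 outside any
    static translation to 1.2.3.4
    translate_hits = 15, untranslate_hits = 101

Result:
input-interface: inside
output-interface: outside
Action: drop
Drop-reason: (sp-security-failed) Slowpath security checks failed
"""

TRACE_ALLOW = """\
Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW

Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
static (inside,outside) 1.2.3.4 192.168.11.18 netmask 255.255.255.255
    translate_hits = 17, untranslate_hits = 142
Additional Information:
NAT divert to egress interface inside
Untranslate 1.2.3.4/0 to 192.168.11.18/0 using netmask 255.255.255.255

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW

Result:
input-interface: outside
output-interface: inside
Action: allow
"""

if __name__ == "__main__":
    for name, trace in (("drop", TRACE_DROP), ("allow", TRACE_ALLOW)):
        r = parse_packet_tracer(trace)
        print(name, r["action"], r["drop_reason"], r["nat_hits"], r["nat_phases"])
    print(check_tracer_args("inside", "192.168.11.18", "1.2.3.4", "192.168.11.18", "1.2.3.4"))
```

Paste a trace into `parse_packet_tracer` and look at `nat_phases` first: an outside-to-inside trace that never shows an UN-NAT phase is not hitting the static at all, while one that does, with a growing `untranslate_hits`, points at the return path rather than the ASA.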

Is the internal server on a network directly connected to the ASA, and is it using the ASA as its default gateway?

If it is not directly connected, what is its default gateway device, and does that have a default route pointing to the ASA?

What service, i.e. port number, are you trying to connect to on the server, and does it work from an internal client?

Jon

Hi, Jon

 

1. The internal server is on a directly connected network; there is a VLAN gateway on the switch: 192.168.11.19/29

 

2. I am trying to connect to ports 22 and 443. Those work from an internal host in the same VLAN.

 

Regards.

 

 

The internal server is on a directly connected network; there is a VLAN gateway on the switch: 192.168.11.19/29

I don't follow.

If there is a switch that has an SVI for the server, then it is not directly connected to the ASA?

If you are seeing untranslate hits, it suggests traffic is going through from outside to inside correctly, but for some reason the traffic isn't getting back to the firewall.

Jon

 

The VLAN gateway is there because we reach that network from other VLANs. But it is on a network directly connected to the ASA.

 

 

I'll share my main configuration with you:


interface Ethernet0/1
 nameif outside
 security-level 0
 ip address A.B.C.D 255.255.255.0
!
interface Ethernet0/2
 nameif inside
 security-level 100
 ip address 192.168.11.21 255.255.255.248
!
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface

access-list NAT extended permit ip any host 1.2.3.4

static (inside,outside) 1.2.3.4 192.168.11.18 netmask 255.255.255.255

access-group NAT in interface outside

route outside 0.0.0.0 0.0.0.0 gw_outside_interface 1

Regards!

I can't see anything wrong with your configuration, and as far as I can see the packet-tracer outputs show the ASA is working properly.

Like I say, only seeing untranslate hits suggests the server is not returning the packets to the ASA, but it is a directly connected network.

Is the default gateway of the server the ASA?

Jon

I already added a default gateway on the server, because it has several network cards, and I think it was sending the packets back from another interface.

route add default gw 192.168.11.21

It works!!!

Thank you Jon and Pranay.

 

Since the server is directly connected to the ASA, you will not need a route on the ASA.

 

However, if the server's default gateway is the switch, make sure that you have a default route configured on the switch pointing to the ASA.

 

Take a Wireshark capture on the server and run a capture on the ASA:

cap capi interface inside match ip any host 192.168.11.18

 

As far as configuration is concerned it looks good on ASA.

 

Thanks
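The root cause in this thread (a multi-homed server whose replies left by another interface) and Pranay's note that a switch used as the server's default gateway needs its own default route to the ASA, as an added example that is not part of the original thread: a Python model of longest-prefix route lookup that follows the server's reply hop by hop and reports whether it ever reaches the ASA's inside address 192.168.11.21. The routing tables are constructed; the 192.168.11.16/29 VLAN, the switch SVI 192.168.11.19 and the ASA inside address come from the thread, while the second NIC on 10.10.0.0/16, its gateway 10.10.0.1 and the interface names are assumed.

```python
"""Added example (not from the thread): trace where a server's reply actually goes.
A static NAT can show untranslate hits (inbound works) while the server's answer
leaves by another NIC or dies on a switch with no default route, which the ASA then
logs as a SYN timeout. Routing tables are constructed: 192.168.11.16/29, the ASA
inside address 192.168.11.21 and the switch SVI 192.168.11.19 are from the thread,
the second NIC on 10.10.0.0/16 and its gateway 10.10.0.1 are assumed."""
import ipaddress

ASA_INSIDE = "192.168.11.21"


def lookup(routes, dst):
    """Longest-prefix match over (prefix, interface, gateway) rows; gateway None = connected."""
    d = ipaddress.ip_address(dst)
    best = None
    for prefix, iface, gw in routes:
        net = ipaddress.ip_network(prefix)
        if d in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface, gw)
    return None if best is None else (str(best[0]), best[1], best[2])


def trace_reply(tables, start, client_ip, hop_nodes, asa_ip=ASA_INSIDE, max_hops=8):
    """Follow the reply to client_ip hop by hop through the routing tables in `tables`.

    hop_nodes maps a next-hop address to the node in `tables` that owns it.
    Returns (reached_asa, path) where path lists (node, egress_iface, next_hop).
    """
    node, path = start, []
    for _ in range(max_hops):
        hit = lookup(tables[node], client_ip)
        if hit is None:
            return False, path + [(node, None, "no route")]
        _, iface, gw = hit
        path.append((node, iface, gw))
        if gw == asa_ip:
            return True, path
        if gw is None or gw not in hop_nodes:
            # Delivered on-link, or handed to a device we do not model: the ASA never
            # sees the reply, so its half-open connection times out.
            return False, path
        node = hop_nodes[gw]
    return False, path                      # routing loop


# Constructed tables. The server has two NICs; only the default route differs per case.
CONNECTED = [("192.168.11.16/29", "eth0", None), ("10.10.0.0/16", "eth1", None)]
SERVER_OTHER_NIC = CONNECTED + [("0.0.0.0/0", "eth1", "10.10.0.1")]        # default via the other NIC
SERVER_VIA_SWITCH = CONNECTED + [("0.0.0.0/0", "eth0", "192.168.11.19")]   # default = switch SVI
SERVER_VIA_ASA = CONNECTED + [("0.0.0.0/0", "eth0", ASA_INSIDE)]           # route add default gw 192.168.11.21
SWITCH_OK = [("192.168.11.16/29", "Vlan11", None), ("0.0.0.0/0", "Vlan11", ASA_INSIDE)]
SWITCH_NO_DEFAULT = [("192.168.11.16/29", "Vlan11", None)]
HOPS = {"192.168.11.19": "switch"}


def scenarios(client_ip="8.8.8.8"):
    """Run the cases discussed in the thread; True means the reply reaches the ASA."""
    return {
        "default via other NIC":
            trace_reply({"server": SERVER_OTHER_NIC}, "server", client_ip, HOPS)[0],
        "default via switch, switch has default to ASA":
            trace_reply({"server": SERVER_VIA_SWITCH, "switch": SWITCH_OK}, "server", client_ip, HOPS)[0],
        "default via switch, switch has no default":
            trace_reply({"server": SERVER_VIA_SWITCH, "switch": SWITCH_NO_DEFAULT}, "server", client_ip, HOPS)[0],
        "default via ASA":
            trace_reply({"server": SERVER_VIA_ASA}, "server", client_ip, HOPS)[0],
    }


if __name__ == "__main__":
    for name, ok in scenarios().items():
        print(f"{name:48s} reply reaches ASA: {ok}")
```

This is also why the test from an internal host in the same VLAN succeeded: that client is on 192.168.11.16/29, so the reply is delivered on-link and the default route never comes into play. Compare the model against the real box with `ip route get <client-ip>` on the server and the ASA capture Pranay suggests; if the capture shows the SYN going in but no SYN/ACK coming back, the problem is on the server or switch side, not in the NAT.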
