04-11-2015 05:15 PM - edited 03-11-2019 10:45 PM
Hello, everyone
I have been trying static NAT on an ASA 5510 8.2(2), but it is not translating.
Public IP: 1.2.3.4
Private IP: 192.168.11.18
static (inside,outside) 1.2.3.4 192.168.11.18
access-list outside_access_in extended permit ip any any
sh xlate
Global 1.2.3.4 Local 192.168.11.18
I only see untranslated hits, and the logs said teardown connection timeout.
Any advice on troubleshooting is much appreciated.
Regards.
04-13-2015 09:02 AM
Can't see anything wrong with your configuration, and as far as I can see the packet-tracer outputs show the ASA is working properly.
Like I say, only seeing untranslate hits suggests the server is not returning the packets back to the ASA, but it is a directly connected network.
Is the default gateway of the server the ASA?
Jon
04-13-2015 09:08 AM
Since the server is directly connected to the ASA, you will not need a route on the ASA.
However, for the server the default gateway is the switch, so make sure that you have a default route configured on the switch pointing to the ASA.
Take a Wireshark capture on the server and run a capture on the ASA:
cap capi interface inside match ip any host 192.168.11.18
As far as configuration is concerned it looks good on ASA.
Thanks
04-11-2015 10:29 PM
Is it not working in outbound or inbound direction? If you see untranslated hit, it means inbound NAT works fine.
Can you run packet-tracer in both the inbound and outbound directions and see if the static NAT is being hit correctly?
packet-tracer inside tcp 192.168.11.18 12345 4.2.2.2 80
packet-tracer outside tcp 4.2.2.2 12345 1.2.3.4 80
Also, can you see any specific reason for the connection being torn down in the logs?
04-12-2015 04:12 PM
Thanks for the reply, Pranay.
I think the outbound direction is not working, as you said.
I already changed the ACLs to work it out, but I got the same.
access-list NAT extended permit ip any host 1.2.3.4
access-group NAT in interface outside
IP OUTSIDE INTERFACE: A.B.C.D
PUBLIC NAT IP: 1.2.3.4
04-12-2015 04:23 PM
Your packet-tracer output is not correct
packet-tracer input inside tcp 192.168.11.18 1500 1.2.3.4 22 detailed
This shows that the internal machine 192.168.11.18 is trying to access 1.2.3.4, while as per the NAT statement 1.2.3.4 represents the same machine to the outside world. So after translation 1.2.3.4 is trying to access 1.2.3.4.
Similarly
packet-tracer input outside tcp 1.2.3.4 1500 A.B.C.D 22
This says that from outside 1.2.3.4 you are trying to reach A.B.C.D, while as per the static NAT 1.2.3.4 has to be the destination IP when you see it from outside.
04-13-2015 06:32 AM
My mistake, you are right.
These are the new outputs.
packet-tracer input inside tcp 192.168.11.18 1500 8.8.8.8 80 detailed
Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside
Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xac7e39d8, priority=0, domain=inspect-ip-options, deny=true
hits=5954, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 4
Type: NAT
Subtype:
Result: ALLOW
Config:
static (inside,outside) 1.2.3.4 192.168.11.18 netmask 255.255.255.255
match ip inside host 192.168.11.18 outside any
static translation to 1.2.3.4
translate_hits = 17, untranslate_hits = 137
Additional Information:
Static translate 192.168.11.18/0 to 1.2.3.4/0 using netmask 255.255.255.255
Forward Flow based lookup yields rule:
in id=0xac4622d8, priority=5, domain=nat, deny=false
hits=17, user_data=0xa7da1670, cs_id=0x0, flags=0x0, protocol=0
src ip=192.168.11.18, mask=255.255.255.255, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 5
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (inside,outside) 1.2.3.4 192.168.11.18 netmask 255.255.255.255
match ip inside host 192.168.11.18 outside any
static translation to 1.2.3.4
translate_hits = 17, untranslate_hits = 137
Additional Information:
Forward Flow based lookup yields rule:
in id=0xac7b1f60, priority=5, domain=host, deny=false
hits=108, user_data=0xa7da1670, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=192.168.11.18, mask=255.255.255.255, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0xac796948, priority=0, domain=inspect-ip-options, deny=true
hits=594, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 7
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 5880, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_translate
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat
Module information for reverse flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_tcp_normalizer
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow
packet-tracer input outside tcp 8.8.8.8 1500 1.2.3.4 22 detailed
Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
static (inside,outside) 1.2.3.4 192.168.11.18 netmask 255.255.255.255
match ip inside host 192.168.11.18 outside any
static translation to 1.2.3.4
translate_hits = 17, untranslate_hits = 142
Additional Information:
NAT divert to egress interface inside
Untranslate 1.2.3.4/0 to 192.168.11.18/0 using netmask 255.255.255.255
Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group NAT in interface outside
access-list NAT extended permit ip any host 1.2.3.4
Additional Information:
Forward Flow based lookup yields rule:
in id=0xac795410, priority=12, domain=permit, deny=false
hits=46, user_data=0xa8a03600, cs_id=0x0, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=1.2.3.4, mask=255.255.255.255, port=0, dscp=0x0
Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xac796948, priority=0, domain=inspect-ip-options, deny=true
hits=598, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 5
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
static (inside,outside) 1.2.3.4 192.168.11.18 netmask 255.255.255.255
match ip inside host 192.168.11.18 outside any
static translation to 1.2.3.4
translate_hits = 17, untranslate_hits = 142
Additional Information:
Forward Flow based lookup yields rule:
out id=0xac79ede0, priority=5, domain=nat-reverse, deny=false
hits=66, user_data=0xa7da1670, cs_id=0x0, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=192.168.11.18, mask=255.255.255.255, port=0, dscp=0x0
Phase: 6
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (inside,outside) 1.2.3.4 192.168.11.18 netmask 255.255.255.255
match ip inside host 192.168.11.18 outside any
static translation to 1.2.3.4
translate_hits = 17, untranslate_hits = 142
Additional Information:
Reverse Flow based lookup yields rule:
in id=0xac7b1f60, priority=5, domain=host, deny=false
hits=116, user_data=0xa7da1670, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=192.168.11.18, mask=255.255.255.255, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 7
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0xac7e39d8, priority=0, domain=inspect-ip-options, deny=true
hits=5960, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 8
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 5886, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_translate
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat
Module information for reverse flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_tcp_normalizer
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: allow
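As an added example, not code from the thread or from Cisco, here is a small Python parser for packet-tracer output of the kind posted above. It applies the reasoning the replies converge on: when every phase returns ALLOW and the expected static statement is matched in a NAT/UN-NAT phase, the ASA is doing its job and the next thing to check is the server's return path. The trace string is a constructed, abbreviated copy of the outside-to-inside output above; the verdict strings are my own naming.

```python
import re

# Constructed sample: an abbreviated copy of the outside->inside packet-tracer output above.
INBOUND_TRACE = """Phase: 2
Type: UN-NAT
Result: ALLOW
Config:
static (inside,outside) 1.2.3.4 192.168.11.18 netmask 255.255.255.255
translate_hits = 17, untranslate_hits = 142
Phase: 3
Type: ACCESS-LIST
Result: ALLOW
Config:
access-list NAT extended permit ip any host 1.2.3.4
Result:
Action: allow"""
HITS_RE = re.compile(r"translate_hits = (\d+), untranslate_hits = (\d+)")

def parse_packet_tracer(text):
    """Return (phases, action); each phase is a dict of its Type, Result and Config lines."""
    phases, cur, in_config, action = [], None, False, None
    for line in (l.strip() for l in text.splitlines()):
        key, _, value = (s.strip() for s in line.partition(":"))
        if key == "Phase":                          # a new phase begins
            cur = {"type": "", "result": "", "config": []}
            phases.append(cur); in_config = False
        elif key == "Action":
            action = value
        elif key == "Result" and not value:         # trailing summary block, not a phase
            cur, in_config = None, False
        elif key in ("Type", "Result") and cur is not None:
            cur[key.lower()] = value
        elif key in ("Config", "Additional Information"):
            in_config = key == "Config"
        elif in_config and line:                    # NAT statement and hit counters live here
            cur["config"].append(line)
    return phases, action

def check_static_nat(trace, static_stmt):
    """Thread's verdict: all phases ALLOW and the static statement matched means check the return path."""
    phases, action = parse_packet_tracer(trace)
    denied = [p["type"] for p in phases if p["result"] != "ALLOW"]
    nat_cfg = [l for p in phases if p["type"] in ("NAT", "UN-NAT") for l in p["config"]]
    hits = next((tuple(map(int, m.groups())) for l in nat_cfg if (m := HITS_RE.search(l))), None)
    if action != "allow" or denied:
        return "asa-drops", denied, hits
    if not any(l.startswith(static_stmt) for l in nat_cfg):
        return "nat-rule-not-matched", denied, hits
    return "asa-ok-check-return-path", denied, hits
```

Run it against the full outputs above (paste each trace into a string) to get the phase list, the final action and the translate/untranslate counters in one place.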
04-13-2015 07:01 AM
Is the internal server on a directly connected network to the ASA, and is it using the ASA as its default gateway?
If it is not directly connected, what is its default gateway device, and does that have a default route pointing to the ASA?
What service, i.e. port number, are you trying to connect to on the server, and does it work from an internal client?
Jon
04-13-2015 07:24 AM
Hi, Jon
1. The internal server is on a directly connected network; there is a vlan gw in the switch: 192.168.11.19/29
2. I try to connect to ports 22 and 443. Those work from an internal host in the same VLAN.
Regards.
04-13-2015 07:41 AM
The internal server is on a directly connected network; there is a vlan gw in the switch: 192.168.11.19/29
I don't follow.
If there is a switch that has an SVI for the server, then it is not directly connected to the ASA?
If you are seeing untranslate hits, it suggests traffic is going through from outside to inside correctly, but for some reason traffic isn't getting back to the firewall.
Jon
04-13-2015 07:48 AM
The VLAN gw is because we reach that network from other VLANs. But it is on a directly connected network to the ASA.
04-13-2015 07:54 AM
I'll share my main configuration:
interface Ethernet0/1
nameif outside
security-level 0
ip address A.B.C.D 255.255.255.0
!
interface Ethernet0/2
nameif inside
security-level 100
ip address 192.168.11.21 255.255.255.248
!
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list NAT extended permit ip any host 1.2.3.4
static (inside,outside) 1.2.3.4 192.168.11.18 netmask 255.255.255.255
access-group NAT in interface outside
route outside 0.0.0.0 0.0.0.0 gw_outside_interface 1
Regards!
04-13-2015 09:18 AM
I already added a default gw on the server, because I have many network cards, and I think it was sending packets back from another interface.
route add default gw 192.168.11.21
It works!!!
Thank you Jon and Pranay.