Static NAT for outside access not working...

remitprosupport
Level 1

Hello all. I've got an ASA 5510 that has been working like a charm for some time now. Until now we've not had to NAT any resources to the outside. I created network objects for an internal host and an external host. The internal host has to respond to requests on tcp/2001.

The internal host has no problem accessing the internet, but when I attempt to access the internal host from the outside, I get the following:

4    Sep 20 2011    16:20:33        fw_outside_ip    62678    outside_host    2001    Deny tcp src outside:outside_host_ip/62678 dst inside_host:inside_host_ip/2001 by access-group "outside_access_in" [0x0, 0x0]

When I try to use the packet tracer to simulate the outside traffic, I get the following

5    Sep 20 2011    16:17:41        inside_host    2001            Asymmetric NAT rules matched for forward and reverse flows; Connection for tcp src outside:outside_host/1065 dst inside_int:inside_host/2001 denied due to NAT reverse path failure

I've gone over my NAT statement and access rule and can't find anything wrong with either. If someone could take a look I'd appreciate it...

Here are the pertinent NAT and access rule...

static (inside_int,outside) tcp interface 2001 inside_host 2001 netmask 255.255.255.255

access-list outside_access_in extended permit tcp host outside_host host inside_host eq 2001

Thanks!

1 Accepted Solution

Julio Carvajal
VIP Alumni

Hello Daniel,

As I can see you are running a version older than 8.3, so in this case you will need to point to the public IP address (the NATted one) in the ACL.

So if the IP address of the interface is 31.31.31.31 the ACL should be:

access-list outside_access_in extended permit tcp host outside_host host 31.31.31.31 eq 2001

access-group outside_access_in in interface outside

I think this is going to solve your problem. Please let me know if you need anything else.

Best Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

5 Replies

Thanks for the reply Julio. I tried changing the destination IP address in the ACL from my inside host to that of the external IP address of the firewall in the ACL and I still get the same denial message. Do you have any other suggestions?

Thanks!

Hello Daniel,

Is it possible that you can post the configuration, and the source IP address and the destination IP address of this traffic, in order to take a deeper look into this issue?

Regards

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Julio,

Thanks again for your reply. Because this was time-sensitive, I opened a TAC with Cisco and they were able to resolve the issue. As you pointed out, the access rule on the outside interface needed to allow access to the outside interface itself. I was adding the outside interface's IP address through ASDM, which did not work. The Cisco tech added the outside IP address through the CLI, which then showed up in ASDM as the interface by name (outside) instead of IP. I'm not sure yet if specifying it by name in ASDM when adding the rule would have had the same effect, but I'll have to test that.

Your help is greatly appreciated...

Hello Daniel,

I am glad that now everything is working, as I assumed the problem was the Access-list.

Any other question, I will be more than glad to help.

Have a great Day,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC