Static NAT issue on Outside interface 2

Hi,

When accessing my server from outside, the translated server address (PUBIP) is not accessible.

object network PUB
 host 1.1.0.3
object network RT
 host 10.0.0.1

nat (outside2,inside) 1 source static any any destination static PUB RT

or

nat (inside,outside2) source static RT PUB

access-list outside2_access_in_1 extended permit tcp any object RT eq ssh
access-list outside2_access_in_1 extended permit tcp any object RT eq telnet
access-list outside2_access_in_1 extended permit tcp any object RT eq www
access-list outside2_access_in_1 extended permit tcp any object RT eq https
access-group outside2_access_in_1 in interface outside2

I tried clear xlate, but the result is the same.

The server can ping and access the internet, and it is translated to the static address.

telnet <public address of server> 80 failed

packet-tracer input outside2 tcp <my outside address> 12345 <defined address> 80 detailed

Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside,outside2) source static Host-10.0.0.1 PUBIP2-2
Additional Information:
NAT divert to egress interface inside
Untranslate 1.1.0.3/80 to 10.0.0.1

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside2_access_in_1 in interface outside2
access-list outside2_access_in_1 extended permit object-group DM_INLINE_SERVICE_2 any object Host-10.0.0.1
access-list outside2_access_in_1 remark ** **
object-group service DM_INLINE_SERVICE_2
 service-object icmp
 service-object tcp destination eq www
 service-object tcp destination eq https
 service-object tcp destination eq ssh
 service-object tcp destination eq telnet
 service-object ip
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7fffe38975e0, priority=13, domain=permit, deny=false
        hits=181, user_data=0x7fffe9830000, cs_id=0x0, use_real_addr, flags=0x0, protocol=6
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
        dst ip/id=10.0.0.1, mask=255.255.255.255, port=80, tag=any, dscp=0x0
        input_ifc=outside2, output_ifc=any

Phase: 3
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside,outside2) source static Host-10.0.0.1 PUBIP2-2
Additional Information:
Static translate X.X.X.1/12345 to X.X.X.1/12345
 Forward Flow based lookup yields rule:
 in  id=0x7fffe0449210, priority=6, domain=nat, deny=false
        hits=48633, user_data=0x7fffe1c928e0, cs_id=0x0, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
        dst ip/id=1.1.0.3, mask=255.255.255.255, port=0, tag=any, dscp=0x0
        input_ifc=outside2, output_ifc=inside

Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7fffe1384ac0, priority=0, domain=nat-per-session, deny=false
        hits=22011898, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
        input_ifc=any, output_ifc=any

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7fffe1b6c6d0, priority=0, domain=inspect-ip-options, deny=true
        hits=9263003, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
        input_ifc=outside2, output_ifc=any

Phase: 6
Type: SFR
Subtype:
Result: ALLOW
Config:
class-map SFR
 match access-list ACL_ANY
policy-map global_policy
 class SFR
  sfr fail-close
service-policy global_policy global
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7fffe27d58a0, priority=71, domain=sfr, deny=false
        hits=64176, user_data=0x7fffe27d2c30, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
        input_ifc=outside2, output_ifc=any

Phase: 7
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (inside,outside2) source static Host-10.0.0.1 PUBIP2-2
Additional Information:
 Forward Flow based lookup yields rule:
 out id=0x7fffe37be040, priority=6, domain=nat-reverse, deny=false
        hits=47921, user_data=0x7fffe1ce3e70, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
        dst ip/id=10.0.0.1, mask=255.255.255.255, port=0, tag=any, dscp=0x0
        input_ifc=outside2, output_ifc=inside

Phase: 8
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
 Reverse Flow based lookup yields rule:
 in  id=0x7fffe1384ac0, priority=0, domain=nat-per-session, deny=false
        hits=22011900, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
        input_ifc=any, output_ifc=any

Phase: 9
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
 Reverse Flow based lookup yields rule:
 in  id=0x7fffe1acbbe0, priority=0, domain=inspect-ip-options, deny=true
        hits=22249269, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
        input_ifc=inside, output_ifc=any

Phase: 10
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 21703951, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_sfr
snp_fp_translate
snp_fp_tcp_normalizer
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Module information for reverse flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_translate
snp_sfr
snp_fp_tcp_normalizer
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Result:
input-interface: outside2
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: allow
That is my packet-tracer output, thanks. I noticed that there's "Untranslate 1.1.0.3/80 to 10.0.0.1" in phase 1.
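Added example, not from the original post and not Cisco code: a small Python checker for packet-tracer output. It splits the trace into phases, pulls the Untranslate mapping out of the UN-NAT phase, reads the destination the ACCESS-LIST phase was actually matched on (the use_real_addr flag in the trace: on 8.3 and later code, interface ACLs are evaluated against the real, untranslated address, which is why the ACL in this post correctly references the 10.0.0.1 object rather than 1.1.0.3), and reports the first phase whose Result is not ALLOW together with the final Action and output interface. SAMPLE_TRACE is a constructed, condensed copy of the trace above (phases 1 and 2 plus the summary block); on a real box you would feed it the full output of the packet-tracer command shown.

```python
import re

# Constructed sample: a condensed copy of the packet-tracer output quoted in the
# post above (phases 1 and 2 plus the summary block), embedded so the script runs offline.
SAMPLE_TRACE = """\
Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside,outside2) source static Host-10.0.0.1 PUBIP2-2
Additional Information:
NAT divert to egress interface inside
Untranslate 1.1.0.3/80 to 10.0.0.1

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7fffe38975e0, priority=13, domain=permit, deny=false
        hits=181, user_data=0x7fffe9830000, cs_id=0x0, use_real_addr, flags=0x0, protocol=6
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
        dst ip/id=10.0.0.1, mask=255.255.255.255, port=80, tag=any, dscp=0x0
        input_ifc=outside2, output_ifc=any

Result:
input-interface: outside2
output-interface: inside
Action: allow
"""

UNTRANSLATE = re.compile(r"Untranslate (\S+)/(\d+) to (\S+)")
ACL_DST = re.compile(r"dst ip/id=(\S+),")


def parse_trace(text):
    """Split packet-tracer output into a list of phase dicts and the final summary dict."""
    phases, summary, current, in_summary = [], {}, None, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "Result:":            # a bare "Result:" starts the summary block
            in_summary = True
            continue
        if in_summary:
            key, _, value = line.partition(":")
            summary[key.strip()] = value.strip()
            continue
        if line.startswith("Phase:"):
            current = {"number": int(line.split(":", 1)[1]), "type": "",
                       "subtype": "", "result": "", "body": []}
            phases.append(current)
            continue
        if current is None:              # text before the first phase is ignored
            continue
        for key in ("type", "subtype", "result"):
            if line.lower().startswith(key + ":"):
                current[key] = line.split(":", 1)[1].strip()
                break
        else:
            current["body"].append(line)  # Config / Additional Information lines
    return phases, summary


def first_match(phases, ptype, regex):
    """First regex match within the body of the first phase whose Type is ptype."""
    for p in phases:
        if p["type"] == ptype:
            for line in p["body"]:
                m = regex.search(line)
                if m:
                    return m
    return None


def check_trace(text):
    """Summarise a trace: NAT mapping, ACL match address, first non-ALLOW phase."""
    phases, summary = parse_trace(text)
    un = first_match(phases, "UN-NAT", UNTRANSLATE)
    acl = first_match(phases, "ACCESS-LIST", ACL_DST)
    mapping = (un.group(1), int(un.group(2)), un.group(3)) if un else None
    acl_dst = acl.group(1) if acl else None
    findings = []
    if mapping is None:
        findings.append("no UN-NAT Untranslate entry: no static NAT matched the mapped address")
    elif acl_dst is not None and acl_dst != mapping[2]:
        # On 8.3+ code the interface ACL must reference the real (untranslated) address
        findings.append(f"ACL matched on {acl_dst}, but the real address is {mapping[2]}")
    drop = next((p for p in phases if p["result"].upper() != "ALLOW"), None)
    if drop is not None:
        findings.append(f"phase {drop['number']} ({drop['type']}) result {drop['result']}")
    return {"phases": len(phases), "mapping": mapping, "acl_destination": acl_dst,
            "action": summary.get("Action"), "output_interface": summary.get("output-interface"),
            "findings": findings}
```

Run on the sample it reports the mapping ('1.1.0.3', 80, '10.0.0.1'), an ACL matched on 10.0.0.1, Action allow via inside and no findings. What the checker cannot tell you is as important as what it does: a clean trace only proves that the inbound SYN passes the security checks between outside2 and inside; it says nothing about which interface the server's reply will leave through.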
6 Replies

Static NAT is bidirectional, so you would only need the statement nat (inside,outside2) source static RT PUB.

But I noticed that you have defined the outside interface as outside2. Does this mean that you have another public / internet-facing interface? If so, then it is quite possible that you have an asynchronous routing issue going on here, and that could be the reason the packet is being dropped. Because packet-tracer only checks the "security checks" between two interfaces, it will show allowed, but in reality the return traffic could be leaving through another interface; the ASA then finds no existing connection for it and drops the packet.

--

Please remember to select a correct answer and rate helpful posts


Hi Marius, thanks for your response. Yes, I have 2 interfaces facing the internet. I also tried the statement you gave before, but it still doesn't work. Regards,

But where is your default route pointing? Are you able to put a more specific route pointing out the outside2 interface for this traffic? If you are using two public interfaces, then as I mentioned this is most likely a case of asynchronous routing, which is by default dropped by the ASA.

The solution to this is to first upgrade to version 9.3 or higher, if you haven't already done so. Then use traffic zones to group the two outside interfaces. The zone allows traffic to enter and leave interfaces within the same zone freely while still maintaining the state-table connection. I am a little uncertain whether this will cause a hiccup in existing traffic, so it would be best to do these changes in a service window.

zone outside
interface gig0/0
 description outside1
 zone-member outside
interface gig0/1
 description outside2
 zone-member outside

--

Please remember to select a correct answer and rate helpful posts

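Added example, not Cisco code and not part of the thread: a Python model of the mechanism described in the reply above. It routes the server's reply with a longest-prefix lookup, applies the ASA's return-path check (the reply must leave the interface the connection was built on, or one in the same traffic zone), and tries both fixes proposed in this thread: grouping the two outside interfaces in a zone, and adding a more specific route out of outside2. Assumptions, all mine: the default route points out outside, the inside LAN is 10.0.0.0/24, the client sits in 203.0.113.0/24, and the crypto-enabled interface that cannot join the zone is outside2 (the thread only says g0/1). zone_member raises the same error text the ASA printed later in the thread, so the model also shows what happens when the zone fix is unavailable.

```python
import ipaddress


class AsaModel:
    """Toy model of the ASA behaviour discussed in this thread: longest-prefix route
    lookup, the stateful return-path check, and traffic zones. Added example, not
    Cisco code; interface and prefix names are assumptions."""

    def __init__(self, routes, crypto_interfaces=()):
        self.routes = [(ipaddress.ip_network(p), ifc) for p, ifc in routes]
        self.crypto = set(crypto_interfaces)   # interfaces the ASA refuses to put in a zone
        self.zones = {}

    def add_route(self, prefix, ifc):
        self.routes.append((ipaddress.ip_network(prefix), ifc))

    def zone_member(self, zone, ifc):
        # Mirrors the error quoted in the thread for interfaces with crypto features.
        if ifc in self.crypto:
            raise ValueError(f"Interface {ifc} with crypto features enabled can't be part of zone")
        self.zones.setdefault(zone, set()).add(ifc)

    def egress(self, dst):
        """Longest-prefix match; the default route only wins if nothing more specific does."""
        best = None
        for net, ifc in self.routes:
            if ipaddress.ip_address(dst) in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, ifc)
        return best[1] if best else None

    def same_zone(self, a, b):
        return any(a in members and b in members for members in self.zones.values())

    def trace_connection(self, client, server_real, ingress):
        """The SYN arrives on `ingress` and is untranslated to the real server; the
        server's reply is then routed back to the client and checked against the
        connection's interface (or zone)."""
        forward_egress = self.egress(server_real)
        reply_egress = self.egress(client)
        accepted = reply_egress == ingress or self.same_zone(ingress, reply_egress)
        reason = "ok" if accepted else (
            f"reply would leave {reply_egress} but the connection was built on {ingress}")
        return {"forward_egress": forward_egress, "reply_egress": reply_egress,
                "reply_accepted": accepted, "reason": reason}


def run_scenarios(client="203.0.113.10", server_real="10.0.0.1"):
    """Assumed topology: default route via outside, inside LAN 10.0.0.0/24, and the
    crypto-enabled interface (g0/1 in the thread) taken to be outside2."""
    asa = AsaModel(routes=[("0.0.0.0/0", "outside"), ("10.0.0.0/24", "inside")],
                   crypto_interfaces={"outside2"})
    results = {"default_route_only": asa.trace_connection(client, server_real, "outside2")}
    try:   # fix 1 from the thread: group both outside interfaces in a traffic zone
        asa.zone_member("outside-zone", "outside")
        asa.zone_member("outside-zone", "outside2")
        results["zone"] = asa.trace_connection(client, server_real, "outside2")
    except ValueError as err:
        results["zone"] = {"error": str(err)}
    # fix 2 from the thread: a more specific route for the client prefix via outside2
    asa.add_route("203.0.113.0/24", "outside2")
    results["specific_route"] = asa.trace_connection(client, server_real, "outside2")
    return results


def zone_without_crypto(client="203.0.113.10", server_real="10.0.0.1"):
    """Same topology with no crypto on either outside interface: the zone alone is enough."""
    asa = AsaModel(routes=[("0.0.0.0/0", "outside"), ("10.0.0.0/24", "inside")])
    asa.zone_member("outside-zone", "outside")
    asa.zone_member("outside-zone", "outside2")
    return asa.trace_connection(client, server_real, "outside2")
```

run_scenarios() shows the reply leaving outside for a connection built on outside2 (dropped), the zone attempt failing on the crypto interface, and the specific route making the reply egress outside2 (accepted); zone_without_crypto() shows that, with no crypto on either interface, the zone alone keeps the connection even though the reply still leaves outside. The model covers only the state-table check and the two fixes discussed here; it does not model PBR.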

There's an error on int g0/1: "zone-member outside" gives "ERROR: Interface with crypto features enabled can't be part of zone", but on int g0/2 there is no error. Thank you.

The default route is via the outside interface.

And I'm using PBR to route to the outside2 interface. Or do I need to create a static NAT with a route-map?

Thanks

I think you would still have an issue, as you are not able to place G0/1 in the zone-pair.

Whether it is specific IPs or all IPs that are going to access through outside2 will determine whether you use static routing or PBR.

--

Please remember to select a correct answer and rate helpful posts
