1219 Views, 10 Helpful, 12 Replies

Static NAT issue

Ejaz Ahmed
Level 1

Hi Experts,

Please help me on this. I have attached my network diagram with this post.
My firewall is a Cisco ASA 5510 running software version 8.4. I have configured static NAT for three servers (in the diagram, Server 1, 2 and 3). The issue is that the static NAT is only working for the first server. No traffic is going in or out of the other two servers (Server 2 and 3). All servers are in the DMZ.

When I remove the static NAT for Server 2 and 3, all the traffic from those servers goes out with the WAN IP of the firewall, which means the dynamic NAT is working. I have attached the configuration file also.

(NOTE: NAT is working for the Server 72.16.34.1)

Regards,
Ejaz


1 Accepted Solution


12 Replies

Vibhor Amrodia
Cisco Employee

Hi Ejaz,

Can you please verify the NAT statements for only the servers which are not working? It is very difficult to search for them in the configuration which you have provided.

Also, you can send the packet-tracer outputs from the Outside to the DMZ for the servers which are not working.

Thanks and Regards,

Vibhor Amrodia

Hi Vibhor,

I have attached the NAT configuration of one of the servers that is having the issue. Also, please see the packet-tracer output:

ASA5510# packet-tracer input Outside tcp 4.2.2.2 12345 w.w.w.w 80 detaile$

Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
object network 172.16.34.3_Rev_NAT
 nat (DMZ,Outside) static 23.30.88.139 dns
Additional Information:
NAT divert to egress interface DMZ
Untranslate w.w.w.w/80 to 172.16.34.3/80

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         Outside

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group OUTSIDE_DMZ_ACCESS_IN_ACL in interface Outside
access-list OUTSIDE_DMZ_ACCESS_IN_ACL extended permit tcp any object UCALLTEL-DMZ-VOIPSRV-02-172.16.34.3 eq www
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xac8f08c0, priority=13, domain=permit, deny=false
        hits=1, user_data=0xa9863780, cs_id=0x0, use_real_addr, flags=0x0, protocol=6
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0
        dst ip/id=172.16.34.3, mask=255.255.255.255, port=80, dscp=0x0
        input_ifc=Outside, output_ifc=any

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xac03ccb0, priority=0, domain=inspect-ip-options, deny=true
        hits=152903, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
        input_ifc=Outside, output_ifc=any

Phase: 5
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xaf133240, priority=70, domain=inspect-http, deny=false
        hits=10024, user_data=0xaf132770, cs_id=0x0, use_real_addr, flags=0x0, protocol=6
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=80, dscp=0x0
        input_ifc=Outside, output_ifc=any

Phase: 6
Type: IDS
Subtype:
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xaca29438, priority=50, domain=ids, deny=false
        hits=33660, user_data=0xaf58bd60, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
        input_ifc=Outside, output_ifc=any

Phase: 7
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xad2d6908, priority=13, domain=ipsec-tunnel-flow, deny=true
        hits=65250, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
        input_ifc=Outside, output_ifc=any

Phase: 8
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
object network 172.16.34.3_Rev_NAT
 nat (DMZ,Outside) static w.w.w.w dns
Additional Information:
 Forward Flow based lookup yields rule:
 out id=0xaeb79b70, priority=6, domain=nat-reverse, deny=false
        hits=1, user_data=0xafa57f48, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0
        dst ip/id=172.16.34.3, mask=255.255.255.255, port=0, dscp=0x0
        input_ifc=Outside, output_ifc=DMZ

Phase: 9
Type: USER-STATISTICS
Subtype: user-statistics
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 out id=0xaf119ad8, priority=0, domain=user-statistics, deny=false
        hits=41909, user_data=0xaf144310, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
        input_ifc=any, output_ifc=DMZ

Phase: 10
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
 Reverse Flow based lookup yields rule:
 in  id=0xac0ef7b8, priority=0, domain=inspect-ip-options, deny=true
        hits=64267, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
        input_ifc=DMZ, output_ifc=any

Phase: 11
Type: USER-STATISTICS
Subtype: user-statistics
Result: ALLOW
Config:
Additional Information:
 Reverse Flow based lookup yields rule:
 out id=0xaf118a48, priority=0, domain=user-statistics, deny=false
        hits=150381, user_data=0xaf144310, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
        input_ifc=any, output_ifc=Outside

Phase: 12
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 609401, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_inspect_http
snp_fp_translate
snp_ids
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Module information for reverse flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_tcp_normalizer
snp_fp_inspect_http
snp_ids
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Result:
input-interface: Outside
input-status: up
input-line-status: up
output-interface: DMZ
output-status: up
output-line-status: up
Action: allow
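When reading a long packet-tracer trace like the one above, the first things to look for are the final Action, the first phase whose Result is not ALLOW (with its Drop-reason), and what the UN-NAT phase untranslated the destination to. The parser below is an added example written for this thread, not code from Cisco or from either poster; it works on the "Phase: / Type: / Result:" layout shown above, and the two sample traces embedded in it are constructed and shortened (the public address 203.0.113.10 is a documentation address standing in for the poster's w.w.w.w).

```python
"""Summarise Cisco ASA 'packet-tracer ... detailed' output (added example)."""
import re

PHASE_SPLIT = re.compile(r"(?m)^Phase:[ \t]*")


def parse_packet_tracer(text):
    """Return (phases, final): phases is a list of dicts, final is the trailer as a dict."""
    # The trailer starts at a bare "Result:" line; per-phase lines read "Result: ALLOW".
    head, _, tail = text.partition("\nResult:\n")
    phases = []
    for chunk in PHASE_SPLIT.split(head)[1:]:
        lines = chunk.splitlines()
        ph = {"number": int(lines[0].strip()), "type": "", "subtype": "",
              "result": "", "config": [], "info": []}
        section = None
        for line in lines[1:]:
            if line.startswith("Type:"):
                ph["type"] = line[len("Type:"):].strip()
            elif line.startswith("Subtype:"):
                ph["subtype"] = line[len("Subtype:"):].strip()
            elif line.startswith("Result:"):
                ph["result"] = line[len("Result:"):].strip()
            elif line.startswith("Config:"):
                section = "config"
            elif line.startswith("Additional Information:"):
                section = "info"
            elif line.strip() and section:
                ph[section].append(line.strip())
        phases.append(ph)
    final = {}
    for line in tail.splitlines():
        if ":" in line:
            key, value = line.split(":", 1)
            final[key.strip()] = value.strip()
    return phases, final


def diagnose(text):
    """Pull out what you look at first: final action, first non-ALLOW phase, UN-NAT mapping."""
    phases, final = parse_packet_tracer(text)
    first_drop = next((p for p in phases if p["result"].upper() != "ALLOW"), None)
    untranslate = None
    for p in phases:
        if p["type"] == "UN-NAT":
            for line in p["info"]:
                m = re.match(r"Untranslate (\S+) to (\S+)", line)
                if m:
                    untranslate = (m.group(1), m.group(2))
    return {"phases": len(phases), "action": final.get("Action"),
            "drop_reason": final.get("Drop-reason"),
            "first_drop": first_drop, "untranslate": untranslate}


# Constructed sample: a shortened trace in the same shape as the one in the thread.
SAMPLE_ALLOW = """Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
object network 172.16.34.3_Rev_NAT
 nat (DMZ,Outside) static 203.0.113.10 dns
Additional Information:
NAT divert to egress interface DMZ
Untranslate 203.0.113.10/80 to 172.16.34.3/80

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         Outside

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group OUTSIDE_DMZ_ACCESS_IN_ACL in interface Outside
Additional Information:

Result:
input-interface: Outside
input-status: up
output-interface: DMZ
output-status: up
Action: allow
"""

# Constructed sample of the failure shape: an ACL phase that drops the packet.
SAMPLE_DROP = """Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         Outside

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: Outside
input-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

if __name__ == "__main__":
    for name, sample in (("allow", SAMPLE_ALLOW), ("drop", SAMPLE_DROP)):
        print(name, diagnose(sample))
```

A trace that ends in "Action: allow" with a correct Untranslate line, as the poster's does, tells you the ASA's NAT and ACL logic is not the problem; the packet is being sent to the DMZ, so the next step is to capture on both interfaces and see whether anything comes back.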


Hi Ejaz,

Thank you for the reply. To be sure: are all the public IPs being used for NAT on the ASA device in the Outside interface pool? Correct?

If no, add this command:- arp permit-nonconnected

If yes, I think the issue might not be with the ASA device. Are these some new IP addresses, and have we used them before?

I would request you to apply the captures on the ASA device interfaces and see which device is not replying:-

capture capout interface Outside match ip host <Public IP of server which is not working> any

capture capin interface DMZ match ip host <Private IP of server which is not working> any

Send me the captures if required.

Thanks and Regards,

Vibhor Amrodia

Hi

Thank you for the reply.

"Outside interface pool"? I didn't get it. Could you please explain this to me?

I am using the public IP addresses in the same IP block provided by the ISP. When I configured the public IP on the server and connected it directly to the ISP router, it was working fine.

Regards

Ejaz

Hi Ejaz,

For ex:- If you have the external interface configured as:-

ip address 1.1.1.1 255.255.255.248

The NATted IP should be within this range of IP addresses:-

For ex:- 1.1.1.1 - 1.1.1.6

If not, you would need this command on the ASA device:-

arp permit-nonconnected

Thanks and Regards,

Vibhor Amrodia
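The check Vibhor describes, mapped address inside the Outside interface's usable range or else "arp permit-nonconnected", is easy to automate over an ASA configuration. The script below is an added example written for this thread, not Cisco code or the poster's configuration; it assumes the object-NAT syntax shown in the packet-tracer output above ("object network ... / nat (DMZ,Outside) static <ip>") and the standard "interface / nameif / ip address <addr> <mask>" layout. The embedded configuration is constructed, with 203.0.113.0/29 standing in for the ISP block.

```python
"""Flag static NAT mapped IPs that are off the mapped interface's subnet (added example)."""
import ipaddress
import re

IF_RE = re.compile(r"^interface\s+(\S+)")
NAMEIF_RE = re.compile(r"^\s*nameif\s+(\S+)")
IPADDR_RE = re.compile(r"^\s*ip address\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)")
OBJ_RE = re.compile(r"^object network\s+(\S+)")
NAT_RE = re.compile(r"^\s*nat\s+\((\S+),(\S+)\)\s+static\s+(\d+\.\d+\.\d+\.\d+)")


def interface_networks(config):
    """Map each nameif to the IPv4Network its 'ip address <addr> <mask>' line places it in."""
    nets, block = {}, {}
    for line in config.splitlines() + ["interface END"]:  # sentinel flushes the last block
        if IF_RE.match(line):
            if block.get("nameif") and block.get("net"):
                nets[block["nameif"]] = block["net"]
            block = {}
            continue
        m = NAMEIF_RE.match(line)
        if m:
            block["nameif"] = m.group(1)
        m = IPADDR_RE.match(line)
        if m:
            # ipaddress accepts the dotted-mask form the ASA uses.
            block["net"] = ipaddress.IPv4Interface(f"{m.group(1)}/{m.group(2)}").network
    return nets


def static_nats(config):
    """List (object_name, real_if, mapped_if, mapped_ip) for every static object NAT."""
    out, obj = [], None
    for line in config.splitlines():
        m = OBJ_RE.match(line)
        if m:
            obj = m.group(1)
            continue
        m = NAT_RE.match(line)
        if m and obj:
            out.append((obj, m.group(1), m.group(2), ipaddress.IPv4Address(m.group(3))))
    return out


def check_nat_reachability(config):
    """One verdict per static NAT: on the mapped interface's usable range, or off-subnet.

    Off-subnet mapped addresses are the case Vibhor's reply covers: the ASA needs
    'arp permit-nonconnected' before it will answer ARP for them.
    """
    nets = interface_networks(config)
    permit_nonconnected = re.search(r"(?m)^arp permit-nonconnected\s*$", config) is not None
    findings = []
    for obj, real_if, mapped_if, mapped_ip in static_nats(config):
        net = nets.get(mapped_if)
        # usable range excludes the network and broadcast addresses (1.1.1.1 - 1.1.1.6 in the /29 example)
        usable = net is not None and net.network_address < mapped_ip < net.broadcast_address
        if usable:
            verdict = "ok"
        elif permit_nonconnected:
            verdict = "off-subnet, covered by arp permit-nonconnected"
        else:
            verdict = "off-subnet, needs arp permit-nonconnected"
        findings.append({"object": obj, "real_if": real_if, "interface": mapped_if,
                         "mapped_ip": str(mapped_ip), "subnet": str(net), "verdict": verdict})
    return findings


# Constructed sample configuration: one mapped IP inside the /29, one outside it.
SAMPLE_CONFIG = """interface Ethernet0/0
 nameif Outside
 security-level 0
 ip address 203.0.113.2 255.255.255.248
!
interface Ethernet0/2
 nameif DMZ
 security-level 50
 ip address 172.16.34.254 255.255.255.0
!
object network 172.16.34.1_Rev_NAT
 host 172.16.34.1
 nat (DMZ,Outside) static 203.0.113.3 dns
object network 172.16.34.3_Rev_NAT
 host 172.16.34.3
 nat (DMZ,Outside) static 203.0.113.17 dns
"""

if __name__ == "__main__":
    for f in check_nat_reachability(SAMPLE_CONFIG):
        print(f"{f['object']:<24} {f['mapped_ip']:<15} {f['interface']:<8} {f['verdict']}")
```

Run it against "show running-config" output. A NAT that reports "ok" here, as all three in the thread do, means the address is on the connected subnet and the ASA will proxy-ARP for it by default, which moves suspicion upstream to whatever holds the ARP entry for that address.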

Hi Vibhor,

Thank you so much for that quick response.

We are using the IP addresses in the same pool.


Regards

Ejaz

Hi Ejaz,

Then, I think you should proceed with the captures on the ASA device interfaces.

Thanks and Regards,

Vibhor Amrodia

Hi Vibhor

I have attached the capture result with the post.

I tried to ping from the server to the IP 8.8.8.8


Regards,

Ejaz

Hi Ejaz,

I think, as you can see in the captures, we only see uni-directional traffic through the ASA device and no reply from the outside server.

This can mean that the IP Addresses might not be working.

Is this ASA device in production at this moment ?

Thanks and Regards,

Vibhor Amrodia
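The reasoning in this reply, compare the DMZ-side and Outside-side captures of the same test and see on which side the replies stop, can be done mechanically on "show capture" output. The script below is an added example written for this thread, not Cisco code or the poster's captures; it assumes lines of the form "N: HH:MM:SS.ffffff src > dst: proto ..." and the sample captures are constructed to mirror the ping to 8.8.8.8 described above (203.0.113.17 stands in for the server's mapped public address).

```python
"""Find where the reply went missing from a pair of ASA captures (added example)."""
import ipaddress
import re
from collections import defaultdict

# Assumed line shape: "   1: 10:05:41.100000 172.16.34.3 > 8.8.8.8: icmp: echo request"
# TCP/UDP lines carry ".port" suffixes ("203.0.113.17.49152 > 8.8.8.8.53:"), which are tolerated.
PKT_RE = re.compile(
    r"^\s*\d+:\s+\S+\s+(?P<src>\d+\.\d+\.\d+\.\d+)(?:\.\d+)?\s+>\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?:\.\d+)?:"
)


def direction_counts(capture_text):
    """Per unordered host pair: packets a->b, b->a, and whether only one direction was seen."""
    counts = defaultdict(lambda: [0, 0])
    for line in capture_text.splitlines():
        m = PKT_RE.match(line)
        if not m:
            continue  # "3 packets captured" and similar header lines are skipped
        src, dst = m.group("src"), m.group("dst")
        pair = tuple(sorted((src, dst), key=ipaddress.IPv4Address))
        counts[pair][0 if src == pair[0] else 1] += 1
    return {pair: {"forward": c[0], "reverse": c[1], "one_way": 0 in c}
            for pair, c in counts.items()}


def locate_missing_reply(capin_text, capout_text):
    """Compare the DMZ-side (capin) and Outside-side (capout) captures of one test."""
    inside = direction_counts(capin_text)
    outside = direction_counts(capout_text)
    if not outside:
        return "nothing left the Outside interface: check the NAT and ACL on the ASA"
    inside_two_way = any(not f["one_way"] for f in inside.values())
    outside_two_way = any(not f["one_way"] for f in outside.values())
    if inside_two_way:
        return "two-way on both sides: traffic is flowing"
    if outside_two_way:
        return "replies reach Outside but not DMZ: check reverse translation and the DMZ ACL"
    return "requests leave Outside with no reply: the upstream device is not answering the mapped IP"


# Constructed captures for a ping from the DMZ server to 8.8.8.8.
CAPIN_NO_REPLY = """3 packets captured
   1: 10:05:41.100000 172.16.34.3 > 8.8.8.8: icmp: echo request
   2: 10:05:42.100000 172.16.34.3 > 8.8.8.8: icmp: echo request
   3: 10:05:43.100000 172.16.34.3 > 8.8.8.8: icmp: echo request
3 packets shown
"""
CAPOUT_NO_REPLY = """3 packets captured
   1: 10:05:41.100200 203.0.113.17 > 8.8.8.8: icmp: echo request
   2: 10:05:42.100200 203.0.113.17 > 8.8.8.8: icmp: echo request
   3: 10:05:43.100200 203.0.113.17 > 8.8.8.8: icmp: echo request
3 packets shown
"""
CAPOUT_WITH_REPLY = """4 packets captured
   1: 10:05:41.100200 203.0.113.17 > 8.8.8.8: icmp: echo request
   2: 10:05:41.120000 8.8.8.8 > 203.0.113.17: icmp: echo reply
   3: 10:05:42.100200 203.0.113.17 > 8.8.8.8: icmp: echo request
   4: 10:05:42.120000 8.8.8.8 > 203.0.113.17: icmp: echo reply
4 packets shown
"""

if __name__ == "__main__":
    print(locate_missing_reply(CAPIN_NO_REPLY, CAPOUT_NO_REPLY))
    print(locate_missing_reply(CAPIN_NO_REPLY, CAPOUT_WITH_REPLY))
```

Paste the output of "show capture capin" and "show capture capout" (the captures defined earlier in the thread) into the two inputs. The poster's case is the last branch: requests leave Outside already translated to the public address and nothing comes back, which points at the ISP router rather than at the ASA.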


Hi Vibhor,


Yes, this ASA is in production. When I assigned the public IP to the server directly and connected the server to the ISP router, it was working fine.


Regards,

Ejaz

Hi Ejaz,

Would you be able to try this workaround:-

https://supportforums.cisco.com/blog/149276/asapix-proxy-arp-vs-gratuitous-arp

I think the issue is with the IP addresses provided by the ISP.

Thanks and Regards,

Vibhor Amrodia

Hi Vibhor

Thank you very much for the help. It was the same issue mentioned in the link. Once we rebooted the ISP router, everything started working.

Thanks again. :) :) :)


Ejaz
