cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2240
Views
0
Helpful
7
Replies

Static NAT not working....NEED help fast!

robbo79871
Level 1
Level 1

SNAT.png

 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
Hi guys, so basically i have no clue as to why the SNAT i've setup on my ASA here to go to R2 here for telnet on R2 from either R3 or R4 isnt working. All the other config is up and working on everything else, R2 can ping R3 as well through the dynamic NAT rule i've setup, the static NAT for some unknown reason just doesnt seem to want to work and I think i've done everything right to. I'll post the config here for the ASA...................
ASA Version 9.9(2)
!
hostname ciscoasa
enable password $sha512$5000$OesS1Q0ztcWz2bIF489rMw==$vyauUzBcHsmkMIwL8g8ZIA== pbkdf2
names

!
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 1.1.1.2 255.255.255.252
!
interface GigabitEthernet0/1
nameif dmz
security-level 50
ip address 10.20.20.1 255.255.255.0
!
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/5
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/6
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
shutdown
no nameif
no security-level
no ip address
!
ftp mode passive
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object service PORT_5000
service tcp destination eq 5000
object service PORT_23
service tcp destination eq telnet
object network SERVER
host 10.20.20.10
object service TELNET
service tcp source eq telnet
access-list outside_to_dmz extended permit tcp any host 10.20.20.10 eq telnet
access-list outside_to_dmz extended permit tcp any any eq telnet
pager lines 23
mtu outside 1500
mtu dmz 1500
no failover
no monitor-interface service-module
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
icmp permit any dmz
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 8192
nat (dmz,outside) source dynamic any interface
!
object network SERVER
nat (dmz,outside) static interface service tcp telnet telnet
access-group outside_to_dmz in interface outside
route outside 0.0.0.0 0.0.0.0 1.1.1.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
user-identity default-domain LOCAL
aaa authentication login-history
no snmp-server location
no snmp-server contact
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpoint _SmartCallHome_ServerCA
no validation-usage
crl configure
crypto ca trustpool policy
auto-import
crypto ca certificate chain _SmartCallHome_ServerCA
certificate ca 513fb9743870b73440418d30930699ff
    30820538 30820420 a0030201 02021051 3fb97438 70b73440 418d3093 0699ff30
    0d06092a 864886f7 0d01010b 05003081 ca310b30 09060355 04061302 55533117
    30150603 55040a13 0e566572 69536967 6e2c2049 6e632e31 1f301d06 0355040b
    13165665 72695369 676e2054 72757374 204e6574 776f726b 313a3038 06035504
    0b133128 63292032 30303620 56657269 5369676e 2c20496e 632e202d 20466f72
    20617574 686f7269 7a656420 75736520 6f6e6c79 31453043 06035504 03133c56
    65726953 69676e20 436c6173 73203320 5075626c 69632050 72696d61 72792043
    65727469 66696361 74696f6e 20417574 686f7269 7479202d 20473530 1e170d31
    33313033 31303030 3030305a 170d3233 31303330 32333539 35395a30 7e310b30
    09060355 04061302 5553311d 301b0603 55040a13 1453796d 616e7465 6320436f
    72706f72 6174696f 6e311f30 1d060355 040b1316 53796d61 6e746563 20547275
    7374204e 6574776f 726b312f 302d0603 55040313 2653796d 616e7465 6320436c
    61737320 33205365 63757265 20536572 76657220 4341202d 20473430 82012230
    0d06092a 864886f7 0d010101 05000382 010f0030 82010a02 82010100 b2d805ca
    1c742db5 175639c5 4a520996 e84bd80c f1689f9a 422862c3 a530537e 5511825b
    037a0d2f e17904c9 b4967719 81019459 f9bcf77a 9927822d b783dd5a 277fb203
    7a9c5325 e9481f46 4fc89d29 f8be7956 f6f7fdd9 3a68da8b 4b823341 12c3c83c
    ccd6967a 84211a22 04032717 8b1c6861 930f0e51 80331db4 b5ceeb7e d062acee
    b37b0174 ef6935eb cad53da9 ee9798ca 8daa440e 25994a15 96a4ce6d 02541f2a
    6a26e206 3a6348ac b44cd175 9350ff13 2fd6dae1 c618f59f c9255df3 003ade26
    4db42909 cd0f3d23 6f164a81 16fbf283 10c3b8d6 d855323d f1bd0fbd 8c52954a
    16977a52 2163752f 16f9c466 bef5b509 d8ff2700 cd447c6f 4b3fb0f7 02030100
    01a38201 63308201 5f301206 03551d13 0101ff04 08300601 01ff0201 00303006
    03551d1f 04293027 3025a023 a021861f 68747470 3a2f2f73 312e7379 6d63622e
    636f6d2f 70636133 2d67352e 63726c30 0e060355 1d0f0101 ff040403 02010630
    2f06082b 06010505 07010104 23302130 1f06082b 06010505 07300186 13687474
    703a2f2f 73322e73 796d6362 2e636f6d 306b0603 551d2004 64306230 60060a60
    86480186 f8450107 36305230 2606082b 06010505 07020116 1a687474 703a2f2f
    7777772e 73796d61 7574682e 636f6d2f 63707330 2806082b 06010505 07020230
    1c1a1a68 7474703a 2f2f7777 772e7379 6d617574 682e636f 6d2f7270 61302906
    03551d11 04223020 a41e301c 311a3018 06035504 03131153 796d616e 74656350
    4b492d31 2d353334 301d0603 551d0e04 1604145f 60cf6190 55df8443 148a602a
    b2f57af4 4318ef30 1f060355 1d230418 30168014 7fd365a7 c2ddecbb f03009f3
    4339fa02 af333133 300d0609 2a864886 f70d0101 0b050003 82010100 5e945649
    dd8e2d65 f5c13651 b603e3da 9e7319f2 1f59ab58 7e6c2605 2cfa81d7 5c231722
    2c3793f7 86ec85e6 b0a3fd1f e232a845 6fe1d9fb b9afd270 a0324265 bf84fe16
    2a8f3fc5 a6d6a393 7d43e974 21913528 f463e92e edf7f55c 7f4b9ab5 20e90abd
    e045100c 14949a5d a5e34b91 e8249b46 4065f422 72cd99f8 8811f5f3 7fe63382
    e6a8c57e fed008e2 25580871 68e6cda2 e614de4e 52242dfd e5791353 e75e2f2d
    4d1b6d40 15522bf7 87897812 816ed94d aa2d78d4 c22c3d08 5f87919e 1f0eb0de
    30526486 89aa9d66 9c0e760c 80f274d8 2af8b83a ced7d60f 11be6bab 14f5bd41
    a0226389 f1ba0f6f 2963662d 3fac8c72 c5fbc7e4 d40ff23b 4f8c29c7
  quit
telnet timeout 5
ssh stricthostkeycheck
ssh timeout 5
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 0
console serial
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
dynamic-access-policy-record DfltAccessPolicy
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum client auto
  message-length maximum 512
  no tcp-inspection
policy-map global_policy
class inspection_default
  inspect ip-options
  inspect netbios
  inspect rtsp
  inspect sunrpc
  inspect tftp
  inspect xdmcp
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect esmtp
  inspect sqlnet
  inspect sip
  inspect skinny
  inspect icmp
policy-map type inspect dns migrated_dns_map_2
parameters
  message-length maximum client auto
  message-length maximum 512
  no tcp-inspection
policy-map type inspect dns migrated_dns_map_1
parameters
  message-length maximum client auto
  message-length maximum 512
  no tcp-inspection
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
profile License
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination transport-method http
Cryptochecksum:a0a7c6dc8e3805dbe0d5cb85e1458e7f
: end
7 Replies 7

Hi,

Your dynamic nat "nat (dmz,outside) source dynamic any interface" would be above the static nat defined for telnet and thus causing an issue.

Remove the dynamic nat and re-enter with after-auto command configured, this will move the dynamic rule to NAT Section 3 and processed after the static nat

 

"nat (dmz,outside) after-auto source dynamic any interface"

 

HTH

 

 

 

Thanks for your help, sadly it didnt work. I did run packet-tracer though afterwards and if i do packet-tracer input outside tcp 5.5.5.2 23 1.1.1.2 23 it will return all allows but if i run packet-tracer input outside tcp 5.5.5.2 23 10.20.20.10 23 then it fails at "Phase 6 rpf-check"

Upload the full output of the first packet-tracer for review.

Run "show nat" and confirm whether the traffic is hitting the correct nat rule.

If traffic is matching the correct nat rule, confirm the router has a default route to respond to the traffic and that the router is configured correctly for telnet.

HTH

Thanks for your reply again, here is the out for the first packet-tracer command.....

ciscoasa(config)# packet-tracer input outside tcp 5.5.5.2 23 1.1.1.2 23

Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
object network SERVER
nat (dmz,outside) static interface service tcp telnet telnet
Additional Information:
NAT divert to egress interface dmz
Untranslate 1.1.1.2/23 to 10.20.20.10/23

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside_to_dmz in interface outside
access-list outside_to_dmz extended permit tcp any host 10.20.20.10 eq telnet
Additional Information:

Phase: 3
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (dmz,outside) after-auto source dynamic any interface
Additional Information:

Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: QOS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
object network SERVER
nat (dmz,outside) static interface service tcp telnet telnet
Additional Information:

Phase: 8
Type: QOS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 9
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 10
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 11
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 11, packet dispatched to next module

Phase: 12
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 10.20.20.10 using egress ifc dmz

Phase: 13
Type: ADJACENCY-LOOKUP
Subtype: next-hop and adjacency
Result: ALLOW
Config:
Additional Information:
adjacency Active
next-hop mac address c402.0686.0010 hits 7 reference 1

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: dmz
output-status: up
output-line-status: up
Action: allow
###########################################################################################################
ciscoasa(config)# show nat

Auto NAT Policies (Section 2)
1 (dmz) to (outside) source static SERVER interface service tcp telnet telnet
translate_hits = 0, untranslate_hits = 4

Manual NAT Policies (Section 3)
1 (dmz) to (outside) source dynamic any interface
translate_hits = 0, untranslate_hits = 0
#########################################################################################################
The ASA and routers definitely have the correct routes on them and the router is setup for telnet to because i can telnet to it on the same router, thanks again....

RIGHT, it is working now, the very last telnet i did i was using the private IP instead of public (it has been a long day trust me!). But i'm sure it wouldnt have worked without your help there.

This is all linked and simulauted basically bascause today i spent around 6 hours trying to configure static NAT rules for port 80,443 and 8850 and could not get the traffic it to work at all!
I've just logged back onto the production firewall and moved the dynamic rule to after-auto for the dmz interfaces but had no luck again. The auto NAT rules are still not getting triggered. The thing is i have about another 6 manual NAT rules in there for site to site tunnels that are live at the moment but on different interfaces etc... Do i need to move them all with the after-auto command as well. Looks like i might have to delete them to and put them back in with that command to get them underneath the auto-NAT rules.......???

Good to hear it's working in the lab.

As far as your production firewall is concerned, without seeing your current configuration I cannot be certain. If you run packet-tracer using the public IP address as the destination, confirm which nat rule is being hit, if it's the wrong nat rule then potentially you may need to move the dynamic nat rule using after-auto.

You would need to remove the existing rules and then re-add using after-auto.

HTH

My production firewall is behaving exactly like my GNS3 firewall as far as packet-tracer is concerned, it stops on Phase 3 and complains about an ACL drop just like the GNS3 firewall before i moved the manual NAT polices behind the auto-NAT ones......Thanks for your continued help with this to, it was driving me mental today.
Review Cisco Networking for a $25 gift card