Static NAT not working on 5512X

jgenender
Level 1

I have been using an ASA 5505 for quite a while and decided it was time to upgrade.  So I went to a 5512-X and I have been very unsuccessful in getting static NAT to work.

Here is the situation (IPs and domains changed to protect the innocent):

I have an outside set of IPs of 1.1.1.78/29

I have inside setup of 10.0.1.0/24

I have a web server that is at 1.1.1.77 and I want it mapped to 10.0.1.0

Internet from the inside to the outside works just fine.  But I cannot get inbound traffic to my webserver.

Config is more or less:
!

interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 1.1.1.73 255.255.255.248
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.0.197.254 255.255.255.0
!

object network webserver
 host 10.0.197.1
object network webserver-external-ip
 host 1.1.1.77

object-group icmp-type DM_INLINE_ICMP_1
 icmp-object echo-reply
 icmp-object source-quench
 icmp-object time-exceeded
 icmp-object unreachable

access-list outside_access_in extended permit tcp any object webserver eq www
access-list outside_access_in extended permit icmp any any object-group DM_INLINE_ICMP_1
access-list inside_access_in extended permit ip any any

object network webserver
 nat (inside,outside) static webserver-external-ip
!
nat (inside,outside) after-auto source dynamic any interface
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 1.1.1.78 1

show nat detail:

1 (inside) to (outside) source static webserver webserver-external-ip  
    translate_hits = 2276, untranslate_hits = 4
    Source - Origin: 10.0.197.1/32, Translated: 1.1.1.77/32

Manual NAT Policies (Section 3)
1 (inside) to (outside) source dynamic any interface  
    translate_hits = 0, untranslate_hits = 0
    Source - Origin: 0.0.0.0/0, Translated: 1.1.1.73/29

Packet trace inbound:

packet-tracer input outside tcp 8.8.8.8 12345 1.1.1.77 http

Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
object network webserver
 nat (inside,outside) static webserver-external-ip
Additional Information:
NAT divert to egress interface inside
Untranslate 1.1.1.77/80 to 10.0.197.1/80

Phase: 2
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 1.1.1.78 using egress ifc  outside

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside_access_in in interface outside
access-list outside_access_in extended permit tcp any4 object webserver eq www
Additional Information:

Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
              
Phase: 7
Type:
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type:
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 9
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
object network webserver
 nat (inside,outside) static webserver-external-ip
Additional Information:

Phase: 10     
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 11
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 12
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 12995, packet dispatched to next module

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: allow

packet trace from webserver on the inside out:

packet-tracer input inside tcp 10.0.197.1 http 8.8.8.8 12345

Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 1.1.1.78 using egress ifc  outside

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside_access_in in interface inside
access-list inside_access_in extended permit ip any any
Additional Information:

Phase: 3
Type: NAT
Subtype:
Result: ALLOW
Config:
object network webserver
 nat (inside,outside) static webserver-external-ip
Additional Information:
Static translate 10.0.197.1/80 to 1.1.1.77/80

Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type:
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 7      
Type:
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (inside,outside) after-auto source dynamic any interface
Additional Information:

Phase: 9
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 10
Type: IP-OPTIONS
Subtype:      
Result: ALLOW
Config:
Additional Information:

Phase: 11
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 13448, packet dispatched to next module

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
output-status: up
output-line-status: up
Action: allow

Now here is the interesting part... I get no traffic to the internet from the inside with the web rule in effect.  The only way that gets working again is if I either remove the webserver nat or I move the manual nat (section 3) to section 1.  But the webserver access never works.

My goals are to have static nat from the outside web server ip to the internal, and to also have general internet access from the inside. As stated before, it worked great on an ASA5505.


Any ideas?  
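As an added illustration (not part of the original post or the replies): a small Python helper that parses packet-tracer output in the format quoted above and reports the UN-NAT mapping, the final action, and the first phase that did not return ALLOW. The sample trace is constructed for this example; its DROP phase and the Drop-reason line are assumed, not taken from the page.

```python
import re

# Constructed sample in the format of the post's packet-tracer runs (abridged; not the page's output).
SAMPLE = """\
Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
object network webserver
 nat (inside,outside) static webserver-external-ip
Additional Information:
NAT divert to egress interface inside
Untranslate 1.1.1.77/80 to 10.0.197.1/80

Phase: 2
Type: ACCESS-LIST
Result: DROP

Result:
output-interface: inside
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

def parse_packet_tracer(text):
    """Return (phases, summary): per-phase type/result and 'Additional Information' lines."""
    phases, summary, cur, info = [], {}, None, False
    for line in text.splitlines():
        key, sep, val = (s.strip() for s in line.partition(":"))
        if key == "Phase":
            cur, info = {"phase": int(val), "info": []}, False
            phases.append(cur)
        elif key == "Result" and not val:        # bare 'Result:' opens the final summary block
            cur = None
        elif cur is None and sep:                # summary key/value pairs (Action, output-interface, ...)
            summary[key] = val
        elif cur is not None and key == "Additional Information":
            info = True
        elif cur is not None and info and line.strip():   # free-form lines such as 'Untranslate ...'
            cur["info"].append(line.strip())
        elif cur is not None and sep and not info:        # Type / Subtype / Result of this phase
            cur[key.lower()] = val
    return phases, summary

def diagnose(text):
    """Verdict: NAT untranslation applied, final action, and first non-ALLOW phase."""
    phases, summary = parse_packet_tracer(text)
    hits = [re.match(r"Untranslate (\S+) to (\S+)", l) for p in phases for l in p["info"]]
    untranslate = next((m.groups() for m in hits if m), None)
    blocked = next(((p["phase"], p.get("type")) for p in phases if p.get("result") != "ALLOW"), None)
    return {"untranslate": untranslate, "action": summary.get("Action"),
            "egress": summary.get("output-interface"), "blocked": blocked,
            "drop_reason": summary.get("Drop-reason")}
```

Running diagnose() on the two traces in the post would report the static untranslation to 10.0.197.1/80 with no blocked phase, which is why the trace alone did not explain the failure.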

6 Replies

jgenender
Level 1

Ok...one more bit of information.  The internet access is ok from the inside net as for some reason the web server happens to be my DNS server as well.  DNS resolution seems to completely stop with that static nat for the web server.  I have attempted to enable all protocols on the web server, but it still is not passing anything.  I think if I can crack that nut, this should be solved.  Ideas are welcome ;-)

Please remove this line 

no nat (inside,outside) after-auto source dynamic any interface

and copy the lines below instead.


object network obj-10.0.197.0-24
 subnet 10.0.197.0 255.255.255.0
 nat (inside,outside) dynamic interface


Let me know, if this helps.


Thanks

Rizwan Rafeek.

Unfortunately, that did not help.  Same thing... no static NAT on the web server.  It cannot get inbound traffic to the web.

Please post your whole configuration.


thanks


Hi. Thanks for following up.  I actually did the dirty deed and opened a TAC case and we got it working.  It wasn't the unit, it was something stupidly external.  I'm embarrassed to say what ;-)

No worries.


Good to hear it is working for you.


thanks
