06-17-2013 09:20 AM - edited 03-11-2019 06:59 PM
Hello,
I have an inside host with the IP address 189.37.122.98.
I want to translate this IP address to 212.200.11.100.
I created the object below for NAT:
UPDATED:
object network ob1
 host 189.37.122.98
 nat (inside,outside) static 212.200.11.100
Inside IP address 189.37.122.98 is reachable via ICMP.
But NAT is not working.
ASA# sh nat
Auto NAT Policies (Section 2)
1 (inside) to (outside) source static ob1 213.230.22.100
translate_hits = 0, untranslate_hits = 404
Please let me know how to troubleshoot this.
Regards,
Parvez
06-17-2013 09:29 AM
Hi,
Can you confirm the IP addresses?
Neither the local nor the public IP address in the NAT configuration match what you are saying in the post.
- Jouni
06-17-2013 09:30 AM
Hello,
So, if you ping 213.230.22.100 it does not reply, right?
Is there any NAT statement prior to this that mentions the object 198.73.221.89?
EDIT: Yeah, Jouni is right, the NATted IP address you are trying to access is different than the one on the NAT command.
Remember to rate all of the helpful posts.
For this community that's as important as a thanks.
06-17-2013 09:38 AM
There is no NAT on the ASA except this. Ping to 213.230.22.100 is not working.
We have 213.230.22.1 on the ASA outside interface and the next hop is 213.230.22.2.
We are using public IP addresses inside and outside of the ASA.
Moreover, I have applied "permit ip any any" on the outside interface.
I used the packet tracer command to check the packet from outside. It was successful.
Could you please let me know how we can check SYN, SYN/ACK and ACK on the ASA?
Below is the command output for show conn.
ASA# sh conn detail
52 in use, 397 most used
Flags: A - awaiting inside ACK to SYN, a - awaiting outside ACK to SYN,
B - initial SYN from outside, b - TCP state-bypass or nailed,
C - CTIQBE media, c - cluster centralized,
D - DNS, d - dump, E - outside back connection, F - outside FIN, f - inside FIN,
G - group, g - MGCP, H - H.323, h - H.225.0, I - inbound data,
i - incomplete, J - GTP, j - GTP data, K - GTP t3-response
k - Skinny media, M - SMTP data, m - SIP media, n - GUP
O - outbound data, P - inside back connection, p - Phone-proxy TFTP connection,
q - SQL*Net data, R - outside acknowledged FIN,
R - UDP SUNRPC, r - inside acknowledged FIN, S - awaiting inside SYN,
s - awaiting outside SYN, T - SIP, t - SIP transient, U - up,
V - VPN orphan, W - WAAS,
X - inspected by service module,
x - per session, Y - director stub flow, y - backup stub flow,
Z - Scansafe redirection, z - forwarding stub flow
TCP outside: 5.108.26.165/20623 inside: 189.37.122.98/443,
flags SaAB , idle 0s, uptime 0s, timeout 30s, bytes 0
TCP outside: 87.109.3.170/1564 inside: 189.37.122.98/443,
flags SaAB , idle 0s, uptime 0s, timeout 30s, bytes 0
TCP outside: 112.200.19.205/50429 inside: 189.37.122.98/443,
flags SaAB , idle 2s, uptime 2s, timeout 30s, bytes 0
06-17-2013 09:42 AM
Hi,
I meant that in the original post you tell what the IP addresses used are, both behind the firewall and on the firewall itself as the NAT IP address.
Then you mention the configuration used. But in the configuration you use completely different IP addresses than you tell us originally. Have you checked that there are no mistakes in the IP addresses used?
The TCP connection flags you refer to tell that the SYN has come from "outside" but no reply to this has come from the "inside".
Confirm that the actual configuration follows this logic:
object network
host
nat (inside,outside) static
- Jouni
06-17-2013 09:54 AM
For more clarification,
server(189.37.122.98)...............inside(10.1.1.1)ASA(212.200.11.100)outside...........internet
Next hop for the inside: 10.1.1.2.
Next hop for the outside: 212.200.11.2
From the ASA, IP address 189.37.122.98 is reachable.
NATted IP address:
189.37.122.98--------->>212.200.11.100
I am getting hit on permit ip any any applied on the outside interface.
Please let me know if you need more information.
Regards,
06-17-2013 09:59 AM
Hi,
The "show conn detail" output above shows that there are TCP connections on your firewall destined for that IP address behind the firewall.
However, the device behind the firewall isn't replying to these connections. Judging from that, the problem is not on the firewall but rather behind the firewall.
The most common reason would be
- Jouni
06-17-2013 10:01 AM
Hello Jouni,
I am using the same logic.
i.e.
object network
host
nat (inside,outside) static
I just want to know how we can check that the ASA inside interface is getting the reply/SYN-ACK packet from the server.
OR
Is there any other way to fix this issue?
Regards,
06-17-2013 10:08 AM
Hi,
These outputs are telling us that there is no TCP SYN ACK from the "inside" server.
TCP outside: 5.108.26.165/20623 inside: 189.37.122.98/443,
flags SaAB , idle 0s, uptime 0s, timeout 30s, bytes 0
TCP outside: 87.109.3.170/1564 inside: 189.37.122.98/443,
flags SaAB , idle 0s, uptime 0s, timeout 30s, bytes 0
TCP outside: 112.200.19.205/50429 inside: 189.37.122.98/443,
flags SaAB , idle 2s, uptime 2s, timeout 30s, bytes 0
As you can see from your above post, the TCP flags "SaAB" mean the following:
So as you can see, the ASA has only seen the initial TCP SYN from the host on the "outside" that is trying to connect. It's still waiting for the "inside" host to reply to the TCP SYN with TCP SYN, ACK. The ASA is naturally also waiting to see a TCP ACK from the "outside" host for the forming TCP connection to be complete.
If the TCP flags stay the same as above, then it simply means that the server is not replying to the connections or the return traffic is not routed correctly back to the ASA.
Another way to confirm what traffic/messages are going through the ASA would be to configure a traffic capture.
- Jouni
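Jouni's reading of the "SaAB" flags, turned into a small parser as an added example (not code from the thread or from Cisco): it stitches the two-line "show conn detail" entries back together, maps the flags to a handshake state, and summarizes per inside server. The first two conn entries are the thread's own; the 203.0.113.7 entry, the field names and the classification strings are constructed for the example.

```python
import re
from collections import Counter

# One stitched entry: interfaces, endpoints, flags, idle, uptime, timeout, bytes.
CONN_RE = re.compile(
    r"TCP\s+\w+:\s*([\d.]+)/(\d+)\s+\w+:\s*([\d.]+)/(\d+),\s*flags\s+(\S+)\s*,"
    r"\s*idle\s+\d+s,\s*uptime\s+(\d+)s,\s*timeout\s+[^,]+,\s*bytes\s+(\d+)")

# Two conn entries from the thread plus one constructed healthy connection (203.0.113.7).
SAMPLE = """\
TCP outside: 5.108.26.165/20623 inside: 189.37.122.98/443,
flags SaAB , idle 0s, uptime 0s, timeout 30s, bytes 0
TCP outside: 112.200.19.205/50429 inside: 189.37.122.98/443,
flags SaAB , idle 2s, uptime 2s, timeout 30s, bytes 0
TCP outside: 203.0.113.7/40001 inside: 189.37.122.98/443,
flags UIOB , idle 1s, uptime 12s, timeout 1h0m, bytes 5210
"""

def parse_show_conn(text):
    # The ASA wraps each entry over two lines: glue a 'flags' line onto its 'TCP' line.
    stitched = []
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("TCP"):
            stitched.append(line)
        elif line.startswith("flags") and stitched:
            stitched[-1] += " " + line
    conns = []
    for m in filter(None, map(CONN_RE.match, stitched)):
        o_ip, o_port, i_ip, i_port, flags, uptime, nbytes = m.groups()
        conns.append({"outside": f"{o_ip}/{o_port}", "inside": f"{i_ip}/{i_port}",
                      "flags": flags, "uptime": int(uptime), "bytes": int(nbytes)})
    return conns

def classify(conn):
    # B with S: the ASA saw the outside SYN but the inside host never sent SYN-ACK.
    f = conn["flags"]
    if "U" in f:
        return "established"
    if "B" in f and "S" in f:
        return "half-open: outside SYN seen, no SYN-ACK from inside host"
    if "s" in f:
        return "half-open: inside SYN seen, no SYN-ACK from outside host"
    return "handshake in progress"

def diagnose(text):
    # Per inside server: every inbound connection stuck waiting for the SYN-ACK points
    # at the server or its return route, not the NAT rule.
    return dict(Counter((c["inside"].split("/")[0], classify(c))
                        for c in parse_show_conn(text)))
```

Paste the TCP portion of a real "show conn detail" into `diagnose()`; a server whose only states are the half-open one is the case this thread ends up in.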
06-17-2013 10:17 AM
Thanks a lot Jouni.
I will check the rest of the network configuration and will contact the server team.
Regards,
06-17-2013 11:13 AM
Hi Jouni,
I want to connect another interface of ASA with another ISP.
and need to configure the ASA for the 10.0.0.0/8 subnet (user subnet) to use this ISP for internet.
Is it possible to connect the server from ISP1 (using NAT translation) and users to connect to ISP2 (interface NAT) using different interfaces of the ASA?
If yes, default route to which ISP?
Regards,
06-17-2013 11:35 AM
Hi,
I would try to first confirm that you get the Static NAT working before looking at doing something else.
And for the Dual ISP setup it would be better to make a new discussion rather than mix those things with this Static NAT problem.
- Jouni
06-19-2013 12:59 PM
Thanks a lot Jouni.
It is working fine. It was the issue on the server which you mentioned above.
Regards,