Static NAT to backend network
02-11-2013 12:11 PM - edited 03-11-2019 05:59 PM
I have this setup:
outside <-> [ASA] <-> inside (10.21.30.0/23) <-> [router] <-> inside2 (10.21.40.0/23)
I added this:
static (inside,outside) tcp 1.2.3.180 www 10.21.41.100 www netmask 255.255.255.255
access-list main_acl extended permit ip any host 10.21.41.100
route inside 10.21.40.0 255.255.254.0 10.21.31.1 1
I'm able to ping from the ASA to 10.21.41.100 and back to the ASA from this box, so the route works.
But if I'm outside and telnet to 1.2.3.180 80, it does not work. (Changing the rule to a host on the 10.21.30.0/23 network works fine, so it's a route issue.)
packet-tracer DROPS here:
tpfw01# packet-tracer input outside tcp 4.4.4.4 80 10.21.41.100 80
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 10.21.40.0 255.255.254.0 inside
Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group main_acl in interface outside
access-list main_acl extended permit ip any host 10.21.41.100
Additional Information:
Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 4
Type: FOVER
Subtype: standby-update
Result: ALLOW
Config:
Additional Information:
Phase: 5
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
Phase: 6
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
static (inside,outside) tcp 1.2.3.180 www 10.21.41.100 www netmask 255.255.255.255
match tcp inside host 10.21.41.100 eq 80 outside any
static translation to 1.2.3.180/80
translate_hits = 0, untranslate_hits = 3
Additional Information:
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
02-11-2013 01:24 PM
Hi,
To me it seems you are opening the traffic to the Real IP address rather than the NAT IP address which should be used.
- If you are running ASA software 8.2 or below/older, you will need to use the NAT IP addresses as the destination address when you make ACL rules
- If you are running ASA software 8.3 or higher/newer, you will need to use the Real IP addresses as the destination address when you make ACL rules
So in your above case the ACL should rather be the following
access-list main_acl permit tcp any host 1.2.3.180 eq 80
Also your "packet-tracer" destination IP address should be the NAT IP address rather than the Real IP address. This is why the "packet-tracer" fails.
- Jouni
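One way to turn the version rule in the reply above into a configuration audit, as an added example that is not from the thread (assumes only the simplified `static (in,out) tcp MAPPED PORT REAL PORT netmask ...` and `access-list NAME [extended] permit PROTO any host DST [eq PORT]` forms seen here):

```python
import re

# Assumption: only the two command forms used in this thread are parsed.
STATIC_RE = re.compile(
    r"^static \((\w+),(\w+)\) (tcp|udp) (\S+) (\S+) (\S+) (\S+) netmask")
ACL_RE = re.compile(
    r"^access-list (\S+) (?:extended )?permit (\S+) any host (\S+)(?: eq (\S+))?")

# Constructed sample: the original poster's three lines, as written above.
CONFIG = [
    "static (inside,outside) tcp 1.2.3.180 www 10.21.41.100 www netmask 255.255.255.255",
    "access-list main_acl extended permit ip any host 10.21.41.100",
    "route inside 10.21.40.0 255.255.254.0 10.21.31.1 1",
]

def parse_statics(lines):
    """Return (mapped_ip, real_ip) pairs from port-based 'static' entries."""
    return [(m.group(4), m.group(6))
            for m in (STATIC_RE.match(l.strip()) for l in lines) if m]

def parse_acl_hosts(lines, acl_name):
    """Return destination hosts of 'permit ... any host X' entries in acl_name."""
    return [m.group(3) for m in (ACL_RE.match(l.strip()) for l in lines)
            if m and m.group(1) == acl_name]

def audit(lines, acl_name, version):
    """List (wrong_host, should_be) for ACL entries using the wrong address form.

    version is a tuple such as (8, 2): on 8.2 and older, outside ACLs match the
    mapped (NAT) address; on 8.3 and newer, they match the real address.
    """
    statics = parse_statics(lines)
    if version >= (8, 3):
        fix = {mapped: real for mapped, real in statics}   # wrote mapped, want real
    else:
        fix = {real: mapped for mapped, real in statics}   # wrote real, want mapped
    return [(h, fix[h]) for h in parse_acl_hosts(lines, acl_name) if h in fix]

def packet_tracer_dest(lines, real_ip):
    """packet-tracer entering on outside must target the mapped address."""
    return {real: mapped for mapped, real in parse_statics(lines)}.get(real_ip)

if __name__ == "__main__":
    for ver in ((8, 2), (8, 3)):
        print(ver, audit(CONFIG, "main_acl", ver))
    print("packet-tracer dest:", packet_tracer_dest(CONFIG, "10.21.41.100"))
```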
