Static NAT

johnlloyd_13
Level 9

Hi all,

Just a quick one: I tried to do a static NAT of an IPS' private IP to a public IP address so that I could SSH to it from the internet.

The IPS' private IP is already PAT'd to the ASA outside IP.

I can't seem to make the static NAT work, but PAT works. Packet tracer shows it's allowed.

Is it possible that both PAT and static NAT could exist for the same private IP?

2 Replies

Jon Marshall
Hall of Fame

I would have thought the static should take precedence over the PAT but it does depend on your NAT rule ordering if it is 8.3 or later.

Did you clear the xlate for the IPS before you tested?

If so, perhaps you can post the "sh nat" output indicating the relevant lines for the IPS?

Jon

Hi Jon,

I tried to do a 'clear xlate' but still can't HTTPS from outside.

Let me check on the FireSIGHT policy whether HTTPS is restricted to certain IPs.

I'm not sure if I've asked our vendor to allow 'inside' IP subnets only.

asa01# ping tcp seadrill 172.27.0.134 443   <<< IPS private IP
Type escape sequence to abort.
No source specified. Pinging from identity interface.
Sending 5 TCP SYN requests to 172.27.0.134 port 443
from 172.27.0.132, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

access-list OUTSIDE extended permit tcp any host 172.27.0.134 eq https

object network FIRESIGHT_MGT
 host 172.27.0.134
 nat (inside,outside) static 202.126.1xx.1yy

asa01# sh nat

Auto NAT Policies (Section 2)
1 (inside) to (outside) source static FIRESIGHT_MGT 202.126.1xx.1yy
    translate_hits = 2, untranslate_hits = 3

asa01# packet-tracer input outside tcp 1.1.1.1 443 202.126.1xx.1yy 443

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
object network FIRESIGHT_MGT
 nat (inside,outside) static 202.126.1xx.1yy
Additional Information:
NAT divert to egress interface seadrill
Untranslate 202.126.1xx.1yy/443 to 172.27.0.134/443

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group OUTSIDE in interface outside
access-list OUTSIDE extended permit tcp any host 172.27.0.134 eq https
Additional Information:

Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
object network FIRESIGHT_MGT
 nat (seadrill,outside) static 202.126.1xx.1yy
Additional Information:

Phase: 8
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 9
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
              
Phase: 10
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 227387, packet dispatched to next module

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: allow
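
Jon's two points (static versus PAT precedence depends on NAT rule ordering on 8.3+, and a stale xlate keeps the old translation in use until cleared), together with the UN-NAT and rpf-check phases in the packet-tracer output above, as an added Python model. This is illustration code written for this thread, not Cisco code and not from either poster. It assumes the documented lookup order (Section 1 manual NAT in config order; Section 2 object NAT sorted static before dynamic, then fewer real addresses, then lowest address, then name; Section 3 manual after-auto), a simplified rpf-check in which the reverse direction must select the same rule, and a constructed dynamic PAT named INSIDE_PAT for 172.27.0.0/24; only the object name FIRESIGHT_MGT, the host 172.27.0.134 and the masked public IP come from the thread.

```python
"""Toy model of ASA 8.3+ NAT rule precedence and the xlate table.

Added illustration for this thread, not Cisco code. Assumed lookup order:
  Section 1: manual (twice) NAT, in configuration order
  Section 2: auto (object) NAT, sorted static-before-dynamic, then fewer
             real addresses first, then lowest real address, then name
  Section 3: manual NAT configured "after-auto"
An existing xlate is reused before the rules are consulted.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass
class NatRule:
    name: str        # object name, or a label for a manual rule
    real: str        # real (inside) host or network
    mapped: str      # mapped (outside) address, or "interface" for PAT
    static: bool
    section: int     # 1 = manual, 2 = auto/object, 3 = manual after-auto
    order: int = 0   # configuration order inside sections 1 and 3

    @property
    def real_net(self):
        return ip_network(self.real, strict=False)


def auto_nat_key(rule):
    # Section 2 ordering: static first, then fewer real addresses,
    # then the lowest real address, then the object name.
    return (0 if rule.static else 1, rule.real_net.num_addresses,
            int(rule.real_net.network_address), rule.name)


def ordered_rules(rules):
    s1 = sorted((r for r in rules if r.section == 1), key=lambda r: r.order)
    s2 = sorted((r for r in rules if r.section == 2), key=auto_nat_key)
    s3 = sorted((r for r in rules if r.section == 3), key=lambda r: r.order)
    return s1 + s2 + s3


class NatTable:
    def __init__(self, rules):
        self.rules = ordered_rules(rules)
        self.xlates = {}  # real source IP -> name of the rule in use

    def match_rule(self, src_ip):
        """First rule, in lookup order, whose real address covers src_ip."""
        for rule in self.rules:
            if ip_address(src_ip) in rule.real_net:
                return rule
        return None

    def outbound(self, src_ip):
        """Rule used for a new inside->outside flow from src_ip."""
        if src_ip in self.xlates:  # an existing xlate wins over rule lookup
            return self.xlates[src_ip]
        rule = self.match_rule(src_ip)
        if rule is not None:
            self.xlates[src_ip] = rule.name
            return rule.name
        return None

    def inbound(self, dst_ip):
        """Untranslate a public destination (UN-NAT phase) and apply the
        reverse-path check (rpf-check phase): the reverse direction must
        select the same rule, otherwise the flow is dropped."""
        for rule in self.rules:
            if rule.static and rule.mapped == dst_ip:
                if self.match_rule(rule.real) is not rule:
                    return ("DROP", "nat-rpf-failed")
                return ("UNTRANSLATE", rule.real)
        return ("DROP", "no-static-mapping")  # PAT offers no unsolicited inbound path

    def clear_xlate(self, ip=None):
        """Model of 'clear xlate': all entries, or one host's entry."""
        if ip is None:
            self.xlates.clear()
        else:
            self.xlates.pop(ip, None)


def demo(pat_in_section1=False, stale_pat_xlate=False):
    """Constructed scenario from the thread: an object-NAT static for the IPS
    host next to a dynamic PAT for its /24 (the subnet is an assumption)."""
    rules = [
        NatRule("INSIDE_PAT", "172.27.0.0/24", "interface", static=False,
                section=1 if pat_in_section1 else 2, order=1),
        NatRule("FIRESIGHT_MGT", "172.27.0.134", "202.126.1xx.1yy",
                static=True, section=2),
    ]
    table = NatTable(rules)
    if stale_pat_xlate:  # translation left over from before the static existed
        table.xlates["172.27.0.134"] = "INSIDE_PAT"
    before = table.outbound("172.27.0.134")
    table.clear_xlate("172.27.0.134")
    after = table.outbound("172.27.0.134")
    return {"order": [r.name for r in table.rules],
            "before_clear": before, "after_clear": after,
            "inbound": table.inbound("202.126.1xx.1yy")}


if __name__ == "__main__":
    for kwargs in ({}, {"stale_pat_xlate": True}, {"pat_in_section1": True}):
        print(kwargs, demo(**kwargs))
```

With both rules as object NAT (the "sh nat" output above shows the static in Section 2), the static sorts ahead of the dynamic PAT, so a new outbound flow from the IPS and an inbound flow to the public IP both pick FIRESIGHT_MGT; a leftover PAT xlate keeps winning until it is cleared, which is Jon's first question. If instead the PAT is a manual rule in Section 1, it covers the host first, the outbound flow uses PAT, and the inbound untranslate fails the rpf-check phase, which is the case where rule ordering matters. The model ignores destination-based and interface-specific matching.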
