08-28-2015 07:13 AM - edited 03-11-2019 11:30 PM
Hi all,
Just a quick one: I tried to do a static NAT of an IPS's private IP to a public IP address so that I could SSH to it from the internet.
The IPS's private IP is already PAT'd to the ASA outside IP.
I can't seem to make the static NAT work, but PAT works. Packet tracer shows it's allowed.
Is it possible that both PAT and static NAT could exist for the same private IP?
08-28-2015 08:26 AM
I would have thought the static should take precedence over the PAT, but it does depend on your NAT rule ordering if it is 8.3 or later.
Did you clear the xlate for the IPS before you tested?
If so, perhaps you can post the "sh nat" output indicating the relevant lines for the IPS?
Jon
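As an added illustration of the rule ordering Jon is referring to (this is not configuration from the thread; the object names, interface names and addresses are hypothetical), here is an ASA 8.3+ configuration in which one host has both a dynamic PAT and a static NAT. In auto (object) NAT, which the ASA places in Section 2 of the NAT table, static rules are evaluated before dynamic ones, so outbound traffic from the host takes the static mapping. If the PAT is instead written as manual NAT, which lands in Section 1, it is matched before any auto NAT rule and the host PATs out to the interface address even though the static rule exists.

```text
! Section 2 (auto NAT): the static single-host rule sorts ahead of the
! dynamic subnet rule, so 10.0.0.10 leaves as 203.0.113.10
object network INSIDE_NET
 subnet 10.0.0.0 255.255.255.0
 nat (inside,outside) dynamic interface
!
object network MGMT_HOST
 host 10.0.0.10
 nat (inside,outside) static 203.0.113.10
!
! Section 1 (manual NAT) form of the same PAT. Manual NAT is evaluated
! before every auto NAT rule, so with this line present 10.0.0.10 would
! PAT to the interface address on outbound connections instead:
! nat (inside,outside) source dynamic INSIDE_NET interface
!
! To confirm which rule a flow actually hits: "show nat" lists the table
! in evaluation order, and "show xlate" shows the mapping a live
! connection took.
```

The practical check is to read "show nat" top to bottom with the real source and destination in mind; the first matching rule wins, regardless of how specific a later rule is.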
08-29-2015 03:25 AM
Hi Jon,
I tried to do a 'clear xlate' but still can't HTTPS from outside.
Let me check on the FireSIGHT policy if HTTPS is restricted to certain IPs.
I'm not sure if I've asked our vendor to allow 'inside' IP subnets only.
asa01# ping tcp seadrill 172.27.0.134 443 <<< IPS private IP
Type escape sequence to abort.
No source specified. Pinging from identity interface.
Sending 5 TCP SYN requests to 172.27.0.134 port 443
from 172.27.0.132, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
access-list OUTSIDE extended permit tcp any host 172.27.0.134 eq https
object network FIRESIGHT_MGT
host 172.27.0.134
nat (inside,outside) static 202.126.1xx.1yy
asa01# sh nat
Auto NAT Policies (Section 2)
1 (inside) to (outside) source static FIRESIGHT_MGT 202.126.1xx.1yy
translate_hits = 2, untranslate_hits = 3
asa01# packet-tracer input outside tcp 1.1.1.1 443 202.126.1xx.1yy 443
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list
Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
object network FIRESIGHT_MGT
nat (inside,outside) static 202.126.1xx.1yy
Additional Information:
NAT divert to egress interface seadrill
Untranslate 202.126.1xx.1yy/443 to 172.27.0.134/443
Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group OUTSIDE in interface outside
access-list OUTSIDE extended permit tcp any host 172.27.0.134 eq https
Additional Information:
Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 6
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Phase: 7
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
object network FIRESIGHT_MGT
nat (seadrill,outside) static 202.126.1xx.1yy
Additional Information:
Phase: 8
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 9
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 10
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 227387, packet dispatched to next module
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: allow
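When comparing several packet-tracer runs it helps to turn the text into structured data rather than eyeballing ten phases. The following Python parser is an added example, not part of the thread; it splits the trace into phases, pulls out the UN-NAT mapping and the final action, reports the first non-ALLOW phase if any, and collects the (real,mapped) interface pairs from every NAT rule the tracer quotes. The sample is an abridged copy of the trace posted above (the redacted public IP is kept as written), and the NAT-phase check shows why the collector is useful: it surfaces that the UN-NAT phase quotes nat (inside,outside) while the rpf-check phase quotes nat (seadrill,outside), a difference worth confirming against the running config.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Abridged copy of the packet-tracer output posted in the thread (phases 1, 2, 3, 7
# and 10 plus the final summary); used here as sample input.
SAMPLE = """\
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list
Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
object network FIRESIGHT_MGT
 nat (inside,outside) static 202.126.1xx.1yy
Additional Information:
NAT divert to egress interface seadrill
Untranslate 202.126.1xx.1yy/443 to 172.27.0.134/443
Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group OUTSIDE in interface outside
access-list OUTSIDE extended permit tcp any host 172.27.0.134 eq https
Additional Information:
Phase: 7
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
object network FIRESIGHT_MGT
 nat (seadrill,outside) static 202.126.1xx.1yy
Additional Information:
Phase: 10
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 227387, packet dispatched to next module
Result:
input-interface: outside
output-interface: inside
Action: allow
"""


@dataclass
class Phase:
    number: int
    kind: str = ""          # the "Type:" value, e.g. UN-NAT
    subtype: str = ""
    result: str = ""        # ALLOW / DROP
    config: List[str] = field(default_factory=list)
    info: List[str] = field(default_factory=list)


@dataclass
class Trace:
    phases: List[Phase]
    summary: Dict[str, str]  # the final "Result:" block, e.g. {"Action": "allow"}


def parse_packet_tracer(text: str) -> Trace:
    """Split ASA packet-tracer output into phases plus the trailing summary block."""
    phases: List[Phase] = []
    summary: Dict[str, str] = {}
    current: Optional[Phase] = None
    section: Optional[str] = None  # which sub-block we are inside
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = re.match(r"Phase:\s*(\d+)$", line)
        if m:
            current = Phase(int(m.group(1)))
            phases.append(current)
            section = None
            continue
        if line == "Result:":  # a bare "Result:" opens the final summary block
            current, section = None, "summary"
            continue
        if section == "summary":
            key, _, value = line.partition(":")
            summary[key.strip()] = value.strip()
            continue
        if current is None:
            continue
        if line.startswith("Type:"):
            current.kind = line[len("Type:"):].strip()
        elif line.startswith("Subtype:"):
            current.subtype = line[len("Subtype:"):].strip()
        elif line.startswith("Result:"):
            current.result = line[len("Result:"):].strip()
        elif line == "Config:":
            section = "config"
        elif line == "Additional Information:":
            section = "info"
        elif section == "config":
            current.config.append(line)
        elif section == "info":
            current.info.append(line)
    return Trace(phases, summary)


def untranslate_mapping(trace: Trace) -> Optional[Tuple[str, str]]:
    """Return (mapped, real) from the UN-NAT phase, or None if no untranslation happened."""
    for ph in trace.phases:
        if ph.kind == "UN-NAT":
            for line in ph.info:
                m = re.match(r"Untranslate (\S+) to (\S+)", line)
                if m:
                    return m.group(1), m.group(2)
    return None


def first_drop(trace: Trace) -> Optional[Phase]:
    """The first phase whose result is not ALLOW; None when the whole trace allowed the packet."""
    for ph in trace.phases:
        if ph.result.upper() != "ALLOW":
            return ph
    return None


def nat_rule_interfaces(trace: Trace) -> Set[Tuple[str, str]]:
    """Collect the (real, mapped) interface pairs of every NAT rule the tracer quoted.
    More than one pair for a single object is worth checking against the running config."""
    pairs: Set[Tuple[str, str]] = set()
    for ph in trace.phases:
        for line in ph.config:
            m = re.match(r"nat \((\S+?),(\S+?)\)", line)
            if m:
                pairs.add((m.group(1), m.group(2)))
    return pairs


if __name__ == "__main__":
    t = parse_packet_tracer(SAMPLE)
    print("phases:", [p.number for p in t.phases])
    print("untranslate:", untranslate_mapping(t))
    print("first drop:", first_drop(t))
    print("nat interface pairs:", sorted(nat_rule_interfaces(t)))
    print("action:", t.summary.get("Action"))
```

Feed it the output of several runs (for example one sourced from the outside and one from the inside) and diff the untranslate mapping and the interface pairs; when the tracer allows the packet end to end, as it does here, the remaining suspects are outside the ASA, such as an access list on the managed device itself.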