08-20-2018 07:16 AM - edited 02-21-2020 08:07 AM
Hi there,
I'm trying to set up a static PAT to a host behind an ASA. Public IP port 2222 is supposed to connect to port 22 of the internal IP 192.168.10.11.
The packet-tracer result looks as if it gets hijacked by another NAT rule.
I have included the config bits below. x.x.x.98 is the public IP of the outside interface.
I have removed four NAT rules from the sh nat result (they work and don't seem to be part of the problem).
object network MGMT-INSIDE-HOSTS
range 10.10.18.0 255.255.255.128
object network VPN-HOSTS
range 10.10.10.128 255.255.255.192
object network MGMT-LAN-AP
range 10.10.13.128 255.255.255.128
object network SERVER
range 192.168.10.0 255.255.255.0
object network SERVER-SSH
host 192.168.10.11
object network EXT-Service-IP
host x.x.x.18
nat (lanmgmt,outside) source static MGMT-LAN-AP MGMT-LAN-AP destination static VPN-HOSTS VPN-HOSTS
nat (inside,outside) source static MGMT-INSIDE-HOSTS MGMT-INSIDE-HOSTS destination static VPN-HOSTS VPN-HOSTS
nat (inside,outside) source dynamic MGMT-INSIDE-HOSTS interface
!
object network MGMT-INSIDE-HOSTS
nat (inside,outside) dynamic interface
object network SERVER-SSH
nat (server,outside) static interface service tcp ssh 2222
!
nat (lanmgmt,outside) after-auto source dynamic MGMT-LAN-AP interface
nat (server,outside) after-auto source dynamic server pat-pool EXT-Service-IP
packet-tracer result:
ASA01# packet-tracer input outside tcp x.x.x.98 2222 192.168.10.11 22
Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (lanmgmt,outside) source static MGMT-LAN-AP MGMT-LAN-AP destination static VPN-HOSTS VPN-HOSTS
Additional Information:
NAT divert to egress interface lanmgmt
Untranslate 192.168.10.11/22 to 192.168.10.11/22
Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: lanmgmt
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
ASA01# sh nat
Manual NAT Policies (Section 1)
1 (lanmgmt) to (outside) source static MGMT-LAN-AP MGMT-LAN-AP destination static VPN-HOSTS VPN-HOSTS
translate_hits = 1174, untranslate_hits = 2396
2 (inside) to (outside) source static MGMT-INSIDE-HOSTS MGMT-INSIDE-HOSTS destination static VPN-HOSTS VPN-HOSTS
translate_hits = 0, untranslate_hits = 0
!
!
!
!
7 (inside) to (outside) source dynamic MGMT-INSIDE-HOSTS interface
translate_hits = 0, untranslate_hits = 0
Auto NAT Policies (Section 2)
1 (server) to (outside) source static SERVER-SSH interface service tcp ssh 2222
translate_hits = 0, untranslate_hits = 0
2 (inside) to (outside) source dynamic MGMT-INSIDE-HOSTS interface
translate_hits = 0, untranslate_hits = 0
08-20-2018 07:59 AM
08-21-2018 01:09 AM
Hi again,
There is no ACL, so I can't allow the traffic; I would think that, as there is no ACL, it won't be denied.
I tried packet-tracer input outside tcp 1.1.1.123 3000 x.x.x.x 2222:
Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop <outside IF public IP> using egress ifc identity
Phase: 2
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
08-21-2018 01:17 AM
Hi,
By default the ASA has an implicit rule which does not allow traffic to flow from a lower-security interface to a higher-security interface, unless a specific extended ACL is configured.
Create an ACL to specifically allow the traffic, using the real IP address and real port.
HTH
08-21-2018 02:28 AM
Okay, I added an ACL to the outside interface.
access-list outside_access_in line 1 extended permit tcp any object SERVER-SSH eq ssh (hitcnt=0) 0xc061ee3e
access-list outside_access_in line 1 extended permit tcp any host 192.168.10.11 eq ssh (hitcnt=0) 0xc061ee3e
access-list outside_access_in line 2 extended permit ip any any (hitcnt=1) 0x7e78c5c4
I tried to connect to the host but still no luck. Do I need to also apply an ACL to the internal interface?
08-21-2018 02:40 AM
08-21-2018 06:13 AM
Here are the packet-tracer and sh nat outputs:
Do you need the complete sh xlate output? Because there are a ton of IPs to edit...
Here is the config:
ASA Version 9.8(2)
!
hostname ASA1
enable password $sha512$5000$PQK8KSYe0NmO+h5OBttOig==$aBwdZ7RMs21vTIRUI4SqNg== pbkdf2
passwd o2NK4e2wFa6gGEjn encrypted
names
ip local pool vpnpool 10.10.10.129-10.10.10.190 mask 255.255.255.192
!
interface GigabitEthernet1/1
channel-group 1 mode on
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/2
channel-group 1 mode on
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/3
channel-group 2 mode on
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/4
channel-group 2 mode on
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/5
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/6
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/7
channel-group 8 mode active
!
interface GigabitEthernet1/8
channel-group 8 mode active
!
interface Management1/1
management-only
no nameif
no security-level
no ip address
!
interface Port-channel1
lacp max-bundle 8
nameif outside
security-level 0
ip address x.x.x.98 255.255.255.224 standby x.x.x.99
!
interface Port-channel2
lacp max-bundle 8
no nameif
security-level 0
no ip address
!
interface Port-channel2.100
vlan 100
nameif lanmgmt
security-level 0
ip address 10.10.13.129 255.255.255.128 standby 10.10.13.130
!
interface Port-channel2.103
vlan 103
nameif inside
security-level 100
ip address 10.10.18.1 255.255.255.128 standby 10.10.18.2
!
interface Port-channel2.105
vlan 105
nameif bbb
security-level 0
ip address 10.b.b.1 255.255.255.240 standby 10.b.b.2
!
interface Port-channel2.200
vlan 200
nameif ccc
security-level 0
ip address 10.c.c.129 255.255.255.192 standby 10.c.c.130
!
interface Port-channel2.201
vlan 201
nameif ddd
security-level 0
ip address 10.d.d.1 255.255.255.192 standby 10.d.d.2
!
interface Port-channel2.203
vlan 203
nameif eee
security-level 0
ip address 10.e.e.193 255.255.255.192 standby 10.e.e.194
!
interface Port-channel2.221
vlan 221
nameif fff
security-level 0
ip address 10.f.f.209 255.255.255.240 standby 10.f.f.210
!
interface Port-channel2.301
vlan 301
nameif ggg
security-level 0
ip address 10.g.g.65 255.255.255.192 standby 10.g.g.66
!
interface Port-channel2.450
vlan 450
nameif hhh
security-level 0
ip address 10.h.h.65 255.255.255.192 standby 10.h.h.66
!
interface Port-channel2.800
vlan 800
nameif iii
security-level 0
ip address 192.168.1.1 255.255.255.0 standby 192.168.1.2
!
interface Port-channel2.801
vlan 801
nameif jjj
security-level 0
ip address 192.168.20.1 255.255.255.0 standby 192.168.20.2
!
interface Port-channel2.810
vlan 810
nameif kkk
security-level 0
ip address 192.168.15.1 255.255.255.0 standby 192.168.15.2
!
interface Port-channel2.820
vlan 820
nameif lll
security-level 0
ip address 192.168.21.1 255.255.255.0 standby 192.168.21.2
!
interface Port-channel2.821
vlan 821
nameif mmm
security-level 0
ip address 192.168.22.1 255.255.255.0 standby 192.168.22.2
!
interface Port-channel2.828
vlan 828
nameif nnn
security-level 0
ip address 192.168.25.1 255.255.255.0 standby 192.168.25.2
!
interface Port-channel2.850
vlan 850
nameif ooo
security-level 0
ip address 172.o.o.1 255.255.0.0 standby 172.o.o.2
!
interface Port-channel2.898
vlan 898
nameif server
security-level 0
ip address 192.168.10.1 255.255.255.0 standby 192.168.10.2
!
interface Port-channel2.899
vlan 899
nameif servermgmt
security-level 0
ip address 192.168.9.1 255.255.255.0 standby 192.168.9.2
!
interface Port-channel2.906
vlan 906
nameif ppp
security-level 0
ip address 10.p.p.193 255.255.255.240 standby 10.p.p.194
!
interface Port-channel2.1000
vlan 1000
nameif qqq
security-level 0
ip address 172.q.q.1 255.255.255.0 standby 172.q.q.2
!
interface Port-channel2.1254
vlan 1254
nameif rrr
security-level 0
ip address 172.r.r.1 255.255.252.0 standby 172.r.r.2
!
interface Port-channel8
description LAN Failover Interface
lacp max-bundle 8
!
banner login ------------------------------------WARNING-------------------------------
banner login ---------------------------------------------------------------------------
boot system disk0:/asa982-lfbff-k8.SPA
ftp mode passive
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network MGMT-INSIDE-HOSTS
range 10.10.18.0 255.255.255.128
object network VPN-HOSTS
range 10.110.18.128 255.255.255.192
object network XXX-NET
range 10.10.2.0 255.255.255.0
object network YYY-NET
range 10.10.1.0 255.255.255.0
object network MGMT-LAN-AP
range 10.10.13.128 255.255.255.128
object network MMM
range 192.168.22.1 255.255.255.0
object network CCC
range 10.c.c.128 255.255.255.192
object network EXT-Service-IP
host x.x.x.119
object network OOO
range 172.o.o.0 255.255.0.0
object network servermgmt
range 192.168.9.0 255.255.255.0
object network server
range 192.168.10.0 255.255.255.0
object network RRR
range 172.r.r.0 255.255.252.0
object network KKK
range 192.168.15.0 255.255.255.0
object network III
range 192.168.1.0 255.255.255.0
object network NNN
range 192.168.25.0 255.255.255.0
object network QQQ
range 172.q.q.0 255.255.255.0
object network LLL
range 192.168.21.0 255.255.255.0
object network HHH
range 10.h.h.64 255.255.255.192
object network JJJ
range 192.168.20.0 255.255.255.0
object network SERVER-SSH
host 192.168.10.11
description otrum Server
access-list Split_Tunnel_List remark Networks behind ASA
access-list Split_Tunnel_List standard permit 10.17.68.0 255.255.255.128
access-list Split_Tunnel_List standard permit 10.17.63.128 255.255.255.128
access-list XXX-NET remark Network behind xxx
access-list XXX-NET extended permit ip 10.10.18.0 255.255.255.128 10.10.2.0 255.255.255.0
access-list XXX-NET extended permit ip 10.10.33.128 255.255.255.128 10.10.2.0 255.255.255.0
access-list XXX-NET extended permit ip 10.10.2.0 255.255.255.0 10.10.13.128 255.255.255.128
access-list XXX-NET extended permit ip 10.10.2.0 255.255.255.0 10.10.18.0 255.255.255.128
access-list YYY-NET remark Network behind yyy
access-list YYY-NET extended permit ip 10.10.13.128 255.255.255.128 10.10.1.0 255.255.255.0
access-list YYY-NET extended permit ip 10.10.1.0 255.255.255.0 10.10.13.128 255.255.255.128
access-list YYY-NET extended permit ip 10.10.1.0 255.255.255.0 10.10.18.0 255.255.255.128
access-list YYY-NET extended permit ip 10.10.18.0 255.255.255.128 10.10.1.0 255.255.255.0
access-list outside_access_in extended permit tcp any object SERVER-SSH eq ssh
pager lines 24
logging enable
logging timestamp
logging list AUTH message 315011
logging list AUTH message 113005
logging list AUTH message 611103
logging list AUTH message 611102
logging list AUTH message 611101
logging list AUTH message 605005
logging list AUTH message 605004
logging list AUTH message 111008
logging list AUTH message 111009
logging buffer-size 100000
logging buffered debugging
logging trap AUTH
logging asdm informational
logging facility 19
logging host lanmgmt 10.10.13.133
logging message 315011 level debugging
logging message 113005 level debugging
logging message 611103 level debugging
logging message 611102 level debugging
logging message 611101 level debugging
logging message 605005 level debugging
logging message 605004 level debugging
logging message 111008 level debugging
mtu outside 1500
mtu lanmgmt 1500
mtu inside 1500
mtu bbbb 1500
mtu ccc 1500
mtu ddd 1500
mtu eee 1500
mtu fff 1500
mtu ggg 1500
mtu hhhh 1500
mtu iii 1500
mtu jjj 1500
mtu kkke 1500
mtu lll 1500
mtu mmm 1500
mtu nnn 1500
mtu ooo 1500
mtu server 1500
mtu servermgmt 1500
mtu ppp 1500
mtu qqq 1500
mtu rrr 1500
failover
failover lan unit primary
failover lan interface interface Port-channel8
failover interface ip interface 10.10.18.225 255.255.255.224 standby 10.10.18.226
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp outside x.x.x.119 mac.mac.mac alias
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
nat (lanmgmt,outside) source static MGMT-LAN-AP MGMT-LAN-AP destination static VPN-HOSTS VPN-HOSTS
nat (inside,outside) source static MGMT-INSIDE-HOSTS MGMT-INSIDE-HOSTS destination static VPN-HOSTS VPN-HOSTS
nat (lanmgmt,outside) source static MGMT-LAN-AP MGMT-LAN-AP destination static XXX-NET XXX-NET
nat (lanmgmt,outside) source static MGMT-LAN-AP MGMT-LAN-AP destination static SERVER-NET YYY-NET
nat (inside,outside) source static MGMT-INSIDE-HOSTS MGMT-INSIDE-HOSTS destination static XXX-NET LORD-NET
nat (inside,outside) source static MGMT-INSIDE-HOSTS MGMT-INSIDE-HOSTS destination static YYY-NET SERVER-NET
nat (inside,outside) source dynamic MGMT-INSIDE-HOSTS interface
!
object network MGMT-INSIDE-HOSTS
nat (inside,outside) dynamic interface
object network SERVER-SSH
nat (server,outside) static interface service tcp ssh 2222
!
nat (server,servermgmt) after-auto source dynamic otrum interface
nat (lanmgmt,outside) after-auto source dynamic MGMT-LAN-AP interface
nat (ccc,outside) after-auto source dynamic CCC pat-pool EXT-Service-IP
nat (ddd,outside) after-auto source dynamic DDD pat-pool EXT-Service-IP
nat (eee,outside) after-auto source dynamic EEE pat-pool EXT-Service-IP
nat (servermgmt,outside) after-auto source dynamic servermgmt pat-pool EXT-Service-IP
nat (fff,outside) after-auto source dynamic FFF pat-pool EXT-Service-IP
nat (ggg,outside) after-auto source dynamic GGG pat-pool EXT-Service-IP
nat (hhh,outside) after-auto source dynamic HHH pat-pool EXT-Service-IP
nat (iii,outside) after-auto source dynamic III pat-pool EXT-Service-IP
nat (jjj,outside) after-auto source dynamic JJJ pat-pool EXT-Service-IP
nat (kkk,outside) after-auto source dynamic KKK pat-pool EXT-Service-IP
route outside 0.0.0.0 0.0.0.0 x.x.x.x.97 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
aaa-server TAC protocol tacacs+
aaa-server TAC (outside) host x.x.x.3
key *****
user-identity default-domain LOCAL
aaa authentication ssh console TAC LOCAL
aaa authentication enable console TAC LOCAL
aaa authentication http console TAC LOCAL
aaa accounting command TAC
aaa accounting enable console TAC
aaa accounting ssh console TAC
aaa authentication login-history
http server enable
http x.x.x.0 255.255.240.0 outside
snmp-server host lanmgmt 10.10.13.133 poll community ***** version 2c
no snmp-server location
no snmp-server contact
snmp-server community *****
sysopt noproxyarp outside
sysopt noproxyarp lanmgmt
sysopt noproxyarp inside
sysopt noproxyarp ccwifi
service sw-reset-button
crypto ipsec ikev1 transform-set REMOTE_ACCESS_TS esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set LINUX-IPSEC esp-3des esp-sha-hmac
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map REMOTE_ACCESS_DYNMAP 1 set ikev1 transform-set REMOTE_ACCESS_TS
crypto map REMOTE_ACCESS_MAP 10 match address LORD-NET
crypto map REMOTE_ACCESS_MAP 10 set peer x.x.x.4
crypto map REMOTE_ACCESS_MAP 10 set ikev1 transform-set LINUX-IPSEC
crypto map REMOTE_ACCESS_MAP 10 set reverse-route
crypto map REMOTE_ACCESS_MAP 20 match address SERVER-NET
crypto map REMOTE_ACCESS_MAP 20 set peer x.x.x.5
crypto map REMOTE_ACCESS_MAP 20 set ikev1 transform-set LINUX-IPSEC
crypto map REMOTE_ACCESS_MAP 20 set reverse-route
crypto map REMOTE_ACCESS_MAP 65535 ipsec-isakmp dynamic REMOTE_ACCESS_DYNMAP
crypto map REMOTE_ACCESS_MAP interface outside
crypto ca trustpool policy
crypto ikev1 enable outside
crypto ikev1 policy 1
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 7200
crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
no ssh stricthostkeycheck
ssh x.x.x.0 255.255.240.0 outside
ssh 10.10.13.128 255.255.255.128 lanmgmt
ssh 10.10.18.0 255.255.255.128 inside
ssh timeout 5
ssh version 2
ssh cipher encryption high
ssh key-exchange group dh-group1-sha1
console timeout 10
dhcpd auto_config lanmgmt
!
dhcpd address 10.h.h.74-10.h.h.126 hhh
dhcpd dns 8.8.8.8 8.8.4.4 interface hhh
dhcpd option 3 ip 10.h.h.65 interface hhh
dhcpd enable hhh
!
dhcpd address 192.168.20.10-192.168.20.250 jjj
dhcpd dns 8.8.8.8 8.8.4.4 interface jjj
dhcpd option 3 ip 192.168.20.1 interface jjj
dhcpd enable jjj
!
dhcpd address 192.168.22.10-192.168.22.250 mmm
dhcpd dns 8.8.8.8 8.8.4.4 interface mmm
dhcpd option 3 ip 192.168.22.1 interface mmm
dhcpd enable mmm
!
dhcpd address 172.o.o.21-172.o.o+1.20 ooo
dhcpd dns 8.8.8.8 8.8.4.4 interface ooo
dhcpd option 3 ip 172.o.o.1 interface ooo
dhcpd enable ooo
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 10.10.13.133
group-policy ASA1 internal
group-policy ASA1 attributes
vpn-idle-timeout 1440
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Split_Tunnel_List
dynamic-access-policy-record DfltAccessPolicy
username admin password pw privilege 15
username root password pw privilege 15
tunnel-group ASA1 type remote-access
tunnel-group ASA1 general-attributes
address-pool vpnpool
authentication-server-group TAC LOCAL
default-group-policy FRARI
tunnel-group ASA1 ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group x.x.x.4 type ipsec-l2l
tunnel-group x.x.x.4 ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group x.x.x.5 type ipsec-l2l
tunnel-group x.x.x.5 ipsec-attributes
ikev1 pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
inspect icmp error
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:66bbe06f6ef62e66c9fd5e8a0ec8e8fe
: end
08-21-2018 09:44 AM
08-22-2018 01:19 AM
Hi,
I have added this:
access-group outside_access_in in interface outside
Still not working. Packet-tracer output:
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list
Phase: 2
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop x.x.x.98 using egress ifc identity
Phase: 3
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 4
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
08-22-2018 02:33 AM
08-22-2018 08:22 AM
Here is the complete output:
ASA1# packet-tracer input outside tcp 8.8.8.8 3000 x.x.x.98 2222 de$
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7ffa00658c10, priority=1, domain=permit, deny=false
hits=2718, user_data=0x0, cs_id=0x0, l3_type=0x8
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0100.0000.0000
input_ifc=outside, output_ifc=any
Phase: 2
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop x.x.x.98 using egress ifc identity
Phase: 3
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7ff9ff8ec930, priority=0, domain=nat-per-session, deny=false
hits=243, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=any, output_ifc=any
Phase: 4
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7ffa0065a040, priority=0, domain=permit, deny=true
hits=484, user_data=0xa, cs_id=0x0, use_real_addr, flags=0x1000, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=outside, output_ifc=any
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
08-23-2018 07:59 AM
Okay, as the ACLs did not help, I finally removed all other NAT rules and, of course, it worked fine.
Then I put the other rules back in one by one.
As it turns out, my static PAT only works if it is the first NAT rule (in the sh nat order).
How can I get it to always be #1 or is there any other workaround?
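An added example, not from the thread and not Cisco code: a small Python model of how the ASA chooses a NAT rule for a connection arriving on outside, run over the objects and rules from the first post. It assumes the documented meaning of the object keywords (`range` takes a first and a last address; a network with a mask is declared with `subnet`), the standard lookup order (Section 1 manual rules in config order, then Section 2 auto NAT, then Section 3 after-auto, first match wins), and it uses 203.0.113.98 as a constructed stand-in for the redacted x.x.x.98. Read literally, `range 10.10.13.128 255.255.255.128` spans every address from 10.10.13.128 up to 255.255.255.128, which includes 192.168.10.11, and `range 10.10.10.128 255.255.255.192` includes almost any public source address. Under that reading the model reproduces Phase 1 of the first packet-tracer (the Section 1 identity rule matching and diverting to lanmgmt); with the same objects declared as subnets, only the Section 2 static PAT matches a packet for the outside IP on port 2222. Whether this is the whole story on the real box is not something the thread shows, but mask-shaped `range` objects are the first thing to check before reordering rules.

```python
import ipaddress

OUTSIDE_IP = ipaddress.ip_address("203.0.113.98")  # constructed stand-in for the redacted x.x.x.98

# The thread's objects, as posted: `range` followed by something shaped like a netmask.
OBJECTS_AS_POSTED = {
    "MGMT-INSIDE-HOSTS": ("range", "10.10.18.0", "255.255.255.128"),
    "VPN-HOSTS": ("range", "10.10.10.128", "255.255.255.192"),
    "MGMT-LAN-AP": ("range", "10.10.13.128", "255.255.255.128"),
    "SERVER-SSH": ("host", "192.168.10.11", None),
}

# The same objects re-declared with `subnet`, the keyword a mask-shaped second argument suggests was meant.
OBJECTS_AS_SUBNETS = {
    name: ("subnet", a, b) if kind == "range" else (kind, a, b)
    for name, (kind, a, b) in OBJECTS_AS_POSTED.items()
}


def object_contains(objects, name, addr):
    """True if `addr` is a member of network object `name` under the given declarations."""
    kind, a, b = objects[name]
    addr = ipaddress.ip_address(addr)
    if kind == "host":
        return addr == ipaddress.ip_address(a)
    if kind == "range":  # ASA: range <first> <last>, inclusive
        return ipaddress.ip_address(a) <= addr <= ipaddress.ip_address(b)
    if kind == "subnet":  # ASA: subnet <network> <mask>
        return addr in ipaddress.ip_network(f"{a}/{b}", strict=False)
    raise ValueError(f"unknown object kind {kind}")


def overbroad_ranges(objects):
    """Flag `range` objects whose last address is mask-shaped (all ones, then all zeros):
    almost certainly a `subnet` typed as `range`. Returns {name: addresses covered}."""
    found = {}
    for name, (kind, a, b) in objects.items():
        if kind != "range":
            continue
        last = int(ipaddress.ip_address(b))
        inverted = ~last & 0xFFFFFFFF
        if inverted & (inverted + 1) == 0:  # low bits all ones => `b` looks like a mask
            found[name] = last - int(ipaddress.ip_address(a)) + 1
    return found


def _twice_identity(egress, mapped_src_obj, mapped_dst_obj):
    # `source static A A destination static B B` on (egress,outside): an inbound packet
    # matches when its source is in B (the mapped destination) and its destination in A.
    def match(objects, src, dst, dport):
        if object_contains(objects, mapped_dst_obj, src) and object_contains(objects, mapped_src_obj, dst):
            return {"egress": egress, "real_dst": str(dst), "real_port": dport, "kind": "UN-NAT identity"}
        return None
    return match


def _static_pat(egress, real_host_obj, mapped_port, real_port):
    # `static interface service tcp ssh 2222`: inbound match on the outside IP and the mapped port.
    def match(objects, src, dst, dport):
        if ipaddress.ip_address(dst) == OUTSIDE_IP and dport == mapped_port:
            return {"egress": egress, "real_dst": objects[real_host_obj][1],
                    "real_port": real_port, "kind": "UN-NAT static PAT"}
        return None
    return match


def _dynamic_only(objects, src, dst, dport):
    return None  # dynamic PAT rules create no inbound (untranslate) match on their own


# Inbound view of the NAT table from the first post, in ASA lookup order:
# Section 1 (manual, config order), Section 2 (auto), Section 3 (after-auto).
NAT_TABLE = [
    (1, "nat (lanmgmt,outside) source static MGMT-LAN-AP MGMT-LAN-AP destination static VPN-HOSTS VPN-HOSTS",
     _twice_identity("lanmgmt", "MGMT-LAN-AP", "VPN-HOSTS")),
    (1, "nat (inside,outside) source static MGMT-INSIDE-HOSTS MGMT-INSIDE-HOSTS destination static VPN-HOSTS VPN-HOSTS",
     _twice_identity("inside", "MGMT-INSIDE-HOSTS", "VPN-HOSTS")),
    (1, "nat (inside,outside) source dynamic MGMT-INSIDE-HOSTS interface", _dynamic_only),
    (2, "nat (server,outside) static interface service tcp ssh 2222", _static_pat("server", "SERVER-SSH", 2222, 22)),
    (2, "nat (inside,outside) dynamic interface", _dynamic_only),
    (3, "nat (lanmgmt,outside) after-auto source dynamic MGMT-LAN-AP interface", _dynamic_only),
]


def lookup_inbound(objects, src, dst, dport):
    """First matching rule for a packet arriving on outside, or None (packet is then routed un-NATed)."""
    for section, text, matcher in NAT_TABLE:
        hit = matcher(objects, src, dst, dport)
        if hit:
            hit.update(section=section, rule=text)
            return hit
    return None


if __name__ == "__main__":
    print("mask-shaped ranges:", overbroad_ranges(OBJECTS_AS_POSTED))
    for objs, label in ((OBJECTS_AS_POSTED, "as posted"), (OBJECTS_AS_SUBNETS, "as subnets")):
        print(label, "trace 1:", lookup_inbound(objs, "203.0.113.98", "192.168.10.11", 22))
        print(label, "trace 2:", lookup_inbound(objs, "8.8.8.8", "203.0.113.98", 2222))
```

Trace 1 is the first post's packet-tracer (source set to the outside IP, destination the real server address); trace 2 is the later, correctly formed one (an external source to the outside IP on 2222). On the real box the equivalent check is to compare the `range` lines in `show running-config object` against what `subnet` would give, and to look at `show nat detail` for untranslate hits on Section 1 rules that should never see this traffic.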