Strange NAT behavior ASA 5505

Hi,

We have an ASA 5505 running version 9.1(5) and we need to open TCP port 55055 on the firewall and redirect it to TCP port 80 on the QNAP Viostor at IP 192.168.11.254.

I have added one network object in this way:

object network Viostor
   host 192.168.11.54
   description QNAP_Viostor

NAT rule:

    nat (inside,outside) static interface service tcp 80 55055

Firewall rule:

   access-list outside_access_in line 8 remark Viostor

   access-list outside_access_in line 9 extended permit tcp any object Viostor eq 55055

When I try to connect with the Android app Vmobile I see this notification in the ASA log:

TCP request discarded from MY_EXTERNAL_IP to outside:X.Y:Z.W/55055

The ASA does not have UDP server that services the UDP request

I don't understand why UDP instead of TCP.

Please help me!

Thanks

Cisco Employee

Hello my friend,

  • First catch: confirm whether the host is 192.168.11.54 or 192.168.11.254
  • Please run the following:
packet-tracer input outside tcp 8.8.8.8 1025 [outside interface IP] 55055 detailed

And paste the complete results here, also let me know the ASA software version you are running.

Regards!


Hi,

Thank you for the answer!

The ASA version is 9.1(5), ASDM 7.1(6).

The host is 192.168.11.254, not 192.168.11.54 (sorry my mistake).

This is the output:

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0xcbe9dfc8, priority=1, domain=permit, deny=false
hits=166471376, user_data=0x0, cs_id=0x0, l3_type=0x8
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0100.0000.0000
input_ifc=outside, output_ifc=any

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in MY_EXTERNAL_IP 255.255.255.255 identity

Phase: 3
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xcb778620, priority=0, domain=nat-per-session, deny=false
hits=6388618, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=any, output_ifc=any

Phase: 4
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0xcbe9ec08, priority=0, domain=permit, deny=true
hits=109852, user_data=0x9, cs_id=0x0, use_real_addr, flags=0x1000, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=outside, output_ifc=any

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

Why does the ASA say "flow is denied by configured rule" in phase 4?

Thanks!


In this version, the NAT should be hit before the ACL, and I am not seeing it being hit.

Please share with me the show run nat and show run access-group outputs.


ASA# show run nat
nat (inside,outside) source static any any destination static NETWORK_OBJ_172.31.254.128_25 NETWORK_OBJ_172.31.254.128_25 no-proxy-arp route-lookup
nat (inside,outside) source static Inside Inside destination static NETWORK_OBJ_10.1.1.0_24 NETWORK_OBJ_10.1.1.0_24 no-proxy-arp
nat (inside,outside) source dynamic inside-networkNEW interface
nat (inside,outsidebackup) source static inside-networkNEW inside-networkNEW destination static remote-networkNEW remote-networkNEW
nat (inside,outsideBackup) source dynamic inside-networkNEW interface
nat (inside,outsideBackup) source static any any destination static NETWORK_OBJ_172.31.254.128_25 NETWORK_OBJ_172.31.254.128_25 no-proxy-arp route-lookup
!
object network Inside
nat (inside,outside) dynamic interface
object network drytek
nat (inside,outsideBackup) static 172.31.254.253
object network Rete_HD
nat (inside,outside) dynamic interface
object network RETE_172.16.0.0
nat (inside,outside) dynamic interface
object network Guest_Client
nat (GUEST,outside) dynamic interface
object network Viostor
nat (inside,outside) static interface service tcp www 55055

ASA# show run access-group
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
access-group outsidebackup_access_in in interface outsideBackup
access-group GUEST_access_in in interface GUEST


Hi;

Your issue is that the ACL is dropping your packet; this is also verified via packet tracer.

You need to modify the ACL and allow the outside users to hit your public IP on port 55055:

access-list outside_access_in line 9 extended permit tcp any host <EXTERNAL_IP> eq 55055

As a packet flows through an ASA firewall it always checks the ACL first, then goes to the NAT statement.

Thanks & Best regards;


Nope..

Same issue..


Hi;

Either modify the existing line 9 or insert a new line that allows users to access your external IP on port 55055.

Thanks & Best regards;


Nope..

Same issue..

Accepted Solution

Ahmed, thanks for your replies... however you are missing an important thing (the ASA software version). Packet tracer is showing that NAT is not being hit, and on this software version the ACL does not use the external/mapped IP but the real IP instead.

s.be00001, please do the following:

object service 55055
 service tcp source eq 55055
object service www
 service tcp source eq www
!
nat (inside,outside) 1 source static Viostor interface service www 55055
!
access-list outside_access_in line 9 extended permit tcp any object Viostor eq www

Run the packet-tracer again and send us the results:

packet-tracer input outside tcp 8.8.8.8 1025 [outside interface IP] 55055 detailed


ASA# packet-tracer input outside tcp 8.8.8.8 1025 MY_EXTERNAL_IP 55055 detailed

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0xcbe9dfc8, priority=1, domain=permit, deny=false
hits=239250585, user_data=0x0, cs_id=0x0, l3_type=0x8
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0100.0000.0000
input_ifc=outside, output_ifc=any

Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside,outside) source static Viostor interface service www 55055
Additional Information:
NAT divert to egress interface inside
Untranslate MY_EXTERNAL_IP/55055 to 192.168.11.54/80

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside_access_in in interface outside
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 any object-group DM_INLINE_NETWORK_2
object-group service DM_INLINE_SERVICE_1
service-object icmp
service-object gre
service-object tcp destination eq pptp
object-group network DM_INLINE_NETWORK_2
network-object 192.168.0.0 255.255.0.0
network-object object Rete_HD
network-object object RETE_172.16.0.0
Additional Information:
Forward Flow based lookup yields rule:
in id=0xcbfa2790, priority=13, domain=permit, deny=false
hits=0, user_data=0xc9e5c4a0, cs_id=0x0, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=192.168.0.0, mask=255.255.0.0, port=80, tag=0, dscp=0x0
input_ifc=outside, output_ifc=any

Phase: 4
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside,outside) source static Viostor interface service www 55055
Additional Information:
Static translate 8.8.8.8/1025 to 8.8.8.8/1025
Forward Flow based lookup yields rule:
in id=0xcd7918c0, priority=6, domain=nat, deny=false
hits=0, user_data=0xcd792200, cs_id=0x0, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=MY_EXTERNAL_IP, mask=255.255.255.255, port=55055, tag=0, dscp=0x0
input_ifc=outside, output_ifc=inside

Phase: 5
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xcb778620, priority=0, domain=nat-per-session, deny=false
hits=9393297, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=any, output_ifc=any

Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xcbea3c10, priority=0, domain=inspect-ip-options, deny=true
hits=11281329, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=outside, output_ifc=any

Phase: 7
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect http
service-policy global_policy global
Additional Information:
Forward Flow based lookup yields rule:
in id=0xcd8aeda8, priority=70, domain=inspect-http, deny=false
hits=1408694, user_data=0xcd8ad6a8, cs_id=0x0, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=80, tag=0, dscp=0x0
input_ifc=outside, output_ifc=any

Phase: 8
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xcc87ca40, priority=13, domain=ipsec-tunnel-flow, deny=true
hits=136477, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=outside, output_ifc=any

Phase: 9
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (inside,outside) source static Viostor interface service www 55055
Additional Information:
Forward Flow based lookup yields rule:
out id=0xcd782960, priority=6, domain=nat-reverse, deny=false
hits=1, user_data=0xcd792148, cs_id=0x0, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=192.168.11.54, mask=255.255.255.255, port=80, tag=0, dscp=0x0
input_ifc=outside, output_ifc=inside

Phase: 10
Type: USER-STATISTICS
Subtype: user-statistics
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
out id=0xcef66280, priority=0, domain=user-statistics, deny=false
hits=11182223, user_data=0xcddb8bb8, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=any, output_ifc=inside

Phase: 11
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0xcb778620, priority=0, domain=nat-per-session, deny=false
hits=9393299, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=any, output_ifc=any

Phase: 12
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0xcbe7a1f0, priority=0, domain=inspect-ip-options, deny=true
hits=11190843, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=inside, output_ifc=any

Phase: 13
Type: USER-STATISTICS
Subtype: user-statistics
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
out id=0xcef66cd8, priority=0, domain=user-statistics, deny=false
hits=11258692, user_data=0xcddb8bb8, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=any, output_ifc=outside

Phase: 14
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 11587603, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_inspect_http
snp_fp_translate
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Module information for reverse flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_tcp_normalizer
snp_fp_inspect_http
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: allow


Great! So now the results are different and traffic is allowed. Could you please confirm this with real traffic?

Finally, if you think this issue has been solved, please mark useful answers.

Thanks! :)


Thanks but still not working.

Same issue: The ASA does not have UDP server that services the UDP request

Very sad...


Hi,

Now there is a little bit of confusion. On one side you are asking about allowing traffic from an external IP to TCP port 55055, and that traffic is allowed (packet tracer output); on the other side your traffic is denied because there is no UDP server to service the UDP request.

Can you ask your application team and get more detail information about your application behavior?

Thanks & Best regards


I agree with Ahmed: is this UDP or TCP traffic? It is not the same. Packet-tracer was used to test TCP traffic, not UDP.

Now, if you are not sure of this...

  1. Place a capture on the outside interface:
capture outside interface outside match tcp any host [Outside interface IP] eq 55055
capture outside match udp any host [Outside interface IP] eq 55055

  2. Read the captures and copy the output to paste the results here.

show capture outside