01-15-2019 07:23 PM - edited 02-21-2020 08:40 AM
Hi guys, I'm facing a tricky NAT issue here, it's quite strange....
Here is the story:
We have a subnet 192.168.2.0/24 and have 2 public IPs on an ASA (9.1).
The whole subnet is dynamic NATed to the outside interface.
Now I want to add a static NAT for one internal IP to another public IP.
Below is the config:
-----------------------------------------------------------------------------------------------
object network inside192.168.2.0
subnet 192.168.2.0 255.255.255.0
nat (inside,outside) source dynamic inside192.168.2.0 interface
object network smartproxy
host 192.168.2.100
nat (inside,outside) static my-public-IP
access-list outside_access_in extended permit tcp any object smartproxy range 800 899
----------------------------------------------------------------------------------------------
What I expect is:
All the internal hosts except smartproxy (192.168.2.100) will use the interface public IP. (working fine)
smartproxy will use my-public-IP to access the internet (not working, it is still using the interface public IP)
External hosts can access smartproxy TCP ports 800-899 via my-public-IP (working fine)
Then I tried packet-tracer, and I found it hit the dynamic NAT rule:
Phase: 3
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside,outside) source dynamic inside192.168.2.0 interface
Additional Information:
Dynamic translate 192.168.2.100/1234 to xxxxx/80
So, I tried to add the config below:
nat (inside,outside) source static smartproxy smartproxy destination static my-public-IP my-public-IP
But nothing changed, it still does not work.
I have done NAT many times on version 9.4 and it worked every time, this is really tricky, I have no idea why... can anyone help?
Thanks!!!!
BTW, I found some strange config, not sure whether it has an impact or not:
nat (inside,outside) source static inside192.168.2.0 inside192.168.2.0 destination static inside192.168.2.0 inside192.168.2.0
01-17-2019 01:01 AM - edited 01-17-2019 01:15 AM
Yes, I said to remove this command
object network smartproxy
no nat (inside,outside) static my-public-ip
!
So the right order to remove this command will be 'no object network smartproxy'. The reason
I said that was, you already have this command
!
object network inside192.168.2.0
subnet 192.168.2.0 255.255.255.0
nat (inside,outside) source dynamic inside192.168.2.0 interface
!
So if you put the above smartproxy command it won't work. For the smart-proxy to work you have to give
this command.
!
object network smartproxy
host 192.168.2.100
!
object network my-public-IP
host x.x.x.x
!
nat (inside,outside) 1 source static smartproxy smartproxy destination static my-public-IP my-public-IP
!
Then test it.
01-16-2019 12:22 AM - edited 01-16-2019 03:59 AM
Try this:
object network smartproxy
host 192.168.2.100
nat (inside,outside) static my-public-IP (Take this off)
!
nat (inside,outside) 1 source static smartproxy smartproxy destination static my-public-IP my-public-IP
Also, I noted in your packet-tracer you are tracing
192.168.2.100/1234 to xxxxxx/80
Was this not supposed to be 8.8.8.8/80 -----> 192.168.2.100 range 800-899, not 1234?
Try this:
packet-tracer input outside tcp 8.8.8.8 80 192.168.2.100 800 detailed
Let me know how it goes.
-----------------------------------------------------------------------------
BTW, I found some strange config, not sure whether it has an impact or not:
nat (inside,outside) source static inside192.168.2.0 inside192.168.2.0 destination static inside192.168.2.0 inside192.168.2.0
This above rule does not make sense, as you already have a rule for subnet 192.168.2.0 in NAT section 2, so this above rule can be removed.
------------------------------------------------------------------------------
On a side note, I was thinking of doing a port range in NAT, but the version you are running is hitting a bug, CSCud70110.
01-16-2019 05:52 PM - edited 01-16-2019 05:55 PM
1. I tried removing the config below, but it got even worse:
object network smartproxy
no nat (inside,outside) static my-public-ip
After that, I can't telnet from outside to my-public-ip (NATed to inside 192.168.2.100 port 801).
Then I ran the packet tracer:
packet-tracer input outside tcp 8.8.8.8 80 192.168.2.100 801 detailed
Phase: 6
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
nat (inside,outside) source dynamic inside192.168.2.0 interface
Additional Information:
Forward Flow based lookup yields rule:
out id=0x7fff2a70d750, priority=6, domain=nat-reverse, deny=false
hits=26202, user_data=0x7fff2086f400, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=192.168.2.0, mask=255.255.255.0, port=0, tag=0, dscp=0x0
input_ifc=outside, output_ifc=inside
-----------------------------------------------------
So I added the config again:
object network smartproxy
nat (inside,outside) static my-public-ip
Then I was able to telnet from outside to my-public-ip (NATed to inside 192.168.2.100 port 801).
BUT! Although I can telnet to port 801, the packet tracer result is still DROP, strange!
packet-tracer input outside tcp 8.8.8.8 80 192.168.2.100 801 detailed
The packet tracer result told me drop, but actually it's "allow".
--------------------------------------------------------------------------------------
You said the config below does not make sense:
nat (inside,outside) source static inside192.168.2.0 inside192.168.2.0 destination static inside192.168.2.0 inside192.168.2.0
But I think it doesn't matter, it does not impact the config, so I will keep it.
Below is the NAT for the whole subnet, for your reference:
02-12-2019 05:34 PM
Sorry for the late reply, I fixed my issue by:
no nat (inside,outside) source dynamic inside192.168.2.0 interface
object network inside192.168.2.0
subnet 192.168.2.0 255.255.255.0
nat (inside,outside) dynamic interface
Then the NAT does what I expect.
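Why the packet-tracer in the first post hit the dynamic rule, and why rewriting the subnet rule as object NAT fixed it, comes down to ASA NAT rule ordering: section 1 (manual "twice" NAT, written as "nat (inside,outside) source ...") is checked first in configuration order, then section 2 (object NAT, where static rules sort before dynamic ones and longer prefixes before shorter), then section 3 (after-auto manual NAT). The original dynamic subnet rule lived in section 1, so it matched 192.168.2.100 before the section-2 static object rule was ever consulted. The Python below is an added example written for this thread, not code from the thread, from Cisco, or from the ASA; it models only source-address matching (it ignores the destination conditions that twice NAT can carry), and the rule names, "interface" and "my-public-IP" are placeholder strings constructed from the thread's config.

```python
"""Minimal model of ASA (8.3+) NAT rule selection for an outbound lookup.

Added example, constructed for this thread. It encodes the documented rule
ordering only: section 1 manual NAT in configured order, section 2 object NAT
sorted static-before-dynamic then longest prefix, section 3 after-auto manual
NAT. Rule names and mapped values below are placeholders.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class NatRule:
    name: str                 # label for this rule (constructed for the example)
    section: int              # 1 = manual NAT, 2 = object NAT, 3 = after-auto manual NAT
    real_source: IPv4Network  # packets whose source is inside this network match
    kind: str                 # "static" or "dynamic"
    mapped: str               # what the source is translated to (placeholder string)
    order: int = 0            # configuration order; decides ties in sections 1 and 3


def section2_key(rule: NatRule):
    """Object NAT (section 2) ordering: static before dynamic, longer prefix
    first, then lower real address, then object name alphabetically."""
    return (
        0 if rule.kind == "static" else 1,
        -rule.real_source.prefixlen,
        int(rule.real_source.network_address),
        rule.name,
    )


def lookup(rules, src) -> Optional[NatRule]:
    """Return the NAT rule an outbound packet from `src` would hit, or None."""
    src_ip = ip_address(src)
    for section in (1, 2, 3):
        hits = [r for r in rules if r.section == section and src_ip in r.real_source]
        if not hits:
            continue  # nothing for this source in this section, fall through
        hits.sort(key=section2_key if section == 2 else (lambda r: r.order))
        return hits[0]  # first match in the first section that has one wins
    return None


def mapped_for(rules, src) -> Optional[str]:
    """Convenience wrapper: the mapped address string a host would leave with."""
    rule = lookup(rules, src)
    return None if rule is None else rule.mapped


SUBNET = ip_network("192.168.2.0/24")
SMARTPROXY = ip_network("192.168.2.100/32")

# Original config from the first post: the subnet rule is manual NAT (section 1)
# because it was written as "nat (inside,outside) source dynamic ... interface";
# the smartproxy rule is object NAT (section 2).
ORIGINAL = [
    NatRule("manual-dynamic-subnet", 1, SUBNET, "dynamic", "interface", order=1),
    NatRule("object-static-smartproxy", 2, SMARTPROXY, "static", "my-public-IP"),
]

# Fix from the last post: the subnet rule rewritten under "object network", so
# both rules are in section 2 and the static /32 sorts ahead of the dynamic /24.
FIXED = [
    NatRule("object-dynamic-subnet", 2, SUBNET, "dynamic", "interface"),
    NatRule("object-static-smartproxy", 2, SMARTPROXY, "static", "my-public-IP"),
]


if __name__ == "__main__":
    for label, rules in (("original", ORIGINAL), ("fixed", FIXED)):
        for host in ("192.168.2.100", "192.168.2.50"):
            rule = lookup(rules, host)
            print(f"{label:8} {host:15} -> {rule.name} ({rule.mapped})")
```

Running it shows 192.168.2.100 translated to "interface" under ORIGINAL (the Phase 3 result in the first post) and to "my-public-IP" under FIXED, while other hosts in the subnet still use "interface" in both layouts. The same ordering explains the answerer's alternative of giving a manual rule position 1: within section 1 only configuration order decides, so a rule placed first is evaluated before the dynamic subnet rule.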