Unable to configure ASA PAT with static NAT on v8.3+

George Mason
Level 1

I am trying to make sense of the changes that Cisco has made to NAT on ASA > v8.3. I have a network which is being PAT'd to the outside interface address, and want to add a static NAT from the outside interface IP to a specific inside host.

The relevant bits of the config look like this:

object network SERVER1
 host 192.168.128.7
 description INTERNAL SERVER
object service SERVER1-TCP-6000
 service tcp destination eq 6000
access-list OUTSIDE-IN extended permit tcp object-group REMOTE-ACCESS object SERVER1 eq 6000 log emergencies
nat (INSIDE,OUTSIDE) source dynamic INSIDE-NET interface
nat (INSIDE,OUTSIDE) source static SERVER1 interface service SERVER1-TCP-6000 SERVER1-TCP-6000

Testing from addresses in REMOTE-ACCESS fails and packet tracer output shows the traffic is dropped:

fw1# packet-tracer input OUTSIDE tcp 1.1.1.2 1076 10.1.1.20 6000 detailed

Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop ROUTER1.EXAMPLE.COM using egress ifc  identity

Phase: 2
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7f2e212c9870, priority=0, domain=nat-per-session, deny=false
    hits=30107923, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
    src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
    dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
    input_ifc=any, output_ifc=any

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7f2e2c881270, priority=0, domain=permit, deny=true
    hits=4957308, user_data=0xa, cs_id=0x0, use_real_addr, flags=0x1000, protocol=0
    src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
    dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
    input_ifc=OUTSIDE, output_ifc=any

Result:
input-interface: OUTSIDE
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

I find the new NAT config very confusing so grateful to anyone who could show me what I am missing here.

3 Replies

jlkeys
Level 1

Your NAT statement looks good to me, but you may need to change the order so the dynamic statement will happen last (the rules are processed from the top down):


nat (INSIDE,OUTSIDE) source static SERVER1 interface service SERVER1-TCP-6000 SERVER1-TCP-6000

nat (INSIDE,OUTSIDE) source dynamic INSIDE-NET interface

Also the service objects need to be for source port (not destination).

Hi,

Thanks for your post - can you elaborate on your comments about the ports? Under normal circumstances I would always describe the traffic in terms of the destination port, i.e. from an OUTSIDE -> INSIDE perspective.

Are you saying that I have to create the NAT the other way around, and describe the traffic in terms of the source port that the server will respond from? This seems an odd way to do things but may be where I'm going wrong. I have tried changing the order of the rules to no avail.

Many thanks

George

You're creating the NAT for the source on port tcp/6000, so the service object would need to be set to source instead of destination:

object service SERVER1-TCP-6000

 service tcp source eq 6000

nat (INSIDE,OUTSIDE) source static SERVER1 interface service SERVER1-TCP-6000 SERVER1-TCP-6000

Give that a try and see if it will work (you may have to issue a clear xlate to clear the cache).
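To make the point about the service object concrete, here is an added simplified model of the inbound lookup, written for this thread and not Cisco's implementation: with a destination-port service object the static rule never untranslates the packet from the packet-tracer, so the ACL, which on 8.3+ is written against real addresses, still sees 10.1.1.20 and falls through to the implicit deny, while the source-port version untranslates it to SERVER1. It assumes 10.1.1.20 is the OUTSIDE interface address and uses a constructed 1.1.1.0/24 as a stand-in for object-group REMOTE-ACCESS.

```python
# Simplified model of how an ASA 8.3+ manual NAT rule with a 'service' clause matches an
# inbound flow, and why the ACL afterwards sees the real address.  Added illustration for
# this thread, not Cisco code; semantics are an assumption limited to what the replies say.
# 10.1.1.20 (the packet-tracer destination) is assumed to be the OUTSIDE interface address.
from collections import namedtuple
from dataclasses import dataclass
from typing import Optional, Tuple
from ipaddress import ip_address, ip_network

OUTSIDE_IF_IP = "10.1.1.20"      # what the 'interface' keyword resolves to (assumed)
SERVER1 = "192.168.128.7"        # object network SERVER1
REMOTE_ACCESS = ["1.1.1.0/24"]   # constructed stand-in for object-group REMOTE-ACCESS

Packet = namedtuple("Packet", "src_ip src_port dst_ip dst_port")

@dataclass(frozen=True)
class StaticSourceNat:
    """nat (INSIDE,OUTSIDE) source static <real> interface service <svc> <svc>"""
    real_ip: str
    mapped_ip: str
    svc_direction: str   # 'source' or 'destination', as written in the object service
    port: int
    def untranslate(self, pkt: Packet) -> Optional[Packet]:
        # Inbound traffic is matched against the rule in reverse.  The service object's
        # *source* port belongs to the source object (SERVER1), i.e. the inbound packet's
        # destination; a *destination* port needs a destination object, which this rule lacks.
        if self.svc_direction != "source":
            return None
        if pkt.dst_ip == self.mapped_ip and pkt.dst_port == self.port:
            return pkt._replace(dst_ip=self.real_ip)
        return None

def outside_in_acl(pkt: Packet) -> bool:
    # access-list OUTSIDE-IN ... permit tcp object-group REMOTE-ACCESS object SERVER1 eq 6000
    # On 8.3+ the ACL is written with real addresses, so it is evaluated after untranslation.
    src_ok = any(ip_address(pkt.src_ip) in ip_network(n) for n in REMOTE_ACCESS)
    return src_ok and pkt.dst_ip == SERVER1 and pkt.dst_port == 6000

def trace(rule: StaticSourceNat, pkt: Packet) -> Tuple[str, str]:
    """Condensed packet-tracer: (action, destination address the ACL was checked against)."""
    real = rule.untranslate(pkt) or pkt          # no NAT match: address stays as received
    return ("ALLOW" if outside_in_acl(real) else "DROP (acl-drop)", real.dst_ip)

INBOUND = Packet("1.1.1.2", 1076, OUTSIDE_IF_IP, 6000)   # the packet-tracer input
AS_POSTED = StaticSourceNat(SERVER1, OUTSIDE_IF_IP, "destination", 6000)
AS_SUGGESTED = StaticSourceNat(SERVER1, OUTSIDE_IF_IP, "source", 6000)

if __name__ == "__main__":
    print("destination eq 6000:", trace(AS_POSTED, INBOUND))    # ('DROP (acl-drop)', '10.1.1.20')
    print("source eq 6000:     ", trace(AS_SUGGESTED, INBOUND)) # ('ALLOW', '192.168.128.7')
```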
