05-03-2016 09:34 AM - edited 03-12-2019 12:41 AM
I am trying to make sense of the changes that Cisco has made to NAT on ASA > v8.3. I have a network which is being PAT'd to the outside interface address, and want to add a static NAT from the outside interface IP to a specific inside host.
The relevant bits of the config look like this:
object network SERVER1
host 192.168.128.7
description INTERNAL SERVER
object service SERVER1-TCP-6000
service tcp destination eq 6000
access-list OUTSIDE-IN extended permit tcp object-group REMOTE-ACCESS object SERVER1 eq 6000 log emergencies
nat (INSIDE,OUTSIDE) source dynamic INSIDE-NET interface
nat (INSIDE,OUTSIDE) source static SERVER1 interface service SERVER1-TCP-6000 SERVER1-TCP-6000
Testing from addresses in REMOTE-ACCESS fails, and packet-tracer output shows the traffic being dropped:
fw1# packet-tracer input OUTSIDE tcp 1.1.1.2 1076 10.1.1.20 6000 detailed
Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop ROUTER1.EXAMPLE.COM using egress ifc identity
Phase: 2
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7f2e212c9870, priority=0, domain=nat-per-session, deny=false
hits=30107923, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=any, output_ifc=any
Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7f2e2c881270, priority=0, domain=permit, deny=true
hits=4957308, user_data=0xa, cs_id=0x0, use_real_addr, flags=0x1000, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=OUTSIDE, output_ifc=any
Result:
input-interface: OUTSIDE
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
I find the new NAT config very confusing, so I would be grateful to anyone who could show me what I am missing here.
05-03-2016 10:44 AM
Your NAT statement looks good to me, but you may need to change the order so the dynamic statement will happen last (the rules are processed from the top down):
nat (INSIDE,OUTSIDE) source static SERVER1 interface service SERVER1-TCP-6000 SERVER1-TCP-6000
nat (INSIDE,OUTSIDE) source dynamic INSIDE-NET interface
Also, the service object needs to be for the source port (not the destination).
05-03-2016 01:16 PM
Hi,
Thanks for your post. Can you elaborate on your comments about the ports? Under normal circumstances I would always describe the traffic in terms of the destination port, i.e. from an OUTSIDE -> INSIDE perspective.
Are you saying that I have to create the NAT the other way around, and describe the traffic in terms of the source port that the server will respond from? This seems an odd way to do things, but it may be where I'm going wrong. I have tried changing the order of the rules to no avail.
Many thanks
George
05-03-2016 01:23 PM
You're creating the NAT for the source on port tcp/6000, so the service object would need to be set to source instead of destination:
object service SERVER1-TCP-6000
service tcp source eq 6000
nat (INSIDE,OUTSIDE) source static SERVER1 interface service SERVER1-TCP-6000 SERVER1-TCP-6000
Give that a try and see if it will work (you may have to issue a clear xlate to clear the cache).
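Pulling the two replies together (the rule order from the first reply and the source-port service object from the second), the following is a complete arrangement of the objects and rules discussed in this thread. It is an added example, not the original poster's configuration. INSIDE-NET and REMOTE-ACCESS are the names used in the thread but their members are assumed to be defined already; the OUTSIDE interface address is assumed to be 10.1.1.20, the address the packet-tracer test above targets; and the access-group line is assumed, since the thread does not show it. For reference, the packet-tracer output above is the classic signature of a manual NAT rule that never matched: there is no UN-NAT phase, the egress interface resolves to "identity" (the packet is addressed to the firewall's own interface IP and nothing untranslates it), and the ACCESS-LIST phase drops on the implicit deny because post-8.3 ACLs are evaluated against the real address 192.168.128.7, which the still-untranslated packet does not carry.

```cisco
! Added example, not the original poster's config.
! Assumed: INSIDE-NET and REMOTE-ACCESS are already defined, the OUTSIDE
! interface address is 10.1.1.20, and OUTSIDE-IN is applied inbound on OUTSIDE.

object network SERVER1
 host 192.168.128.7
 description INTERNAL SERVER

! The port in the service object is the SOURCE port. In twice NAT the
! "service real mapped" clause translates the port of the real SOURCE host
! (SERVER1), so an object written as "destination eq 6000" never matches
! and inbound packets to the interface address are left untranslated.
object service SERVER1-TCP-6000
 service tcp source eq 6000

! Section 1 (manual) rules are evaluated top-down, first match wins:
! the specific static PAT goes first, the catch-all dynamic PAT last.
! Only tcp/6000 on the interface address is claimed by the static rule;
! every other port keeps working for the outbound dynamic PAT.
nat (INSIDE,OUTSIDE) source static SERVER1 interface service SERVER1-TCP-6000 SERVER1-TCP-6000
nat (INSIDE,OUTSIDE) source dynamic INSIDE-NET interface

! Post-8.3 ACLs name the real (untranslated) address, so the rule permits
! traffic to SERVER1, not to the interface IP, and stays scoped to the
! REMOTE-ACCESS group rather than "any".
access-list OUTSIDE-IN extended permit tcp object-group REMOTE-ACCESS object SERVER1 eq 6000 log emergencies
access-group OUTSIDE-IN in interface OUTSIDE
```

To verify, clear existing translations and re-run the same packet-tracer test from the thread (assumed source 1.1.1.2 is a member of REMOTE-ACCESS): `clear xlate`, then `packet-tracer input OUTSIDE tcp 1.1.1.2 1076 10.1.1.20 6000 detailed`. A working rule shows a Type: UN-NAT, Subtype: static phase untranslating 10.1.1.20/6000 to 192.168.128.7/6000 before the ACCESS-LIST phase, the egress interface becomes INSIDE instead of "NP Identity Ifc", and `show nat detail` shows the translate_hits and untranslate_hits counters on the static rule incrementing. Note that a bare `clear xlate` drops every active translation on the box, including the live PAT sessions of INSIDE-NET, so on a production firewall do it in a maintenance window or scope it with the command's interface and address options.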