07-23-2013 07:58 AM - edited 03-10-2019 12:04 AM
Hi.
I have a mail_server = 192.168.0.1 in my dmz, which is available from inet by the smtp protocol.
inet = 9.9.9.9
object network nat__smtpServer
host 192.168.0.1
nat (dmz,inet) static interface service tcp smtp smtp
In this way every source from inet (including 1.1.1.1) can initiate a connection to our mail_server.
If we add a twice NAT:
nat (inside,inet) source dynamic monitor_Admin2 interface destination static Servers_L Servers_L
object-group network monitor_Admin2
network-object host 172.1.1.37
object-group network Servers_L
network-object host 1.1.1.1
In this way every source from inet (EXCEPT 1.1.1.1) can initiate a connection to our mail_server.
%ASA-7-710005: TCP request discarded from 10.1.1.1/54616 to inet:9.9.9.9/25
packet-tracer input inet tcp 10.1.1.1 5346 9.9.9.9 25
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 9.9.9.9 255.255.255.255 identity
Phase: 2
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Result:
input-interface: inet
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
Any ideas?
07-23-2013 09:05 PM
Hi,
What you are telling the twice NAT is that when 172.1.1.37 (located on the inside) wants to reach 1.1.1.1
nat (inside,inet) source dynamic monitor_Admin2 interface destination static Servers_L Servers_L
Another point is that a packet-tracer with the interface IP address will fail since it is an NPI connection.
If what you want is to
HTH
Luis Silva
"If you need PDI (Planning, Design, Implement) assistance feel free to reach"
http://www.cisco.com/web/partners/tools/pdihd.html
07-24-2013 12:20 AM
Thanks.
I solved the issue by moving nat (inside,inet) source dynamic monitor_Admin2 interface destination static Servers_L Servers_L
to the 3rd section:
nat (inside,inet) after-auto 3 source dynamic monitor_Admin2 interface destination static Servers_L Servers_L
packet-tracer input inet tcp 10.1.1.1 5346 9.9.9.9 25
Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fff2bccd960, priority=13, domain=capture, deny=false
hits=26865, user_data=0x7fff2b6cf890, cs_id=0x0, l3_type=0x0
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0000.0000.0000
input_ifc=inside, output_ifc=any
Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fff2a3d1ea0, priority=1, domain=permit, deny=false
hits=818, user_data=0x0, cs_id=0x0, l3_type=0x8
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0100.0000.0000
input_ifc=inside, output_ifc=any
Phase: 3
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside,inet) after-auto source dynamic monitor_Admin2 interface destination static Servers_L Servers_L
Additional Information:
NAT divert to egress interface Ine-FCS
Untranslate 1.1.1.1/22 to 1.1.1.1/22
Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside_in in interface inside
access-list inside_in extended permit tcp object-group monitor_Admin2 object-group Servers_L eq ssh
object-group network monitor_Admin2
group-object monitor_Admin1
network-object host 172.1.1.37
group-object OurServers_Dev&Test
object-group network Servers_L
network-object host 1.1.1.1
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fff2bfaa2b0, priority=13, domain=permit, deny=false
hits=1, user_data=0x7fff234a7a00, cs_id=0x0, use_real_addr, flags=0x0, protocol=6
src ip/id=172.1.1.37, mask=255.255.255.255, port=0, tag=0
dst ip/id=1.1.1.1, mask=255.255.255.255, port=22, tag=0 dscp=0x0
input_ifc=inside, output_ifc=any
Phase: 5
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside,Ine-FCS) after-auto source dynamic monitor_Admin2 interface destination static Servers_L Servers_L
Additional Information:
Dynamic translate 172.1.1.37/344 to 9.9.9.9/344
Forward Flow based lookup yields rule:
in id=0x7fff2b3fced0, priority=6, domain=nat, deny=false
hits=1, user_data=0x7fff2a56be30, cs_id=0x0, flags=0x0, protocol=0
src ip/id=172.1.1.37, mask=255.255.255.255, port=0, tag=0
dst ip/id=1.1.1.1, mask=255.255.255.255, port=0, tag=0 dscp=0x0
input_ifc=inside, output_ifc=inet
Phase: 6
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fff29f83190, priority=1, domain=nat-per-session, deny=true
hits=2357435, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0 dscp=0x0
input_ifc=any, output_ifc=any
Phase: 7
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fff2a3dae70, priority=0, domain=inspect-ip-options, deny=true
hits=1002, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0 dscp=0x0
input_ifc=inside, output_ifc=any
Phase: 8
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (inside,inet) after-auto source dynamic monitor_Admin2 interface destination static Servers_L Servers_L
Additional Information:
Forward Flow based lookup yields rule:
out id=0x7fff2b5cfb30, priority=6, domain=nat-reverse, deny=false
hits=2, user_data=0x7fff2c6f1cc0, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=172.1.1.37, mask=255.255.255.255, port=0, tag=0
dst ip/id=1.1.1.1, mask=255.255.255.255, port=0, tag=0 dscp=0x0
input_ifc=inside, output_ifc=inet
Phase: 9
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0x7fff29f83190, priority=1, domain=nat-per-session, deny=true
hits=2357437, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0 dscp=0x0
input_ifc=any, output_ifc=any
Phase: 10
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0x7fff2a2d9790, priority=0, domain=inspect-ip-options, deny=true
hits=1037309, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0 dscp=0x0
input_ifc=Ine-FCS, output_ifc=any
Phase: 11
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 1331991, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_translate
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat
Module information for reverse flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_tcp_normalizer
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: inet
output-status: up
output-line-status: up
Action: allow
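To compare traces like the two above by script (for example, to confirm after moving a rule that the object NAT is no longer shadowed and the flow no longer ends in the implicit ACL drop), here is an added Python parser that is not part of this thread. It assumes the line layout shown here (Phase:/Type:/Subtype:/Result: headers, then Config: and Additional Information: sections, and a bare Result: summary at the end); the embedded sample is a constructed, abridged copy of the first trace.

```python
# Constructed sample: abridged from the first packet-tracer run in the thread,
# where the flow to the interface address ends in the implicit ACL drop.
SAMPLE_TRACE = """\
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 9.9.9.9 255.255.255.255 identity
Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Result:
input-interface: inet
output-interface: NP Identity Ifc
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

def parse_trace(text):
    """Split packet-tracer output into per-phase dicts plus the final Result summary."""
    phases, summary, cur, sect = [], {}, None, None
    for line in text.splitlines():
        if line.startswith("Phase:"):
            cur = {"phase": int(line[6:]), "config": [], "info": []}
            phases.append(cur)
            sect = None
        elif line == "Result:":                 # bare "Result:" opens the summary block
            cur = None
        elif line in ("Config:", "Additional Information:"):
            sect = "config" if line == "Config:" else "info"
        elif cur is not None and sect:          # free-form lines under Config:/Additional Information:
            cur[sect].append(line)
        elif ":" in line:                       # "Key: value" phase header or summary line
            k, v = line.split(":", 1)
            (summary if cur is None else cur)[k.strip().lower()] = v.strip()
    return phases, summary

def first_drop(text):
    """Return (phase type, config lines, drop reason) for the first DROP phase, else None."""
    phases, summary = parse_trace(text)
    for p in phases:
        if p.get("result") == "DROP":
            return p["type"], p["config"], summary.get("drop-reason")
    return None

if __name__ == "__main__":
    print(first_drop(SAMPLE_TRACE))
```

Run it on the saved output of each packet-tracer; a None from first_drop together with the expected UN-NAT phase in parse_trace is the quick sign that the NAT section change took effect.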
07-24-2013 08:59 AM
Great!
Luis Silva
"If you need PDI (Planning, Design, Implement) assistance feel free to reach"
http://www.cisco.com/web/partners/tools/pdihd.html