ASA5505 & Cisco Router 3825 - Double NAT w/ Port Forward

Techi3Rebel (Level 1)

I have been brainstorming over this for a few days and need help. This is my Cisco LAB environment, used for study but also in production for daily use. I am trying to set up a double-NAT network with just one IP from my ISP through the ASA & 3825 going to (2) end nodes and multiple ports for port forwarding. It is currently working, but only as simple PAT, and I cannot initiate FTP from the outside. I know some may suggest removing the router, but this is my study LAB and it's a bit unconventional for learning purposes. I attached the diagram and would really appreciate it if you could provide some pointers, tips, or parts of the config. I have done quite a bit of reading on different forums but cannot seem to grasp the concept. Thank you. [Attached diagram: MK_Double_NAT.jpg]

16 Replies

blau grana (Level 7)

Hello,

Have you configured static port forward for FTP port?

Best Regards

Please rate all helpful posts and close solved questions


Hello, and thanks for replying. I know I will need different types of NAT but I'm uncertain on how to accomplish that. For instance, if I work with just port 2222 going to my NAS at 192.168.1.60, at the ASA, do I create a static NAT from 24.x.x.x to a (made up) IP of 10.1.1.60, and then at the Router, do I take that 10.1.1.60 and static NAT to 192.168.1.60?

Does that make sense? Do I have to perform the same type of static NAT for all destinations and ports and also have a dynamic NAT pool for the PAT?

Hello,

As you wrote, that is one way to accomplish it -> you have to configure a static port forward on both the ASA and the 3845.

Or you can perform NAT only on the ASA, so you configure a port forward -> 24.x.x.x 21 192.168.1.x 21. But make sure that the ASA has a route to the 192.168.1.0/24 network.

You have to choose one of these possibilities and perform a static port forward for each service which you want to have reachable from the internet. Additionally, you have to configure PAT for the LAN hosts to be able to access the internet.

Best Regards

Please rate all helpful posts and close solved questions


Sorry that it took me so long to reply but I finally had time to play with this. I took your suggestion but I'm still not doing something correctly.

This is the error in the log:

Failed to locate egress interface for TCP from inside:10.1.1.1/16362 to 24.xx.xx.xx/2222

Please take a look at the following config from the ASA;

FF(config)# sho run object
object network DNAT_3825
object network INTERNAL_LAN
 subnet 10.1.1.0 255.255.255.224
object network NAS_SFTP
 host 192.168.1.60
 description NAS SFTP - Port 2222
object service PORT_2222
 service tcp source eq 2222 destination eq 2222
 description NAS SFTP - Port 2222

FF(config)# sho run nat
!
object network NAS_SFTP
 nat (inside,outside) static interface no-proxy-arp service tcp 2222 2222
!
nat (inside,outside) after-auto source dynamic any interface dns

FF(config)# sho run access-list
access-list ACL-OUTSIDE extended permit tcp any host 192.168.1.60 eq 2222
access-list ACL-OUTSIDE extended deny ip any any log
access-list ACL-INSIDE extended permit ip any any log

FF(config)# sho run access-group
access-group ACL-OUTSIDE in interface outside
access-group ACL-INSIDE in interface inside

Hi,

have you got a route for 24.x.x.x.x on the ASA ?

Regards

Alain

Don't forget to rate helpful posts.


Thanks for the response, here is the 'sho route':

Gateway of last resort is 24.xx.xx.xx to network 0.0.0.0
O    172.16.1.0 255.255.255.240 [110/11] via 10.1.1.1, 252:25:32, inside
C    24.xx.xx.xx 255.255.240.0 is directly connected, outside
C    10.1.1.0 255.255.255.224 is directly connected, inside
O    192.168.1.0 255.255.255.192 [110/11] via 10.1.1.1, 252:25:32, inside
d*   0.0.0.0 0.0.0.0 [1/0] via 24.xx.xx.xx, outside

This is the error message in the log:

Failed to locate egress interface for TCP from inside:10.1.1.1/16362 to 24.xx.xx.xx/2222

Is this from the ASA or the 3825?  Have you tried just setting up a single NAT statement on both the ASA and 3825? Also double check the routing table on the 3825 to make sure every route is visible.

That error is on the ASA. I am certain that my NAT is not correct and I posted the configs for both, the ASA and 3825 as well as the 'sho route'. Thanks for your help...

Hello,

The configuration which you provided seems OK, but the error message looks weird. Do you perform NAT only on the ASA, or do you perform double NAT?

If you perform NAT only on ASA, can you provide entire config and these outputs?

- ping 192.168.1.60

- packet-tracer input outside tcp REMOTE HIGH_PORT 192.168.1.60 22222 detailed

REMOTE - replace with IP from which you are trying to reach 192.168.1.60 (some public IP)

HIGH_PORT - replace with some high port, e.g. 26154

- show conn and show xlate - when you try to reach 192.168.1.60

- show route

- please verify that you can reach internet from ASA, ping next-hop, 8.8.8.8

!!!!! please do not hide public IPs like 24.x.x.x, either replace them with other IPs or make sure that hidden IPs are represented with same signs, thanks !!!!!

If you perform double NAT, can you also provide config of 3825 router?

Best Regards

Please rate all helpful posts and close solved questions


I am performing NAT on the ASA and on the 3825; ISP -> ASA 10.1.1.0/27 -> Router 192.168.1.0/26

- Ping from ASA to 192.168.1.60 does not work (another issue); here's the ASA log as it scrolls:

  • Denied ICMP type=0, code=0 from 10.1.1.1 on interface inside
  • Denied ICMP type=0, from laddr 10.1.1.1 on interface inside to 10.1.1.30: no matching session
  • Built inbound ICMP connection for faddr 10.1.1.1/0 gaddr 10.1.1.30/29878 laddr 10.1.1.30/29878
  • Built outbound ICMP connection for faddr 192.168.1.60/0 gaddr 10.1.1.30/29878 laddr 10.1.1.30/29878
  • Built local-host inside:192.168.1.60

- FF# packet-tracer input outside tcp 8.8.8.8 26154 192.168.1.60 22222 detailed

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xcb14fb28, priority=1, domain=permit, deny=false
        hits=78854759, user_data=0x0, cs_id=0x0, l3_type=0x8
        src mac=0000.0000.0000, mask=0000.0000.0000
        dst mac=0000.0000.0000, mask=0100.0000.0000
        input_ifc=outside, output_ifc=any

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   192.168.1.0     255.255.255.192 inside

Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         outside

Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: DROP
Config:
access-group ACL-OUTSIDE-IN in interface outside
access-list ACL-OUTSIDE-IN extended deny ip any any log
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xcad35bd0, priority=13, domain=permit, deny=true
        hits=821, user_data=0xc9187dd0, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0 dscp=0x0
        input_ifc=outside, output_ifc=any

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

- show conn and show xlate

      Running these commands resulted in very long outputs with no reference to 192.168.1.60 when initiating an SFTP connection from 'outside'.

- FF# sho route

Gateway of last resort is 24.120.120.1 to network 0.0.0.0
O    172.16.1.0 255.255.255.240 [110/11] via 10.1.1.1, 290:33:34, inside
C    24.120.120.0 255.255.240.0 is directly connected, outside
C    10.1.1.0 255.255.255.224 is directly connected, inside
O    192.168.1.0 255.255.255.192 [110/11] via 10.1.1.1, 290:33:34, inside
d*   0.0.0.0 0.0.0.0 [1/0] via 24.120.120.1, outside

- please verify that you can reach internet from ASA, ping next-hop, 8.8.8.8

      I cannot ping internally or externally from the ASA, but I do have an internet connection, as the ASA is currently connected and I have no connectivity issues.

- I am not really certain what you meant by hiding the public IP and the different signs, so I just manipulated the public IPs. I am including the config for the ASA and the 3825 below; thanks again for your help and please let me know what else I need to provide...

ASA Version 9.0(2)

!

hostname FF

enable password 4.x70RVTq0ba.OJq encrypted

xlate per-session permit tcp any4 any4

xlate per-session permit tcp any4 any6

xlate per-session permit tcp any6 any4

xlate per-session permit tcp any6 any6

xlate per-session permit udp any4 any4 eq domain

xlate per-session permit udp any4 any6 eq domain

xlate per-session permit udp any6 any4 eq domain

xlate per-session permit udp any6 any6 eq domain

passwd 1KFQnaNQdI.2KYOU encrypted

names

!

interface Ethernet0/0

switchport access vlan 5

!

interface Ethernet0/1

switchport access vlan 10

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

!

interface Vlan5

mac-address 001c.71a5.fa40

nameif outside

security-level 0

ip address dhcp setroute

!

interface Vlan10

nameif inside

security-level 100

ip address 10.1.1.30 255.255.255.224

!

boot system disk0:/asa902-k8.bin

ftp mode passive

clock timezone CST -6

clock summer-time CDT recurring

dns domain-lookup outside

dns domain-lookup inside

dns server-group DefaultDNS

name-server 198.153.192.40

name-server 198.153.194.40

object network DNAT_3825

object network INTERNAL_LAN

subnet 10.1.1.0 255.255.255.224

object network NAS_SFTP

host 192.168.1.60

description NAS SFTP - Port 2222

object service PORT_2222

service tcp source eq 2222 destination eq 2222

description NAS SFTP - Port 2222

object-group protocol TCPUDP

protocol-object udp

protocol-object tcp

access-list ACL-OUTSIDE-IN extended permit tcp any object NAS_SFTP eq 2222 log

access-list ACL-OUTSIDE-IN extended deny ip any any log

access-list ACL-INSIDE-IN extended permit ip any any log

access-list ACL-INSIDE-IN extended permit icmp any any echo-reply log

access-list ACL-INSIDE-IN extended permit icmp any any echo log

access-list ACL-INSIDE-IN extended permit icmp any any log

access-list ACL-INSIDE-OUT extended permit icmp any any echo-reply log

access-list ACL-INSIDE-OUT extended permit icmp any any echo log

access-list ACL-INSIDE-OUT extended permit icmp any any log

pager lines 24

logging enable

logging asdm debugging

mtu outside 1500

mtu inside 1500

ip verify reverse-path interface outside

no failover

icmp unreachable rate-limit 1 burst-size 1

icmp deny any outside

icmp permit any inside

asdm image disk0:/asdm-712.bin

no asdm history enable

arp timeout 14400

no arp permit-nonconnected

!

object network NAS_SFTP

nat (inside,outside) static interface no-proxy-arp service tcp 2222 2222

!

nat (inside,outside) after-auto source dynamic any interface dns

access-group ACL-OUTSIDE-IN in interface outside

access-group ACL-INSIDE-IN in interface inside

access-group ACL-INSIDE-OUT out interface inside

!

router ospf 1

network 10.1.1.0 255.255.255.224 area 0

network 192.168.1.0 255.255.255.192 area 0

log-adj-changes

default-information originate always metric 1

!

timeout xlate 3:00:00

timeout pat-xlate 0:00:30

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

user-identity default-domain LOCAL

aaa authentication ssh console LOCAL

aaa authentication http console LOCAL

http server enable

http server idle-timeout 60

http server session-timeout 90

http 192.168.1.0 255.255.255.192 inside

http 10.1.1.0 255.255.255.224 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart

crypto ipsec security-association pmtu-aging infinite

crypto ca trustpool policy

telnet timeout 5

ssh 192.168.1.0 255.255.255.192 inside

ssh timeout 60

ssh version 2

console timeout 0

dhcp-client client-id interface outside

threat-detection basic-threat

threat-detection scanning-threat

threat-detection statistics

threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200

ntp server 10.1.1.1 source inside

ntp server 129.6.15.29 source outside prefer

webvpn

anyconnect-essentials

username cisco password vAf1q1H.ah.rqbDS encrypted privilege 15

username lab password n/pkFOGPjV0mLSxt encrypted privilege 15

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

message-length maximum client auto

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect ip-options

inspect netbios

inspect rsh

inspect rtsp

inspect skinny

inspect esmtp

inspect sqlnet

inspect sunrpc

inspect tftp

inspect sip

inspect xdmcp

inspect icmp

!

service-policy global_policy global

prompt hostname context

no call-home reporting anonymous

hpm topN enable

Cryptochecksum:1271f9da71948856f63e44e7268f48fa

: end

__________________________________________________________________________________

Cisco Router 3825

version 15.1

no service pad

service timestamps debug datetime msec localtime show-timezone

service timestamps log datetime msec localtime show-timezone

service password-encryption

service sequence-numbers

!

hostname RR

!

boot-start-marker

boot system flash:c3825-adventerprisek9_ivs-mz.151-4.M6.bin

boot-end-marker

!

!

security authentication failure rate 3 log

logging buffered 51200

logging console critical

enable secret 4 1hdl2t2GTwuAChFnEIcCj0Iz7JBCJX01rwUvTaQTL7k

enable password 7 1057990D5505120F0801

!

no aaa new-model

!

clock timezone CST -6 0

clock summer-time CDT recurring

!

dot11 syslog

no ip source-route

!

ip cef

!

!

ip dhcp excluded-address 192.168.1.1 192.168.1.4

ip dhcp excluded-address 192.168.1.51 192.168.1.62

ip dhcp excluded-address 172.16.1.1

ip dhcp excluded-address 172.16.1.14

!

ip dhcp pool DHCP_192.168.1.0/26

network 192.168.1.0 255.255.255.192

dns-server 192.168.1.1

default-router 192.168.1.1

domain-name ciscolab.local

!

ip dhcp pool VOICE_LAN

import all

network 172.16.1.0 255.255.255.240

default-router 172.16.1.1

dns-server 192.168.1.1

domain-name ciscolab.local

option 150 ip 172.16.1.1

!

!

no ip bootp server

ip domain name ciscolab.local

ip name-server 198.153.192.40

ip name-server 198.153.194.40

ip inspect log drop-pkt

ip inspect tcp reassembly queue length 128

ip inspect tcp reassembly timeout 10

no ipv6 cef

!

multilink bundle-name authenticated

!

!

parameter-map type inspect global

log dropped-packets enable

parameter-map type ooo global

tcp reassembly queue length 64

tcp reassembly memory limit 4096

tcp reassembly alarm off

!

voice-card 0

!

!

voice service voip

ip address trusted list

ipv4 64.237.39.42

ipv4 64.237.39.30

allow-connections sip to sip

no supplementary-service h450.2

no supplementary-service h450.3

no supplementary-service h450.7

no supplementary-service sip moved-temporarily

no supplementary-service sip refer

no supplementary-service sip handle-replaces

redirect ip2ip

sip

bind control source-interface GigabitEthernet0/1.20

bind media source-interface GigabitEthernet0/1.20

session transport tcp

registrar server

!

voice class codec 1

codec preference 1 g711ulaw

!

!

voice register global

mode cme

source-address 172.16.1.1 port 5060

max-dn 25

max-pool 25

load 7960-7940 P0S3-8-12-00

authenticate register

tftp-path flash:

create profile sync 0020174213302002

!

voice register dn 1

number 1001

name EXT1

label EXT1

!

voice register dn 2

number 1002

name EXT2

label EXT2

!

voice register pool 1

id mac 000F.BA70.EABD

type 7960

number 1 dn 1

username EXT1 password 1234

!

voice register pool 2

id mac 000C.AC60.EC61

type 7960

number 1 dn 2

username EXT2 password 1234

!

!

crypto pki token default removal timeout 0

!

crypto pki trustpoint TP-self-signed-2466671023

enrollment selfsigned

subject-name cn=IOS-Self-Signed-Certificate-2466671023

revocation-check none

rsakeypair TP-self-signed-2466671023

!

!

crypto pki certificate chain TP-self-signed-2466671023

certificate self-signed 01

!

!

license udi pid CISCO3825 sn FTI1017A0NT

archive

log config

hidekeys

username cisco privilege 15 password 7 0701282A1E1D310F12

username lab privilege 15 password 7 071111581C1B1A041317

!

redundancy

!

!

ip tcp synwait-time 10

!

!

interface Loopback0

description $FW_INSIDE$

ip address 99.99.99.99 255.255.255.255

no ip redirects

no ip unreachables

no ip proxy-arp

ip flow ingress

!

interface Null0

no ip unreachables

!

interface GigabitEthernet0/0

description OUTSIDE TO ASA$ETH-WAN$

ip address 10.1.1.1 255.255.255.224

no ip redirects

no ip unreachables

no ip proxy-arp

ip nbar protocol-discovery

ip flow ingress

ip flow egress

ip nat outside

ip virtual-reassembly in max-reassemblies 64

duplex auto

speed auto

media-type rj45

no mop enabled

!

interface GigabitEthernet0/1

no ip address

duplex auto

speed auto

media-type rj45

!

interface GigabitEthernet0/1.10

description DATA_VLAN$ETH-LAN$

encapsulation dot1Q 10

ip address 192.168.1.1 255.255.255.192

no ip redirects

no ip unreachables

no ip proxy-arp

ip flow ingress

ip flow egress

ip nat inside

ip virtual-reassembly in

ip tcp adjust-mss 1460

!

interface GigabitEthernet0/1.20

description VOICE_VLAN$ETH-LAN$

encapsulation dot1Q 20

ip address 172.16.1.1 255.255.255.240

ip nbar protocol-discovery

ip flow ingress

ip flow egress

!

router ospf 1

network 10.1.1.0 0.0.0.31 area 0

network 172.16.1.0 0.0.0.15 area 0

network 192.168.1.0 0.0.0.63 area 0

default-information originate

!

ip forward-protocol nd

ip http server

ip http access-class 2

ip http authentication local

ip http secure-server

ip http timeout-policy idle 60 life 86400 requests 10000

!

!

ip dns server

ip nat pool DHCP_192.168.1.0/26 192.168.1.1 192.168.1.62 netmask 255.255.255.192

ip nat inside source list 1 interface GigabitEthernet0/0 overload

!

ip access-list extended SDM_BOOTPC

remark CCP_ACL Category=0

permit udp any any eq bootpc

ip access-list extended SDM_GRE

remark CCP_ACL Category=1

permit gre any any

ip access-list extended SDM_OSPF

remark CCP_ACL Category=1

permit ospf any any

!

logging trap debugging

logging 192.168.1.60

access-list 1 remark CCP_ACL Category=2

access-list 1 permit 192.168.1.0 0.0.0.63

!

!

tftp-server flash:/P0S3-8-12-00/P0S3-8-12-00.loads alias P0S3-8-12-00.loads

tftp-server flash:/P0S3-8-12-00/P0S3-8-12-00.sb2 alias P0S3-8-12-00.sb2

tftp-server flash:/P0S3-8-12-00/P003-8-12-00.bin alias P003-8-12-00.bin

tftp-server flash:/P0S3-8-12-00/P003-8-12-00.sbn alias P003-8-12-00.sbn

tftp-server flash:/SIP/SEP000DBC80EABD.cnf alias SEP000DBC80EABD.cnf

tftp-server flash:/SIP/SEP000DBC80EB61.cnf alias SEP000DBC80EB61.cnf

tftp-server flash:/SIP/XMLDefault.cnf alias XMLDefault.cnf

!

control-plane

!

!

mgcp fax t38 ecm

!

mgcp profile default

!

!

sip-ua

credentials number 13141234123 username GV13141234123 password 7 14123B1F26140672742E37252140 realm GVGW

authentication username GV13141234123 password 7 021E11674B2C56714A4A191A56

registrar dns:gvgw3.simonics.com:5070 expires 1800 tcp

sip-server dns:gvgw3.simonics.com:5070

!

!

gatekeeper

shutdown

!

!

telephony-service

no auto-reg-ephone

pin 0000 override

max-dn 25

ip source-address 172.16.1.1 port 2000

max-redirect 5

system message ciscolab

cnf-file location flash:

max-conferences 12 gain -6

web admin system name cisco secret 5 $0$LEFH$00Kx0vw4FlNCZvO2KypRh.

transfer-system full-consult

create cnf-files version-stamp 7960 Apr 14 2013 02:39:02

!

!

line con 0

exec-timeout 0 0

password 7 067366111F5A581710

logging synchronous

line aux 0

line vty 0 4

access-class 102 in

exec-timeout 0 0

privilege level 15

password 7 10400F005501131509

login local

transport input telnet ssh

transport output telnet ssh

!

scheduler allocate 20000 1000

ntp master

ntp update-calendar

ntp server time.nist.gov prefer

end

Hello,

You are missing three things:

- static port forward on 3825

ip nat inside source static tcp 192.168.1.60 23 10.1.1.1 2222 extendable

- correctly configured NAS_SFTP on ASA

object network NAS_SFTP

host 10.1.1.1

! remember, server is behind NAT, so ASA knows this server as 10.1.1.1

- allow traffic in ACL

access-list ACL-INSIDE-OUT extended permit tcp any object NAS_SFTP eq 2222

Best Regards

Please rate all helpful posts and close solved questions


I ran the 3 commands on the specified device but I am still receiving the following error in the ASA and I cannot connect;

Severity 6, May 14 2013 06:57:51, source 10.1.1.1/9156: Failed to locate egress interface for TCP from inside:10.1.1.1/9156 to 24.120.120.229/2222

This is the output from the ASA. Nothing else changed aside from the 3 lines you suggested, thank you...

- FF# packet-tracer input outside tcp 8.8.8.8 26154 192.168.1.60 2222 detailed

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xcb14fb28, priority=1, domain=permit, deny=false
        hits=80158375, user_data=0x0, cs_id=0x0, l3_type=0x8
        src mac=0000.0000.0000, mask=0000.0000.0000
        dst mac=0000.0000.0000, mask=0100.0000.0000
        input_ifc=outside, output_ifc=any

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   192.168.1.0     255.255.255.192 inside

Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         outside

Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: DROP
Config:
access-group ACL-OUTSIDE-IN in interface outside
access-list ACL-OUTSIDE-IN extended deny ip any any log
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xcad35bd0, priority=13, domain=permit, deny=true
        hits=1093, user_data=0xc9187dd0, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0 dscp=0x0
        input_ifc=outside, output_ifc=any

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

Hello,

You are mixing two approaches together. Either you configure single NAT on ASA or you configure double NAT, one on ASA and second on 3845.

You said that you chose the second approach, to perform double NAT. It means that 192.168.1.0/26 should be hidden behind the 10.1.1.1 IP, but I can see OSPF routes for both 192.168.1.0/26 and 172.16.1.0/28 in the ASA routing table. You have to choose one approach and stick with it!

So please choose which way you want to continue and in meantime please upload output of:

FF# packet-tracer input outside tcp 8.8.8.8 26154 10.1.1.1 2222

Best Regards

Please rate all helpful posts and close solved questions

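To make the two-hop design from the earlier reply (static forward on the 3825, NAS_SFTP pointing at 10.1.1.1 on the ASA) and the "hidden subnet" point in this reply concrete, here is an added Python example. It is my own code, not code from the thread or from Cisco: it models the two static port forwards as a chain, checks that they compose into a path from the public address to the NAS, and separately flags routes in the ASA table that point into subnets the 3825's NAT is supposed to hide. Addresses are the ones posted in the thread (24.120.120.229 from the log line as the ASA outside address, 10.1.1.1 for the 3825, 192.168.1.60 for the NAS); the 3825 rule is entered with the ports exactly as they appear in the earlier reply, and the NAS listening port of tcp/2222 is an assumption taken from the ASA object description.

```python
"""Added example, not from the thread: model the two static port forwards of the
double-NAT design as a chain, check that they compose into a path to the NAS, and
flag ASA routes that point into subnets the 3825's NAT is supposed to hide."""
from dataclasses import dataclass
from ipaddress import ip_network
from typing import List, Optional, Tuple

Endpoint = Tuple[str, int]

@dataclass(frozen=True)
class StaticPortForward:
    """One static tcp forward: a packet for outside_ip:outside_port is sent on to inside_ip:inside_port."""
    device: str
    outside_ip: str
    outside_port: int
    inside_ip: str
    inside_port: int

    def translate(self, dst: Endpoint) -> Optional[Endpoint]:
        if dst == (self.outside_ip, self.outside_port):
            return (self.inside_ip, self.inside_port)
        return None

def walk_chain(hops: List[StaticPortForward], dst: Endpoint) -> List[Endpoint]:
    """Apply the hops outermost first and return the destination after each one.
    Raises ValueError at the first hop that has no rule for the packet's destination."""
    trace = [dst]
    for hop in hops:
        nxt = hop.translate(dst)
        if nxt is None:
            raise ValueError(f"{hop.device}: no static rule matches {dst[0]}:{dst[1]}")
        dst = nxt
        trace.append(dst)
    return trace

def check_chain(hops: List[StaticPortForward], public: Endpoint, server: Endpoint) -> List[str]:
    """Return the problems found; an empty list means a client hitting `public` lands on `server`."""
    problems = []
    for outer, inner in zip(hops, hops[1:]):
        if (outer.inside_ip, outer.inside_port) != (inner.outside_ip, inner.outside_port):
            problems.append(f"{outer.device} forwards to {outer.inside_ip}:{outer.inside_port} but "
                            f"{inner.device} only matches {inner.outside_ip}:{inner.outside_port}")
    try:
        final = walk_chain(hops, public)[-1]
    except ValueError as exc:
        problems.append(str(exc))
    else:
        if final != server:
            problems.append(f"chain ends at {final[0]}:{final[1]} but the server listens on "
                            f"{server[0]}:{server[1]}")
    return problems

def leaked_routes(routes, hidden_subnets):
    """Routes whose prefix lies inside a subnet that should be invisible to the ASA
    (with double NAT the ASA should only know the 10.1.1.0/27 link to the 3825)."""
    hidden = [ip_network(h) for h in hidden_subnets]
    leaks = []
    for prefix, mask, via, ifc in routes:
        net = ip_network(f"{prefix}/{mask}", strict=False)
        if any(net.subnet_of(h) for h in hidden):
            leaks.append((prefix, mask, via, ifc))
    return leaks

# Addresses from the thread: ASA outside 24.120.120.229 (from the log line), 3825 Gi0/0
# 10.1.1.1, NAS 192.168.1.60. The 3825 rule carries the ports exactly as posted in the thread.
ASA_HOP = StaticPortForward("ASA", "24.120.120.229", 2222, "10.1.1.1", 2222)
ROUTER_HOP_AS_POSTED = StaticPortForward("3825", "10.1.1.1", 2222, "192.168.1.60", 23)
ROUTER_HOP_2222 = StaticPortForward("3825", "10.1.1.1", 2222, "192.168.1.60", 2222)
PUBLIC: Endpoint = ("24.120.120.229", 2222)
# Assumption: the NAS listens on tcp/2222, per the ASA object description "NAS SFTP - Port 2222".
NAS: Endpoint = ("192.168.1.60", 2222)

# ASA 'show route' from the thread as (prefix, mask, next hop, interface).
ASA_ROUTES = [
    ("172.16.1.0", "255.255.255.240", "10.1.1.1", "inside"),
    ("24.120.120.0", "255.255.240.0", None, "outside"),
    ("10.1.1.0", "255.255.255.224", None, "inside"),
    ("192.168.1.0", "255.255.255.192", "10.1.1.1", "inside"),
    ("0.0.0.0", "0.0.0.0", "24.120.120.1", "outside"),
]
HIDDEN_BEHIND_3825 = ["192.168.1.0/26", "172.16.1.0/28"]

if __name__ == "__main__":
    for hop in (ROUTER_HOP_AS_POSTED, ROUTER_HOP_2222):
        print(f"3825 inside port {hop.inside_port}:", check_chain([ASA_HOP, hop], PUBLIC, NAS) or "ok")
    for route in leaked_routes(ASA_ROUTES, HIDDEN_BEHIND_3825):
        print("route into a hidden subnet:", route)
```

Run as-is it reports that the as-posted 3825 rule ends the chain at 192.168.1.60:23 rather than at the assumed listening port, and lists the two OSPF routes (172.16.1.0/28 and 192.168.1.0/26) that this reply identifies as leaking past the inner NAT; with the 3825 inside port set to 2222 the chain check comes back clean. A single-hop chain (ASA only) fails the same check because it ends at 10.1.1.1, which is the "mixing two approaches" case described above.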

I don't mind keeping the 192.168.1.0/26 route and just getting this to work. I did remove that route but still nothing. This is the result in the ASDM log;

w/o network 192.168.1.0 255.255.255.192 area 0 - Failed to locate egress interface for TCP from inside:10.1.1.1/18470 to 24.120.120.229/2222

w/ network 192.168.1.0 255.255.255.192 area 0 - Failed to locate egress interface for TCP from inside:10.1.1.1/18523 to 24.120.120.229/2222

FF# packet-tracer input outside tcp 8.8.8.8 26154 10.1.1.1 2222

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   10.1.1.0        255.255.255.224 inside

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         outside

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group ACL-OUTSIDE-IN in interface outside
access-list ACL-OUTSIDE-IN extended permit tcp any object NAS_SFTP eq 2222 log
Additional Information:

Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group ACL-INSIDE-IN out interface inside
Additional Information:

Phase: 7
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
object network NAS_SFTP
 nat (inside,outside) static interface no-proxy-arp service tcp 2222 2222
Additional Information:

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
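The three packet-tracer outputs in this thread all end with the same Drop-reason text, even though the first two fail at an ACCESS-LIST phase and the last one at a NAT rpf-check phase. Here is an added Python example, my own code rather than anything from the thread or from Cisco, that parses packet-tracer output into its phases and summarises the dropping phase together with the config the ASA shows for it, so traces can be compared without reading them line by line. The two sample traces are condensed from the outputs posted above (only the decisive phase and the closing summary are kept); the parser handles the full output unchanged.

```python
"""Added example, not from the thread: parse Cisco ASA packet-tracer output into phases
and report which phase dropped the flow and the rule shown for it. The closing
'Drop-reason' can read the same for quite different causes, so the phase Type/Subtype
is the part worth pulling out."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

@dataclass
class Phase:
    number: int
    type: str = ""
    subtype: str = ""
    result: str = ""
    config: List[str] = field(default_factory=list)  # lines under "Config:"
    info: List[str] = field(default_factory=list)    # lines under "Additional Information:"

@dataclass
class Trace:
    phases: List[Phase]
    action: str = ""       # closing "Action:" line
    drop_reason: str = ""  # closing "Drop-reason:" line, empty when the flow is allowed

    def dropping_phase(self) -> Optional[Phase]:
        return next((p for p in self.phases if p.result == "DROP"), None)

def parse_packet_tracer(text: str) -> Trace:
    # "Phase: N" opens a phase; a bare "Result:" (no value) opens the closing summary block.
    phases: List[Phase] = []
    current, section = None, None
    action = drop_reason = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        head = re.match(r"Phase:\s*(\d+)$", line)
        if head:
            current = Phase(int(head.group(1)))
            phases.append(current)
            section = None
        elif line == "Result:":
            current, section = None, None
        elif current is None:
            if line.startswith("Action:"):
                action = line.split(":", 1)[1].strip()
            elif line.startswith("Drop-reason:"):
                drop_reason = line.split(":", 1)[1].strip()
        elif line.startswith("Type:"):
            current.type = line.split(":", 1)[1].strip()
        elif line.startswith("Subtype:"):
            current.subtype = line.split(":", 1)[1].strip()
        elif line.startswith("Result:"):
            current.result = line.split(":", 1)[1].strip()
        elif line == "Config:":
            section = "config"
        elif line == "Additional Information:":
            section = "info"
        elif section == "config":
            current.config.append(line)
        elif section == "info":
            current.info.append(line)
    return Trace(phases, action, drop_reason)

def summarize(trace: Trace) -> str:
    """One line: the dropping phase and the config the ASA attributed the drop to."""
    p = trace.dropping_phase()
    if p is None:
        return f"{trace.action or 'allow'}: all {len(trace.phases)} phases allowed"
    rule = "; ".join(p.config) or "(no config shown)"
    return f"drop in phase {p.number} {p.type}/{p.subtype or '-'}: {rule} [{trace.drop_reason}]"

# Constructed from the thread's packet-tracer outputs, keeping only the decisive phase.
TRACE_ACL_DENY = """\
Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: DROP
Config:
access-group ACL-OUTSIDE-IN in interface outside
access-list ACL-OUTSIDE-IN extended deny ip any any log
Additional Information:
Forward Flow based lookup yields rule:
Result:
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""
TRACE_NAT_RPF = """\
Phase: 7
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
object network NAS_SFTP
nat (inside,outside) static interface no-proxy-arp service tcp 2222 2222
Result:
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

if __name__ == "__main__":
    for name, text in (("ACL trace", TRACE_ACL_DENY), ("NAT trace", TRACE_NAT_RPF)):
        print(name, "->", summarize(parse_packet_tracer(text)))
```

The summary for the last trace comes out as a NAT/rpf-check drop on the NAS_SFTP static rule, which is a different problem from the ACL denies earlier in the thread: a drop in that phase means the packet's destination did not fit the translation the static rule expects for that direction. That trace was sent to the real address 10.1.1.1, whereas `static interface` presents the host to the outside as the outside interface address, so the destination used in the test is the first thing to re-check before changing any ACL.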
