
Problem with PAT ASA 5510 IOS 9.1(3)

zero_cool83
Level 1

Hello guys.

I have a strange problem with ASA 5510 NAT settings.

We have one local network:

object network Local_Office_Network
subnet 172.16.0.0 255.255.248.0
description Local Network

and one ISP: 134.17.5.142

The main problem is when I try to set up PAT to a specific server inside the local network from outside:

object network RocketPAT
nat (inside,mts-out) static interface no-proxy-arp service tcp https 8443

It does not work; I always see this in the debug logging:

Severity | Date | Time | Syslog ID | Source IP | Source Port | Destination IP | Destination Port | Description
7 | Nov 29 2019 | 19:45:33 | 710005 | 178.127.193.130 | 56795 | 134.17.5.142 | 8443 | TCP request discarded from 178.127.193.130/56795 to mts-out:134.17.5.142/8443

I will give the main parts of the configuration below:

object network RocketPAT
host 172.16.0.100

...

access-list Beltelecom_access_in extended permit tcp any object Rocket_Server eq https log debugging

...

nat (Wifi,mts-out) source dynamic any interface
nat (any,any) source static VPN VPN destination static Local_Office_Network Local_Office_Network
nat (CORP,inside) source static any any dns no-proxy-arp route-lookup
nat (inside,mts-out) source dynamic any interface
!
object network RocketPAT
nat (inside,mts-out) static interface no-proxy-arp service tcp https 8443

Could you tell me what is wrong? Thanks in advance!

Accepted Solution

Solved!

Deleted the first NAT rule in section 1:

nat (CORP,inside) source static any any dns no-proxy-arp route-lookup

All old access lists were cleared:

clear configure access-list 

and the correct NAT was configured for the network object:

object network server-rocket
nat (inside,mts-out) static interface service tcp 3000 3000
!
access-list outside_acl extended permit tcp any object server-rocket eq 3000
access-group outside_acl in interface mts-out

Many thanks to everyone who helped and participated!!!

Most likely, the reason was the heap of old access lists, which the ASA is always guilty of... It was necessary to delete everything at the start.
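As an added example (not code from the thread, the solver, or Cisco), the following Python check captures the two consistency conditions the accepted solution ends up satisfying: the ACL must reference the same object and the same real port as the object NAT statement, and that ACL must be bound inbound on the mapped interface. The two configuration fragments are constructed from the lines quoted in the thread; the function and constant names are my own.

```python
import re

# Constructed configuration fragments (assumption: they reproduce only the
# lines quoted in the thread, not a full ASA config). The first is the
# original post's port forward, the second is the accepted solution's.
ORIGINAL_CFG = """
object network RocketPAT
 host 172.16.0.100
 nat (inside,mts-out) static interface no-proxy-arp service tcp https 8443
access-list Beltelecom_access_in extended permit tcp any object Rocket_Server eq https log debugging
"""

SOLUTION_CFG = """
object network server-rocket
 host 172.16.0.100
 nat (inside,mts-out) static interface service tcp 3000 3000
access-list outside_acl extended permit tcp any object server-rocket eq 3000
access-group outside_acl in interface mts-out
"""

NAT_RE = re.compile(r"nat \((\S+),(\S+)\) static interface(?: \S+)* service (tcp|udp) (\S+) (\S+)")
ACL_RE = re.compile(r"access-list (\S+) extended permit (tcp|udp) any object (\S+) eq (\S+)")
GRP_RE = re.compile(r"access-group (\S+) in interface (\S+)")

def check_port_forwards(cfg):
    """Return one problem string per object-NAT port forward that has no
    matching ACL bound inbound on the mapped interface; [] means consistent."""
    forwards, acls, groups, obj = {}, [], {}, None
    for raw in cfg.splitlines():
        line = raw.strip()
        if line.startswith("object network "):
            obj = line.split()[2]                      # enter an object block
        elif (m := NAT_RE.match(line)) and obj:
            # (mapped interface, protocol, real port) for this object
            forwards[obj] = (m.group(2), m.group(3), m.group(4))
        elif m := ACL_RE.match(line):
            acls.append(m.groups())                    # (acl, proto, object, port)
        elif m := GRP_RE.match(line):
            groups[m.group(1)] = m.group(2)            # acl -> interface
    problems = []
    for name, (ifc, proto, real_port) in forwards.items():
        # On ASA 8.3+ the ACL references the real object and the real port,
        # not the mapped (outside) port.
        hits = [a for a in acls if a[1:] == (proto, name, real_port)]
        if not hits:
            problems.append(f"{name}: no ACL permits {proto}/{real_port} to object {name}")
        elif not any(groups.get(a[0]) == ifc for a in hits):
            problems.append(f"{name}: ACL for {name} is not applied inbound on {ifc}")
    return problems

if __name__ == "__main__":
    print(check_port_forwards(ORIGINAL_CFG))  # ACL names Rocket_Server, not RocketPAT
    print(check_port_forwards(SOLUTION_CFG))  # []
```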


Hello,

try and use the simplified syntax below:

access-list Beltelecom_access_in extended permit tcp any object RocketPAT eq 443
access-list Beltelecom_access_in extended permit tcp any object RocketPAT eq 8443
!
object network RocketPAT
host 172.16.0.100
nat (inside,mts-out) static interface service tcp 443 8443

I did it, thanks, but the result is the same.

I have the impression that I have incorrectly excluded the local traffic from NAT:

nat (inside,mts-out) source dynamic Local_Office_Network interface

But without this, I do not have Internet access from the local network.

[attachment: Screenshot_1.png]

Hello,

Which traffic (source/destination) do you want to send over the VPN? Is the VPN actually working?

Hello

As you have an any any in your NAT ACL, that ACL shouldn't be negating anything; your static NAT config also looks applicable.

Can you post the results of the commands below, please?

show xlate | in 8443

packet-tracer input inside tcp 172.16.0.100 443 <--public ip>  8443


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Hello.

Result of the command: "show xlate | in 8443"

TCP PAT from inside:172.16.0.100 443-443 to outside:134.17.5.142 8443-8443
UDP PAT from inside:172.16.0.254/48443 to outside:134.17.5.142/48443 flags ri idle 0:00:08 timeout 0:00:30

and next

Result of the command: "packet-tracer input inside tcp 172.16.0.100 443 134.17.5.142 8443"

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 134.17.5.142 255.255.255.255 identity

Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 134.17.5.142 255.255.255.255 identity

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
output-status: up
output-line-status: up
Action: drop
Drop-reason: (no-route) No route to host

Hello,

The line 'ip address dhcp setroute' should in theory put a default route into your routing table. Does that default route show up when you do a 'show route'?

Something like that:

S 172.16.0.0 255.255.248.0 [1/0] via 172.16.0.2, inside
C 172.16.0.0 255.255.255.0 is directly connected, inside
C 134.17.4.0 255.255.252.0 is directly connected, outside
S* 0.0.0.0 0.0.0.0 [1/0] via 134.17.4.1, outside

Hello,

I cannot really figure out how your VPN is set up. For the sake of testing, just leave the two NAT lines in your config, and take the other ones out...

nat (Wifi,mts-out) source dynamic any interface
--> no nat (any,any) source static VPN VPN destination static Local_Office_Network Local_Office_Network
--> no nat (CORP,inside) source static any any dns no-proxy-arp route-lookup
nat (inside,mts-out) source dynamic any interface

Full picture:

Manual NAT Policies (Section 1)
1 (Wifi) to (outside) source dynamic any interface
translate_hits = 37, untranslate_hits = 0
Source - Origin: 0.0.0.0/0, Translated: 134.17.5.142/22
2 (any) to (inside) source dynamic VPN interface destination static Local_Office_Network Local_Office_Network
translate_hits = 547, untranslate_hits = 661
Source - Origin: 172.16.100.0/24, Translated: 172.16.0.1/24
Destination - Origin: 172.16.0.0/21, Translated: 172.16.0.0/21
3 (inside) to (outside) source dynamic Local_Office_Network interface
translate_hits = 58643, untranslate_hits = 22471
Source - Origin: 172.16.0.0/21, Translated: 134.17.5.142/22

Auto NAT Policies (Section 2)
1 (inside) to (outside) source static Rocket interface service tcp https 8443
translate_hits = 0, untranslate_hits = 0
Source - Origin: 172.16.0.100/32, Translated: 134.17.5.142/22
Service - Protocol: tcp Real: https Mapped: 8443

Manual NAT Policies (Section 3)
1 (inside) to (outside) source static obj-0.0.0.0 obj-0.0.0.0 destination static obj-0.0.0.0 obj-0.0.0.0 no-proxy-arp
translate_hits = 0, untranslate_hits = 0
Source - Origin: 0.0.0.0/32, Translated: 0.0.0.0/32
Destination - Origin: 0.0.0.0/32, Translated: 0.0.0.0/32

Hello,

Your CORP interface is shut down; is that a typo? Does your WebVPN actually work?

As far as I can tell, only the NAT below is needed.

object network VPN
subnet 172.16.100.0 255.255.255.0
nat (mts-out,mts-out) dynamic interface dns

!

nat (Wifi,mts-out) source dynamic any interface
nat (inside,mts-out) source static LOCAL_OFFICE_NETWORK LOCAL_OFFICE_NETWORK destination static VPN VPN
nat (inside,mts-out) source dynamic any interface

I applied your rules by deleting mine. Everything works fine regarding the local Internet and Wi-Fi.

But I still get this from "packet-tracer input inside tcp 172.16.0.100 443 134.17.5.142 8443":

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
output-status: up
output-line-status: up
Action: drop
Drop-reason: (no-route) No route to host

This interface is really off.
Yes, I have AnyConnect configured and it really works from the outside.

Hello,

Make the changes I suggested anyway; the WebVPN should still work...

Obviously don't forget to add the static NAT entry; that's what it is all about...

Thanks, I checked; the VPN is working fine.

But the question is not about the VPN.

I tried to forward some services from the Internet to the internal LAN:

object network Rocket
nat (inside,outside) static interface service tcp https 8085

This part does not work from my home, from outside.

I even changed the port from 8443 just in case. I want to reach the local office server by port and external address.