
Site to Site VPN with PAT option working fine as initiator, but not working as a responder

Vinay Harish
Level 1

Hi All,

If any of you have come across an issue of this sort, I request your help here. I have configured a S2S VPN on an ASA 5550, version 8.1(4) IOS. Everything works fine when I generate the traffic towards the customer end. I have configured the S2S VPN with PAT, so that when traffic leaves my firewall it gets PATed to a public IP and then goes out.

I was recently assigned another addition to this, wherein I was asked to have the S2S VPN up and running when the customer initiates the traffic to our end. I did the normal configuration, using the Static NAT to PAT translation; the tunnel came up, but no traffic seems to go through it.

If anyone can help me with the configuration, I can check the same to sort out the issue.

Thanks & Regards

   Vinay Harish

19 Replies

Santhosha Shetty
Cisco Employee

Hi Vinay,

With PAT, you can only initiate traffic from one end. If you need bi-directional traffic/NAT you will have to use static NAT.

Could you please show me a copy of NAT-rule you have configured for this S2S tunnel? (sh run static)

Also following outputs:

sh cry ipsec sa peer

packet tracer output for the vpn traffic.

Thanks

Santhosh

Hi Santhosha,

Thanks for the reply; sure, I will share the outputs which you have asked for:

nat (BlueYellowRed,Outside) source dynamic INDIA obj-115.X.X.130 destination static SCE SCE (This is the PAT which has been done traffic source from my end)

nat (BasicYellow,Management) static 115.X.X.X

nat (BasicYellow,DemoCollaRestricted) static 115.X.X.X

nat (BasicYellow,DemoCollaGeneral) static 115.X.X.X

nat (BasicYellow,BlueYellowRed) static 115.X.X.X

nat (DemoCollaRestricted,DemoCollaGeneral) static 10.X.X.X

nat (DemoCollaRestricted,BasicYellow) static 10.X.X.X

nat (DemoCollaRestricted,BlueYellowRed) static 10.X.X.X

nat (DemoCollaGeneral,Management) static 115.X.X.X

nat (DemoCollaGeneral,DemoCollaRestricted) static 115.X.X.X

nat (DemoCollaGeneral,BasicYellow) static 115.X.X.X

nat (DemoCollaGeneral,BlueYellowRed) static 115.X.X.X

nat (BlueYellowRed,Outside) static 115.X.X.130 service tcp 1XX39 1XX39  (This was the last line which I configured for the bi-directional flow. Tried to use the Static NAT to PAT translation.)

sh crypto ipsec sa peer 192.X.X.X

peer address: 192.X.X.X

    Crypto map tag: XXXXXX, seq num: 40, local addr: 115.X.X.250

      access-list vpn2scepat extended permit ip host 115.X.X.130 172.X.X.X 255.X.X.X

      local ident (addr/mask/prot/port): (115.X.X.130/255.255.255.255/0/0)

      remote ident (addr/mask/prot/port): (172.X.X.X/255.X.X.X/0/0)

      current_peer: 192.X.X.X

      #pkts encaps: 6356, #pkts encrypt: 6356, #pkts digest: 6356

      #pkts decaps: 5912, #pkts decrypt: 5910, #pkts verify: 5910

      #pkts compressed: 0, #pkts decompressed: 0

      #pkts not compressed: 6356, #pkts comp failed: 0, #pkts decomp failed: 0

      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0

      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0

      #send errors: 0, #recv errors: 2

      local crypto endpt.: 115.X.X.250/0, remote crypto endpt.: 192.X.X.X/0

      path mtu 1500, ipsec overhead 58, media mtu 1500

      current outbound spi: 43E85D64

      current inbound spi : E88F22C4

    inbound esp sas:

      spi: 0xE88F22C4 (3901694660)

         transform: XXXXXXXXX no compression

         in use settings ={L2L, Tunnel, }

         slot: 0, conn_id: 11669504, crypto-map: XXXXXXX

         sa timing: remaining key lifetime (kB/sec): (3914977/10631)

         IV size: 8 bytes

         replay detection support: Y

         Anti replay bitmap:

          0xFFFFFFFF 0xFFFFFFFF

    outbound esp sas:

      spi: 0x43E85D64 (1139301732)

         transform:XXXXXXXXX no compression

         in use settings ={L2L, Tunnel, }

         slot: 0, conn_id: 11669504, crypto-map: XXXXXXX

         sa timing: remaining key lifetime (kB/sec): (3914981/10631)

         IV size: 8 bytes

         replay detection support: Y

         Anti replay bitmap:

          0x00000000 0x00000001

    Crypto map tag: XXXXXXXX, seq num: 40, local addr: 115.X.X.250

      access-list vpn2scepat extended permit ip host 115.X.X.130 172.X.X.X 255.X.X.X

      local ident (addr/mask/prot/port): (115.X.X.130/255.255.255.255/0/0)

      remote ident (addr/mask/prot/port): (172.16.0.0/255.X.X.X/0/0)

      current_peer: 192.212.254.68

      #pkts encaps: 5009, #pkts encrypt: 5009, #pkts digest: 5009

      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

      #pkts compressed: 0, #pkts decompressed: 0

      #pkts not compressed: 5009, #pkts comp failed: 0, #pkts decomp failed: 0

      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0

      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0

      #send errors: 0, #recv errors: 0

      local crypto endpt.: 115.X.X.250/0, remote crypto endpt.: 192.X.X.X/0

      path mtu 1500, ipsec overhead 58, media mtu 1500

      current outbound spi: A8E735ED

      current inbound spi : 43D8A4A8

    inbound esp sas:

      spi: 0x43D8A4A8 (1138271400)

         transform: XXXXXXXXXXXXXXX no compression

         in use settings ={L2L, Tunnel, }

         slot: 0, conn_id: 11669504, crypto-map: XXXXXXX

         sa timing: remaining key lifetime (kB/sec): (3915000/10631)

         IV size: 8 bytes

         replay detection support: Y

         Anti replay bitmap:

          0x00000000 0x00000001

    outbound esp sas:

      spi: 0xA8E735ED (2833724909)

         transform: XXXXX XXXXXXXXX no compression

         in use settings ={L2L, Tunnel, }

         slot: 0, conn_id: 11669504, crypto-map: XXXXXX

         sa timing: remaining key lifetime (kB/sec): (3914752/10630)

         IV size: 8 bytes

         replay detection support: Y

         Anti replay bitmap:

          0x00000000 0x00000001
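An added check, not from the thread, that reads `show crypto ipsec sa` output of the shape posted above and flags a crypto map entry whose counters move in one direction only (the second entry above has encaps 5009 and decaps 0, the classic one-way symptom). The sample text is constructed with documentation addresses; the field names mirror the ASA output.

```python
import re

# Constructed sample shaped like "show crypto ipsec sa peer" on an ASA (documentation
# addresses): the first crypto map entry passes traffic both ways, the second only encrypts.
SAMPLE_SA_OUTPUT = """\
peer address: 192.0.2.68
    Crypto map tag: outside_map, seq num: 40, local addr: 198.51.100.250
      local ident (addr/mask/prot/port): (198.51.100.130/255.255.255.255/0/0)
      remote ident (addr/mask/prot/port): (172.16.0.0/255.255.0.0/0/0)
      #pkts encaps: 6356, #pkts encrypt: 6356, #pkts digest: 6356
      #pkts decaps: 5912, #pkts decrypt: 5910, #pkts verify: 5910
      #send errors: 0, #recv errors: 2
    Crypto map tag: outside_map, seq num: 40, local addr: 198.51.100.250
      local ident (addr/mask/prot/port): (198.51.100.130/255.255.255.255/0/0)
      remote ident (addr/mask/prot/port): (172.17.0.0/255.255.0.0/0/0)
      #pkts encaps: 5009, #pkts encrypt: 5009, #pkts digest: 5009
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #send errors: 0, #recv errors: 0
"""

SA_HEADER = re.compile(r"Crypto map tag: (\S+), seq num: (\d+), local addr: (\S+)")
IDENT = re.compile(r"(local|remote) ident \(addr/mask/prot/port\): \(([^)]*)\)")
COUNTER = re.compile(r"#pkts (encaps|decaps): (\d+)")
ERRORS = re.compile(r"#send errors: (\d+), #recv errors: (\d+)")

def parse_ipsec_sas(text):
    """Return one dict per crypto map entry: identities, encaps/decaps and error counters."""
    sas = []
    for line in text.splitlines():
        m = SA_HEADER.search(line)
        if m:
            sas.append({"map": m.group(1), "seq": int(m.group(2)), "local_addr": m.group(3),
                        "encaps": 0, "decaps": 0, "send_errors": 0, "recv_errors": 0})
            continue
        if not sas:
            continue                      # header lines before the first entry
        cur = sas[-1]
        m = IDENT.search(line)
        if m:
            cur[m.group(1) + "_ident"] = m.group(2)
        for kind, count in COUNTER.findall(line):
            cur[kind] = int(count)
        m = ERRORS.search(line)
        if m:
            cur["send_errors"], cur["recv_errors"] = int(m.group(1)), int(m.group(2))
    return sas

def one_way_sas(sas):
    """Flag entries where only one direction carries packets; returns (remote ident, note)."""
    findings = []
    for sa in sas:
        ident = sa.get("remote_ident", "?")
        if sa["encaps"] and not sa["decaps"]:
            findings.append((ident, "encrypting only: nothing comes back from the peer"))
        elif sa["decaps"] and not sa["encaps"]:
            findings.append((ident, "decrypting only: inbound traffic is never answered"))
    return findings
```

Run it against the saved output of `sh crypto ipsec sa peer <addr>`; an "encrypting only" entry points at the far side (or our own un-NAT/ACL) never returning traffic for that proxy identity.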

Hi Vinay,

nat (BlueYellowRed,Outside) static 115.X.X.130 service tcp 1XX39 1XX39 

(This was the last line which I configured for the bi-directional flow. Tried to use the Static NAT to PAT translation.)

Could you please elaborate on your exact static NAT requirement? I believe you are trying to use the same NAT IP for both PAT and static NAT, right?

Also send me the packet-tracer output for the non-working packet (the one supposed to take static NAT).

Thanks

Hi Santhosha,

To brief you on exactly what I have done till now:

1. We have a S2S VPN configuration done between our device and customer device.

2. We have used a PAT configuration, wherein all my internal subnets get PATed to this IP address and then land on the customer end.

3. This works perfectly fine without any issues.

4. Below is the configuration for that:

nat (BlueYellowRed,Outside) source dynamic INDIA obj-115.X.X.130 destination static SCE SCE

5. This works perfectly fine when the origination of traffic or tunnel is from our end.

6. Now the ask is the customer wants to originate the traffic from his end and the tunnel needs to come up and traffic needs to flow through the tunnel.

7. For this I tried out an option called Static NAT to PAT translation, which was this:

nat (BlueYellowRed,Outside) static 115.X.X.130 service tcp 1XX39 1XX39

wherein the end user would initiate traffic to one of my internal servers on port 1xx39. In this Static NAT to PAT translation I am keeping the same PAT IP 115.x.x.130 which I had used earlier for the initiation of traffic from our end.

8. Below is the output which you asked for:

# packet-tracer input Outside tcp 115.X.X.130 2000 10.X.X.52 1$

Phase: 1

Type: ROUTE-LOOKUP

Subtype: input

Result: ALLOW

Config:

Additional Information:

in   10.x.x.0       255.X.X.0   BlueYellowRed

Phase: 2

Type: ROUTE-LOOKUP

Subtype: input

Result: ALLOW

Config:

Additional Information:

in   0.0.0.0         0.0.0.0         Outside

Phase: 3

Type: ACCESS-LIST

Subtype: log

Result: DROP

Config:

access-group Outside in interface Outside

access-list Outside extended deny ip any any

Additional Information:

Forward Flow based lookup yields rule:

in  id=0x2245efb8, priority=13, domain=permit, deny=true

    hits=305348, user_data=0x1cb36200, cs_id=0x0, use_real_addr, flags=0x0, protocol=0

    src ip/id=0.0.0.0, mask=0.0.0.0, port=0

    dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

    input_ifc=Outside, output_ifc=any

Result:

input-interface: Outside

input-status: up

input-line-status: up

output-interface: BlueYellowRed

output-status: up

output-line-status: up

Action: drop

Drop-reason: (acl-drop) Flow is denied by configured rule

It looks to be dropping on the ACL, but I am not totally convinced by the output shown here..

Hi Vinay,

The static NAT/PAT rule configured is incomplete; you have not configured the inside host for this static NAT/PAT IP.

It should be:

For pre-8.3:

static (BlueYellowRed,Outside) tcp <outside-ip> <outside-port> <inside-host> <inside-port> netmask 255.255.255.255

For 8.3 and above:

object network obj-<inside-host>
   host <inside-host>
   nat (BlueYellowRed,Outside) static <outside-ip> service tcp <inside-port> <outside-port>

And for VPN traffic always run packet-tracer in the outbound direction; you can simulate traffic in the inbound direction, since the ASA always expects that traffic to be encrypted. Correct the NAT rule and collect the packet-tracer output (detailed) in the outbound direction (for the response traffic).

Thanks,

Santhosh

Hi Santhosha,

Please find the details:

object network obj-115.X.X.130

host 115.X.X.130

object network DevTestServer

nat (BlueYellowRed,Outside) static 115.X.X.130 service tcp 1XX39 1XX39

Below is the output which you asked for; I hope this helps..

d4t-fr-5550pr# packet-tracer input BlueYellowRed tcp 10.X.X.52 2XXX 172.X.X.X

Phase: 1

Type: UN-NAT

Subtype: static

Result: ALLOW

Config:

nat (BlueYellowRed,Outside) source dynamic INDIA obj-115.X.X.130 destination static SCE SCE

Additional Information:

NAT divert to egress interface Outside

Untranslate 172.X.X.167/1XX39 to 172.X.X.167/1XX39

Phase: 2

Type: ROUTE-LOOKUP

Subtype: input

Result: ALLOW

Config:

Additional Information:

in   10.X.X.0       255.X.X.X   BlueYellowRed

Phase: 3

Type: ACCESS-LIST

Subtype: log

Result: ALLOW

Config:

access-group BlueYellowRed in interface BlueYellowRed

access-list BlueYellowRed extended permit tcp object-group source3 object-group SCE object-group SCEPorts

object-group network source3

description: host

network-object host 10.X.X.52

network-object host 10.X.X.53

network-object host 10.X.X.54

network-object host 10.X.X.55

network-object host 10.X.X.56

network-object host 10.X.X.57

object-group network SCE

description: "SCE LAN"

network-object 172.X.X.0 255.X.X.X

network-object 172.X.X.0 255.X.X.X

network-object 192.X.X.0 255.X.X.X

network-object 155.X.X.0 255.X.X.X

network-object 163.X.X.0 255.X.X.X

network-object 192.X.X.0 255.X.X.X

network-object 192.X.X.0 255.X.X.X

network-object 192.X.X.0 255.X.X.X

network-object 192.X.X.0 255.X.X.X

network-object 172.X.X.0 255.X.X.X

network-object 192.X.X.0 255.X.X.X

object-group service SCEPorts tcp

description: "SCE Port"

port-object eq 1XX39

port-object eq XXXX

port-object eq XXXX

port-object eq XXXX

port-object eq XXXX

port-object eq XXXX

port-object eq XXXX

Additional Information:

Forward Flow based lookup yields rule:

in  id=0x239b8388, priority=13, domain=permit, deny=false

        hits=469, user_data=0x1cafaf80, cs_id=0x0, use_real_addr, flags=0x0, protocol=6

    src ip/id=10.X.X.52, mask=255.X.X.X, port=0

    dst ip/id=172.X.X.0, mask=255.X.X.X, port=10039, dscp=0x0

    input_ifc=BlueYellowRed, output_ifc=any

Phase: 4

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Forward Flow based lookup yields rule:

in  id=0x21455bd0, priority=0, domain=inspect-ip-options, deny=true

    hits=2403478, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0

    src ip/id=0.0.0.0, mask=0.0.0.0, port=0

    dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

    input_ifc=BlueYellowRed, output_ifc=any

Phase: 5

Type: FOVER

Subtype: standby-update

Result: ALLOW

Config:

Additional Information:

Forward Flow based lookup yields rule:

in  id=0x21427520, priority=20, domain=lu, deny=false

    hits=2436408, user_data=0x0, cs_id=0x0, flags=0x0, protocol=6

    src ip/id=0.0.0.0, mask=0.0.0.0, port=0

    dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

    input_ifc=BlueYellowRed, output_ifc=any

Phase: 6

Type: NAT

Subtype:

Result: ALLOW

Config:

nat (BlueYellowRed,Outside) source dynamic INDIA obj-115.254.8.130 destination static SCE SCE

Additional Information:

Dynamic translate 10.X.X.52/2000 to 115.X.X.130/2000

Forward Flow based lookup yields rule:

in  id=0x239a3078, priority=6, domain=nat, deny=false

    hits=177651, user_data=0x21551798, cs_id=0x0, flags=0x0, protocol=0

    src ip/id=10.X.X.0, mask=255.X.X.X, port=0

    dst ip/id=172.X.X.0, mask=255.X.X.X, port=0, dscp=0x0

    input_ifc=BlueYellowRed, output_ifc=Outside

Phase: 7

Type: VPN

Subtype: encrypt

Result: ALLOW

Config:

Additional Information:

Forward Flow based lookup yields rule:

out id=0x23eae4a0, priority=70, domain=encrypt, deny=false

    hits=3269, user_data=0x7262b1c, cs_id=0x21d9fec8, reverse, flags=0x0, protocol=0

    src ip/id=115.X.X.130, mask=255.X.X.X, port=0

    dst ip/id=172.X.X.0, mask=255.X.X.X, port=0, dscp=0x0

    input_ifc=any, output_ifc=Outside

Phase: 8

Type: NAT

Subtype: rpf-check

Result: ALLOW

Config:

nat (BlueYellowRed,Outside) source dynamic INDIA obj-115.X.X.130 destination static SCE SCE

Additional Information:

Forward Flow based lookup yields rule:

out id=0x213bac40, priority=6, domain=nat-reverse, deny=false

    hits=177617, user_data=0x2137f790, cs_id=0x0, use_real_addr, flags=0x0, protocol=0

    src ip/id=10.X.X.0, mask=255.X.X.X, port=0

    dst ip/id=172.X.X.X.0, mask=255.X.X.X, port=0, dscp=0x0

    input_ifc=BlueYellowRed, output_ifc=Outside

Phase: 9

Type: VPN

Subtype: ipsec-tunnel-flow

Result: ALLOW

Config:

Additional Information:

Reverse Flow based lookup yields rule:

in  id=0x2280f310, priority=70, domain=ipsec-tunnel-flow, deny=false

    hits=3276, user_data=0x7264a1c, cs_id=0x21d9fec8, reverse, flags=0x0, protocol=0

    src ip/id=172.X.X.0, mask=255.X.X.X, port=0

    dst ip/id=115.X.X.130, mask=255.X.X.X, port=0, dscp=0x0

    input_ifc=Outside, output_ifc=any

Phase: 10

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Reverse Flow based lookup yields rule:

in  id=0x1b2e73a0, priority=0, domain=inspect-ip-options, deny=true

    hits=3551531, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0

    src ip/id=0.0.0.0, mask=0.0.0.0, port=0

        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

    input_ifc=Outside, output_ifc=any

Phase: 11

Type: FLOW-CREATION

Subtype:

Result: ALLOW

Config:

Additional Information:

New flow created with id 4090276, packet dispatched to next module

Module information for forward flow ...

snp_fp_tracer_drop

snp_fp_inspect_ip_options

snp_fp_tcp_normalizer

snp_fp_translate

snp_fp_adjacency

snp_fp_encrypt

snp_fp_fragment

snp_ifc_stat

Module information for reverse flow ...

snp_fp_tracer_drop

snp_fp_inspect_ip_options

snp_fp_ipsec_tunnel_flow

snp_fp_translate

snp_fp_tcp_normalizer

snp_fp_adjacency

snp_fp_fragment

snp_ifc_stat

Result:

input-interface: BlueYellowRed

input-status: up

input-line-status: up

output-interface: Outside

output-status: up

output-line-status: up

Action: allow

Hi Vinay,

I still see the traffic taking the dynamic PAT rule; I don't see a host configured under the static NAT/PAT object rule:

object network DevTestServer

host 10.X.X.52<<<<<<<<<<<<<<<<<<<<<<<

nat (BlueYellowRed,Outside) static 115.X.X.130 service tcp 1XX39 1XX39

To check this using packet-tracer, the following should be the packet format:

packet-tracer input BlueYellowRed tcp 10.X.X.52 1XX39 172.X.X.X detailed

Thanks.
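An added triage helper, not from the thread, for packet-tracer outputs like the ones exchanged above: it splits a trace into phases, reports which phase dropped the packet and why, and which kind of NAT rule (dynamic PAT versus static) the NAT phase matched, which is the point Santhosh raises here. The sample trace is constructed with documentation addresses and assumed interface names.

```python
import re

# Constructed sample shaped like ASA "packet-tracer ... detailed" output (documentation
# addresses, assumed interface names): NAT matched the dynamic PAT rule, then the ACL dropped.
SAMPLE_TRACE = """\
Phase: 1
Type: NAT
Result: ALLOW
Config:
nat (inside,outside) source dynamic INSIDE_NETS obj-198.51.100.130 destination static SCE SCE
Additional Information:
Phase: 2
Type: ACCESS-LIST
Result: DROP
Config:
access-list inside extended deny ip any any
Result:
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

PHASE = re.compile(r"^Phase: (\d+)$")
FIELD = re.compile(r"^(Type|Subtype|Result): ?(.*)$")
NAT_RULE = re.compile(r"^nat \([^)]*\) (?:source )?(dynamic|static)\b")

def parse_phases(text):
    """Return one dict per phase: number, type, subtype, result and its Config: lines."""
    phases, cur, in_config = [], None, False
    for line in text.splitlines():
        if line.strip() == "Result:":         # bare 'Result:' opens the final summary block
            cur = None
        m = PHASE.match(line)
        if m:
            phases.append(cur := {"num": int(m.group(1)), "type": "", "subtype": "",
                                  "result": "", "config": []})
            in_config = False
        elif cur is not None:
            m = FIELD.match(line)
            if m:
                cur[m.group(1).lower()] = m.group(2).strip()
            elif line.startswith("Config:"):
                in_config = True
            elif line.startswith("Additional Information:") or not line.strip():
                in_config = False
            elif in_config:
                cur["config"].append(line.strip())
    return phases

def triage(text):
    """Summarise a trace: action, first dropping phase, drop reason, and the NAT rule kind
    of the last NAT/UN-NAT phase (the translation the packet actually takes)."""
    phases = parse_phases(text)
    drop = next((p for p in phases if p["result"] == "DROP"), None)
    action = re.search(r"^Action: (\w+)", text, re.M)
    reason = re.search(r"^Drop-reason: (.*)$", text, re.M)
    kinds = [NAT_RULE.match(c).group(1) for p in phases if p["type"] in ("NAT", "UN-NAT")
             for c in p["config"] if NAT_RULE.match(c)]
    return {"action": action.group(1) if action else None,
            "drop_phase": drop["type"] if drop else None,
            "drop_reason": reason.group(1) if reason else None,
            "nat_rule": kinds[-1] if kinds else None}
```

If `nat_rule` comes back as `dynamic` for a flow that is meant to use the static service rule, the object NAT entry is not being matched (here, because the object has no `host`).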

Santhosha, this Static NAT to PAT translation rule which I have put in is only for the traffic coming in, i.e. for the traffic originating from the other end of the Site to Site tunnel.

object network DevTestServer

host  10.X.X.52<<<<<<<<<<<<<<<<<<<<<<<

nat (BlueYellowRed,Outside) static 115.X.X.130 service tcp 1XX39 1XX39

I am not exactly sure if this configuration works as such.. Just for a try I have put in these configs..

Note: I have used a PAT rule for the traffic originating from my end of the S2S tunnel. Here I am the initiator of the S2S.

In the above Static NAT to PAT translation rule the other end is the initiator and I would be the responder.

Hi Vinay,

If you don't specify the inside host, how would the ASA know which inside host it should forward the traffic to?

Thanks

Santhosha, if you see my output below, I have mentioned the inside host IP:

10.x.x.52 is my inside host, to which the 115.x.x.130 IP used for the translation maps.

object network DevTestServer

host   10.X.X.52<<<<<<<<<<<<<<<<<<<<<<<

nat (BlueYellowRed,Outside) static 115.X.X.130 service tcp 1XX39 1XX39

Hi Vinay,

I was trying to explain to you why we need to specify the inside host :-)

Can you send me the packet-tracer output:

packet-tracer input BlueYellowRed tcp 10.X.X.52 1XX39 172.X.X.X detailed

Thanks

Santhosha, please find the output:

d4t-fr-5550pr# packet-tracer input BlueYellowRed tcp 10.X.X.52 10039 172.X.X

Phase: 1

Type: UN-NAT

Subtype: static

Result: ALLOW

Config:

nat (BlueYellowRed,Outside) source dynamic INDIA obj-115.X.X.130 destination static SCE SCE

Additional Information:

NAT divert to egress interface Outside

Untranslate 172.X.X.X/2000 to 172.X.X.X/2000

Phase: 2

Type: ROUTE-LOOKUP

Subtype: input

Result: ALLOW

Config:

Additional Information:

in   10.X.X.0       255.X.X.X   BlueYellowRed

Phase: 3

Type: ACCESS-LIST

Subtype: log

Result: DROP

Config:

access-group BlueYellowRed in interface BlueYellowRed

access-list BlueYellowRed extended deny ip any any

Additional Information:

Forward Flow based lookup yields rule:

in  id=0x2205c2d0, priority=13, domain=permit, deny=true

    hits=95706, user_data=0x1cb2f780, cs_id=0x0, use_real_addr, flags=0x0, protocol=0

    src ip/id=0.0.0.0, mask=0.0.0.0, port=0

    dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

    input_ifc=BlueYellowRed, output_ifc=any

Result:

input-interface: BlueYellowRed

input-status: up

input-line-status: up

output-interface: Outside

output-status: up

output-line-status: up

Action: drop

Drop-reason: (acl-drop) Flow is denied by configured rule

Hi Vinay,

What's the ASA code? Can you send "sh run" from the ASA?

Santhosha, the ASA code is Software Version 8.4(5)6.

Request you to let me know your personal ID to which I can send it across, Santhosha, rather than sharing it here..