05-11-2024 06:36 AM
I am learning how to set up a firewall and came across such a problem when trying to connect through a web browser to DMZSERV: 3. The packet is coming from an outside network. The device looks up its NAT table for necessary translations. 4. The packet is destined to the local (untranslated) address in a NAT statement. The NAT RPF drops the packet. I know my ACL names are kinda strange, but that's not the problem. I read somewhere to make 1:1 NAT and did, but still no connection. Here's my ASA config:
hostname ASAFW
enable password 4IncP7vTjpaba2aF encrypted
names
!
interface GigabitEthernet1/1
nameif OUTSIDE
security-level 5
ip address 200.200.200.1 255.255.255.0
!
interface GigabitEthernet1/2
nameif INSIDE
security-level 100
ip address 172.30.25.1 255.255.255.0
!
interface GigabitEthernet1/3
nameif DMZ
security-level 50
ip address 201.201.201.1 255.255.255.0
!
interface GigabitEthernet1/4
no nameif
no security-level
no ip address
shutdown
!
interface GigabitEthernet1/5
no nameif
no security-level
no ip address
shutdown
!
interface GigabitEthernet1/6
no nameif
no security-level
no ip address
shutdown
!
interface GigabitEthernet1/7
no nameif
no security-level
no ip address
shutdown
!
interface GigabitEthernet1/8
no nameif
no security-level
no ip address
shutdown
!
interface Management1/1
management-only
no nameif
no security-level
no ip address
shutdown
!
object network DMZ
subnet 201.201.201.0 255.255.255.0
nat (DMZ,OUTSIDE) dynamic interface
object network DMZSERV
host 201.201.201.2
nat (DMZ,OUTSIDE) static 200.200.200.1
object network NAT
subnet 172.30.25.0 255.255.255.0
nat (INSIDE,OUTSIDE) dynamic interface
object network WEB
host 202.202.202.2
!
route OUTSIDE 0.0.0.0 0.0.0.0 200.200.200.2 1
!
access-list FOR_DMZ extended permit tcp any object DMZSERV eq www
access-list FOR_DMZ extended permit tcp any object NAT
access-list FOR_DMZ_IN extended deny icmp object DMZSERV object NAT
access-list FOR_DMZ_IN extended permit ip any any
!
!
access-group FOR_DMZ in interface OUTSIDE
access-group FOR_DMZ_IN in interface DMZ
!
!
class-map inspection_default
match default-inspection-traffic
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect tftp
!
service-policy global_policy global
!
telnet timeout 5
05-14-2024 02:52 AM
@Dmytro Chupil, did you succeed?
05-11-2024 10:48 AM
Delete below
object network DMZSERV
host 201.201.201.2
nat (DMZ,OUTSIDE) static 200.200.200.1
Add this instead
nat (dmz,outside) source static <object of real IP> <object of mapped IP>
MHM
05-11-2024 11:08 AM
Asa says unknown command at word "source"
05-11-2024 11:20 AM
Can you share screenshots
MHM
05-11-2024 11:54 AM
05-12-2024 02:29 AM - edited 05-12-2024 02:52 AM
If that's so, it can be Packet Tracer limitations.
You need to rearrange the order.
Remove all NAT and configure NAT in the order below:
Step2
object network DMZSERV
host 201.201.201.2
nat (DMZ,OUTSIDE) static 200.200.200.1
Step1
object network DMZ
subnet 201.201.201.0 255.255.255.0
nat (DMZ,OUTSIDE) dynamic interface
Then double-check with
show run nat or show nat
You always need to see the static NAT as the first NAT in the list.
MHM
05-12-2024 02:43 AM
05-12-2024 02:53 AM - edited 05-12-2024 04:28 AM
As I mentioned, in show run nat you need to see the static NAT at the top of the list; what I see is the same, the static comes after the dynamic.
Clear the config and reconfigure it again.
I edited the steps in my previous comment.
Your issue will be solved when you see the static NAT at the top of the list. Do the steps as I mentioned and try; keep in mind this is Packet Tracer and there are many limitations.
MHM
05-12-2024 03:46 AM
@MHM Cisco World, what you're saying is completely wrong. Object NAT execution order doesn't depend on the order in which objects appear in the configuration. Kindly read documentation before replying to the forum:
05-12-2024 02:02 AM - edited 05-12-2024 03:54 AM
object network DMZ
subnet 201.201.201.0 255.255.255.0
nat (DMZ,OUTSIDE) dynamic interface
object network DMZSERV
host 201.201.201.2
nat (DMZ,OUTSIDE) static 200.200.200.1
The address 200.200.200.1 belongs to the outside interface of the firewall, hence you cannot use it for static NAT like this. On the other hand, you cannot remove the static NAT statement completely, because the dynamic NAT rule for the subnet will come into play, and if you access 201.201.201.2 without NAT, the packet to 201.201.201.2 would be dropped by the NAT RPF check (what you observed earlier). So, you have two options here: 1) either choose another IP address for static NAT (e.g. 200.200.200.11) or 2) do port redirection if you need to publish a single port on the outside, e.g.:
object network DMZSERV
host 201.201.201.2
nat (DMZ,OUTSIDE) static interface service tcp 443 443
In this case a single TCP port is allocated on the outside interface IP address.
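The rule-ordering dispute and the NAT RPF drop discussed in this thread, as an added Python model that is not from the thread or from Cisco. It assumes Cisco's documented auto (Section 2) NAT order, static before dynamic, then fewer real addresses, then lower real address, and uses constructed rule dicts built from the poster's objects (with the suggested 200.200.200.11 fix and the port-redirection alternative); rule names, dict keys and sample addresses are this example's own.

```python
import ipaddress

OUTSIDE_IP = "200.200.200.1"  # outside interface address from the thread

def order_auto_nat(rules):
    """Evaluation order of object NAT rules: static first, then smaller real
    ranges, then lower real address, then name; config order is irrelevant."""
    def key(r):
        net = ipaddress.ip_network(r["real"])
        return (0 if r["kind"] == "static" else 1,
                net.num_addresses, int(net.network_address), r["name"])
    return sorted(rules, key=key)

def mapped_ip(rule):
    """'interface' means the egress interface address, as on the ASA."""
    return OUTSIDE_IP if rule["mapped"] == "interface" else rule["mapped"]

def inbound_lookup(rules, dst_ip, dst_port=None):
    """Classify a packet arriving on OUTSIDE for dst_ip:dst_port."""
    ordered = order_auto_nat(rules)
    # 1. Destination matches a static rule's mapped address (and mapped port,
    #    if the rule is a port redirection): untranslate to the real host.
    for r in ordered:
        if r["kind"] != "static" or mapped_ip(r) != dst_ip:
            continue
        svc = r.get("service")
        if svc is None or svc["mapped_port"] == dst_port:
            real_port = dst_port if svc is None else svc["real_port"]
            return ("translate", r["real"].split("/")[0], real_port)
    # 2. Destination is the real (untranslated) address of a host covered by
    #    any NAT rule: the NAT RPF check drops it (the poster's error).
    ip = ipaddress.ip_address(dst_ip)
    for r in ordered:
        if ip in ipaddress.ip_network(r["real"]):
            return ("drop-rpf", r["name"], dst_port)
    return ("route", dst_ip, dst_port)

# Constructed rule set: the poster's dynamic rules plus the fix suggested in
# the thread (static to a free address, 200.200.200.11), in config order.
RULES = [
    {"name": "DMZ", "kind": "dynamic", "real": "201.201.201.0/24", "mapped": "interface"},
    {"name": "DMZSERV", "kind": "static", "real": "201.201.201.2/32", "mapped": "200.200.200.11"},
    {"name": "NAT", "kind": "dynamic", "real": "172.30.25.0/24", "mapped": "interface"},
]
# Alternative from the thread: port redirection on the interface address.
PORT_REDIRECT = [RULES[0], RULES[2], {"name": "DMZSERV", "kind": "static",
    "real": "201.201.201.2/32", "mapped": "interface",
    "service": {"proto": "tcp", "real_port": 443, "mapped_port": 443}}]
```

Running `order_auto_nat` on the rules in any input order yields DMZSERV, NAT, DMZ, and a packet sent to 201.201.201.2 directly is classified as an RPF drop while one sent to 200.200.200.11 is untranslated to the DMZ host.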
05-12-2024 02:35 AM
05-12-2024 03:40 AM
1. If you changed to 200.200.200.11 and still see the error, provide packet-tracer output.
I don't see the "interface" keyword in the screenshot.
05-12-2024 03:59 AM
About the first point, could you specify what to do, because I do not fully understand you.
05-13-2024 04:54 AM
@Dmytro Chupil, which version are you running (show ver)? Because static NAT to "interface" should work just fine. Below is from my test ASA:
ASA(config)# object network obj-1.1.1.1
ASA(config-network-object)# nat (inside,outside) ?
network-object mode commands/options:
dynamic Specify NAT type as dynamic
static Specify NAT type as static
configure mode commands/options:
<1-2147483647> Position of NAT rule within before auto section
after-auto Insert NAT rule after auto section
source Source NAT parameters
ASA(config-network-object)# nat (inside,outside) static ?
network-object mode commands/options:
A.B.C.D Mapped IP address
WORD Mapped network object/object-group name
X:X:X:X::X/<0-128> Enter an IPv6 prefix
interface Use interface address as mapped IP
ASA(config-network-object)# nat (inside,outside) static interface ?
network-object mode commands/options:
dns Use the created xlate to rewrite DNS record
ipv6 Use IPv6 address(es) as mapped IP(s)
net-to-net Use Net to net mapping of IPv4 to IPv6 address(es)
no-proxy-arp Disable proxy ARP on the egress interface
route-lookup Perform route lookup for this rule
service Define port mapping
<cr>
ASA(config-network-object)# nat (inside,outside) static interface service ?
network-object mode commands/options:
sctp SCTP to be used as transport protocol
tcp TCP to be used as transport protocol
udp UDP to be used as transport protocol
ASA(config-network-object)# nat (inside,outside) static interface service tcp 80 80
Packet-tracer:
packet-tracer input OUTSIDE tcp 1.2.3.4 12345 200.200.200.11 80 detail
Above is for the following case:
object network DMZSERV
host 201.201.201.2
nat (DMZ,OUTSIDE) static 200.200.200.11
The packet-tracer will generate a packet with the 1.2.3.4/12345 as a source and 200.200.200.11/80 as a destination and display how software processes it.
HTH
05-13-2024 05:14 AM