Static NAT doesn't seem to work

Unanswered Question
Oct 21st, 2007

Hi,


I'm trying to create a static NAT for an outside server to access an inside server

static (inside,outside) a.b.c.d 1.2.3.4 netmask 255.255.255.255


The xlate table shows that the static NAT took place.


Packet capture shows the destination IP address becomes 0.0.0.0, which really puzzles me.

Is someone able to shed some light on this?


Thanks


/chunsing

-----------------------------

ASA# sh cap ACS trace

42 packets captured

1: 10:58:57.102732 <IP_Addr_of_ext_svr>.2406 > a.b.c.d.1645: udp 54

<...truncated ...>

Phase: 3

Type: ACCESS-LIST

Subtype: log

Result: ALLOW

Config:

access-group outside_in in interface outside

access-list outside_in extended permit ip object-group EJPROXY_SVRS host a.b.c.d

object-group network EJPROXY_SVRS

network-object host <IP_Addr_of_ext_svr>

Additional Information:

Forward Flow based lookup yields rule:

in id=0x4666550, priority=12, domain=permit, deny=false

hits=7, user_data=0x45a8278, cs_id=0x0, flags=0x0, protocol=0

src ip=<IP_Addr_of_ext_svr>, mask=255.255.255.255, port=0

dst ip=a.b.c.d, mask=255.255.255.255, port=0

<...truncated ...>

Phase: 5

Type: CAPTURE

Subtype:

Result: ALLOW

Config:

Additional Information:

Forward Flow based lookup yields rule:

in id=0x3e43060, priority=12, domain=capture, deny=false

hits=1, user_data=0x4596d30, cs_id=0x461cf98, reverse, flags=0x0, protocol=0

src ip=<IP_Addr_of_ext_svr>, mask=255.255.255.255, port=0

dst ip=0.0.0.0, mask=0.0.0.0, port=0 *****dst IP becomes 0.0.0.0******

-----------------------------

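As an added example (not part of the original thread, and not Cisco's code), here is a small Python parser for the per-phase trace output quoted above. It pulls out each phase's Type, Result and the classifier rule that the forward-flow lookup matched, and renders the rule's ip/mask pairs as networks, so a rule field of `ip=0.0.0.0, mask=0.0.0.0` is reported as `any`, the wildcard match criterion of the rule (in the CAPTURE phase, the capture's own match rule), rather than as an address. The two sample traces are constructed in the same format with RFC 5737 documentation addresses standing in for the post's placeholders; the DROP sample is constructed to show how a denied phase and its `Drop-reason` line are reported.

```python
"""Parse the per-phase trace Cisco ASA prints for `show capture <name> trace` /
`packet-tracer`, and report which classifier rule each phase matched.
Added example, not from the thread or from Cisco; samples are constructed."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed in the format quoted in the post; RFC 5737 addresses stand in for
# the post's placeholders (198.51.100.20 = outside server, 203.0.113.10 = mapped IP).
SAMPLE_ALLOW = """\
Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-list outside_in extended permit ip object-group EJPROXY_SVRS host 203.0.113.10
Additional Information:
Forward Flow based lookup yields rule:
in id=0x4666550, priority=12, domain=permit, deny=false
src ip=198.51.100.20, mask=255.255.255.255, port=0
dst ip=203.0.113.10, mask=255.255.255.255, port=0

Phase: 5
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x3e43060, priority=12, domain=capture, deny=false
src ip=198.51.100.20, mask=255.255.255.255, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0
"""

# Constructed: a phase in which the implicit deny at the end of the ACL drops the packet.
SAMPLE_DROP = """\
Phase: 3
Type: ACCESS-LIST
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x4643ad8, priority=11, domain=permit, deny=true
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

@dataclass
class Phase:
    number: int
    ptype: str
    result: str
    domain: Optional[str] = None
    deny: Optional[bool] = None
    src: Optional[ipaddress.IPv4Network] = None   # rule match field, not a packet address
    dst: Optional[ipaddress.IPv4Network] = None
    drop_reason: Optional[str] = None

# "[ \t]*" rather than "\s*": an empty "Subtype:" line must not swallow the next line.
_FIELD = re.compile(r"^(Phase|Type|Subtype|Result|Drop-reason):[ \t]*(.*)$", re.M)
_RULE = re.compile(r"domain=(\w+), deny=(true|false)")
_ADDR = re.compile(r"^(src|dst) ip=(\S+), mask=(\S+), port=\d+$", re.M)

def parse_trace(text: str) -> List[Phase]:
    phases = []
    for block in re.split(r"(?m)^(?=Phase:[ \t]*\d+)", text):   # one block per phase
        if not block.startswith("Phase:"):
            continue
        fields = dict(_FIELD.findall(block))
        ph = Phase(int(fields["Phase"]), fields.get("Type", ""), fields.get("Result", ""),
                   drop_reason=fields.get("Drop-reason"))
        m = _RULE.search(block)
        if m:
            ph.domain, ph.deny = m.group(1), m.group(2) == "true"
        for which, ip, mask in _ADDR.findall(block):
            # ip=0.0.0.0/mask=0.0.0.0 is the wildcard 0.0.0.0/0 ("any"), not a rewrite.
            setattr(ph, which, ipaddress.IPv4Network((ip, mask), strict=False))
        phases.append(ph)
    return phases

def _show(net: Optional[ipaddress.IPv4Network]) -> str:
    if net is None:
        return "-"
    return "any" if net.prefixlen == 0 else str(net)

def describe(ph: Phase) -> str:
    rule = f"{ph.domain} rule src {_show(ph.src)} dst {_show(ph.dst)}" if ph.domain else "no rule"
    line = f"Phase {ph.number} {ph.ptype}: {ph.result} ({rule})"
    return line + (f" -- {ph.drop_reason}" if ph.drop_reason else "")

def verdict(phases: List[Phase]) -> str:
    for ph in phases:   # the first DROP decides; otherwise the packet was forwarded
        if ph.result == "DROP":
            return f"DROP at phase {ph.number} ({ph.ptype}): {ph.drop_reason or 'no reason given'}"
    return "ALLOW"
```

Run `parse_trace()` over the text of a real `show capture <name> trace` or `packet-tracer` output and print `describe()` for each phase; the thing to look for is a phase whose Result is DROP and its Drop-reason, while an `any` in a rule's src or dst field only says what that rule matches.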
JORGE RODRIGUEZ Mon, 10/22/2007 - 08:17

Hi Chun, a few questions for you.


1- Do you have any other static working or is it only this static that does not work?

2- Make sure the inside host does not have a firewall turned on.

3- Make sure the host is listening on the ports you have indicated in your access-list for this static NAT translation.


Could you post the output of the following:


If running code 6.x

"show sysopt "


if running 7.x,8.x

"show running-config sysopt "



chunsingkerk Tue, 10/23/2007 - 18:57

Hi Jorgemcse,


Thanks for your reply.

1) This is the only static that isn't working.


2 & 3) The inside host doesn't have a firewall and is able to respond to requests from other internal hosts.


ICES-ASA# show running-config sysopt

no sysopt connection timewait

sysopt connection tcpmss 1380

sysopt connection tcpmss minimum 0

no sysopt nodnsalias inbound

no sysopt nodnsalias outbound

no sysopt radius ignore-secret

sysopt connection permit-vpn

ICES-ASA#


JORGE RODRIGUEZ Tue, 10/23/2007 - 21:03

I suspected something else with the sysopt output. Are you allowing TCP ports or IP services? I think the problem could be in your ACL allowing IP instead of TCP services.


e.g. I labbed this out by defining an outside group called vendor_group with their foreign IP addresses, then defined a TCP service group called TEST_GROUP allowing domain, ftp, rdp TCP services to access inside host a.b.c.d. The ACL should be:

access-list outside_in extended permit tcp object-group OUtside_Vendor host a.b.c.d object-group TEST_GROUP

access-group outside_in in interface outside


Or something along these lines: define the outside hosts in your network object group, and define the TCP services object group to be allowed.


chunsingkerk Tue, 10/23/2007 - 21:51

Hi, I have checked my ACL and it is the same as your suggestion:


--------------

access-list outside_in extended permit udp object-group EJPROXY_SVRS host a.b.c.d eq radius


object-group network EJPROXY_SVRS

network-object host

network-object host

---------------


Doing a "show access-list outside_in" indicates that the ACL is matched.


I've done a permit any-any but it still doesn't work.

JORGE RODRIGUEZ Tue, 10/23/2007 - 22:09

How is the static NAT translation configured? Does it have a unique public IP for the inside host?

For the sake of testing, create a TCP RDP ACL and test from outside by doing "telnet PublicIP 3389" to see if you can reach it.

JORGE RODRIGUEZ Tue, 10/23/2007 - 22:30

Your ACL is still UDP instead of TCP. It depends on what the server is listening on; if you do a netstat on the server you will note TCP listening ports, not UDP, and that could be the reason you're not hitting it.

chunsingkerk Wed, 10/24/2007 - 05:50

Hi Jorgemcse,


Thanks for your assistance. The server is listening for RADIUS on 1645/udp rather than TCP. As suggested, I've verified this using netstat.


In fact, I've done a permit ip any-any, which should include all UDP and TCP packets, but the server is not receiving the packets.


There is a unique public NAT for the internal server as well. I believe the flow breaks after the translation (outside to inside), where the destination IP address becomes 0.0.0.0, hence the packet goes back out the outside interface (the default route is to the outside interface).


thanks
