Multiple Global to a Single Local IP

Unanswered Question
Dec 22nd, 2008

Hello,

I have the ASA configured and everything is working fine. But whenever I add a static policy NAT, it stops my computer from communicating on port 3101 (TCP). When I take it out everything works fine. I would like to translate one local address to multiple global addresses. Below are the commands and the real-time log. How can I make it work? Is there any other approach? Your help is greatly appreciated.

access-list policy_nat_1 extended permit ip host 10.1.1.1 any

access-list policy_nat_2 extended permit ip host 10.1.1.1 any

static (inside,outside) 10.1.1.1 access-list policy_nat_1

static (inside,outside) 10.198.8.40 access-list policy_nat_2

Real Time Log

Built outbound TCP connection 178629733 for outside: 20.2.2.2/3101 (206.51.26.33/3101) to inside:10.20.0.68/3955 (10.1.1.1/3955)

Teardown TCP connection 178624695 for outside:20.2.2.2/3101 to inside:10.1.1.1/3925 duration 0:00:30 bytes 0 SYN Timeout

JORGE RODRIGUEZ Mon, 12/22/2008 - 20:25

Could you provide more information? Are you trying to use the same inbound TCP port? Let us know otherwise.

inside IP host 10.1.1.1

Assume outside global addresses are 10.198.8.40 , 10.198.8.41 , 10.198.8.42

Target TCP port 3101 on 10.1.1.1

Your static policy NAT

static (inside,outside) 10.198.8.40 access-list policy_nat_1

static (inside,outside) 10.198.8.41 access-list policy_nat_2

static (inside,outside) 10.198.8.42 access-list policy_nat_3

Your policy NAT ACL

access-list policy_nat_1 extended permit ip host 10.1.1.1 any

access-list policy_nat_2 extended permit ip host 10.1.1.1 any

access-list policy_nat_3 extended permit ip host 10.1.1.1 any

Your outside inbound ACL

access-list outside_access_in extended permit tcp any host 10.198.8.40 eq 3101 log

access-list outside_access_in extended permit tcp any host 10.198.8.41 eq 3101 log

access-list outside_access_in extended permit tcp any host 10.198.8.42 eq 3101 log

Regards

PLS rate helpful posts

allen.malanda_2 Tue, 12/23/2008 - 06:25

The static NAT is set up for a site-to-site VPN. My problem is that whenever I add the static policy NAT, it stops my server from communicating with host 204.18.8.3 on port 3101. I have an outbound rule created for this traffic. If I remove the static policy NAT, the traffic to host 204.18.8.3 on port 3101 works fine. Somehow the static NAT is breaking the traffic to that host. Please let me know if I was clear enough.

Thanks,

JORGE RODRIGUEZ Tue, 12/23/2008 - 06:51

Thanks for the additional information. Without seeing the config it is hard to see what could be breaking the traffic flow: NAT rules, global rules, etc.

ROBERTO TACCON Wed, 12/24/2008 - 05:37

Hi,

- Have you debugged the NAT on the FW?

- Have you checked the NAT before and after you configure the policy NAT?

Try to use:

sh xlate debug

sh xlate debug | i "IP_address"

allen.malanda_2 Wed, 12/24/2008 - 06:10

I have never debugged NAT on the ASA before. This is a very strange problem because I can access ports 443 and 80, etc., but I cannot access port 3101.

JORGE RODRIGUEZ Wed, 12/24/2008 - 12:00

Allen, can you also please post any relevant real-time ASDM logs when trying to access the server on that port. I'll take a look at the config carefully.

Regards

allen.malanda_2 Mon, 12/29/2008 - 06:26

Thank you very much. Below is the real-time log when I initiate the session from my laptop.

REAL TIME LOG

-----------------------

6|Dec 29 2008|09:21:54|302013|206.51.26.33|3101|10.1.1.1|2604|Built outbound TCP connection 185635064 for outside:206.51.26.33/3101 (206.51.26.33/3101) to inside:10.1.1.1/2604 (10.198.8.40/2604)

6|Dec 29 2008|09:20:56|302014|206.51.26.33|3101|10.1.1.1|2581|Teardown TCP connection 185632176 for outside:206.51.26.33/3101 to inside:10.1.1.1/2581 duration 0:00:30 bytes 0 SYN Timeout

6|Dec 29 2008|09:20:26|302013|206.51.26.33|3101|10.1.1.1|2581|Built outbound TCP connection 185632176 for outside:206.51.26.33/3101 (206.51.26.33/3101) to inside:10.1.1.1/2581 (10.198.8.40/2581)

6|Dec 29 2008|09:18:19|302014|206.51.26.33|3101|10.1.1.1|2545|Teardown TCP connection 185625989 for outside:206.51.26.33/3101 to inside:10.1.1.1/2545 duration 0:00:30 bytes 0 SYN Timeout

6|Dec 29 2008|09:10:36|302014|206.51.26.33|3101|10.1.1.1|2440|Teardown TCP connection 185609323 for outside:206.51.26.33/3101 to inside:10.1.1.1/2440 duration 0:00:30 bytes 0 SYN Timeout

6|Dec 29 2008|09:10:06|302013|206.51.26.33|3101|10.1.1.1|2440|Built outbound TCP connection 185609323 for outside:206.51.26.33/3101 (206.51.26.33/3101) to inside:10.1.1.1/2440 (10.198.8.40/2440)
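To read a log like the one above systematically, here is an added example (not from the thread or from Cisco) that parses the pipe-delimited ASDM export, pairs each 302013 Built record with its 302014 Teardown by connection id, and reports which flows from the real inside address left under a different mapped address and which of those died with a zero-byte SYN Timeout. The sample lines are constructed in the shape of the ones posted here.

```python
import re

# Constructed sample in the shape of the ASDM real-time log posted in this thread
# (pipe-delimited: severity|date|time|msgid|src|sport|dst|dport|message text).
SAMPLE_LOG = """\
6|Dec 29 2008|09:21:54|302013|206.51.26.33|3101|10.1.1.1|2604|Built outbound TCP connection 185635064 for outside:206.51.26.33/3101 (206.51.26.33/3101) to inside:10.1.1.1/2604 (10.198.8.40/2604)
6|Dec 29 2008|09:20:56|302014|206.51.26.33|3101|10.1.1.1|2581|Teardown TCP connection 185632176 for outside:206.51.26.33/3101 to inside:10.1.1.1/2581 duration 0:00:30 bytes 0 SYN Timeout
6|Dec 29 2008|09:20:26|302013|206.51.26.33|3101|10.1.1.1|2581|Built outbound TCP connection 185632176 for outside:206.51.26.33/3101 (206.51.26.33/3101) to inside:10.1.1.1/2581 (10.198.8.40/2581)
"""

# 302013: the address in parentheses after each endpoint is the mapped (xlate) address.
BUILT_RE = re.compile(
    r"Built outbound TCP connection (?P<conn>\d+) for "
    r"\w+:(?P<out_ip>[\d.]+)/(?P<out_port>\d+) \([\d.]+/\d+\) to "
    r"\w+:(?P<in_ip>[\d.]+)/\d+ \((?P<xlate_ip>[\d.]+)/\d+\)")
# 302014: duration, byte count and teardown reason trail the endpoints.
TEARDOWN_RE = re.compile(
    r"Teardown TCP connection (?P<conn>\d+) for .* duration [\d:]+ "
    r"bytes (?P<bytes>\d+)(?: (?P<reason>.+))?$")

def correlate(text):
    """Pair each Built record with its Teardown by connection id (log order is irrelevant)."""
    conns = {}
    for line in text.splitlines():
        parts = line.split("|", 8)
        if len(parts) != 9:
            continue  # not an ASDM export line
        msgid, msg = parts[3], parts[8]
        m = BUILT_RE.search(msg) if msgid == "302013" else None
        if m:
            conns.setdefault(m["conn"], {}).update(
                in_ip=m["in_ip"], xlate_ip=m["xlate_ip"],
                out_ip=m["out_ip"], out_port=int(m["out_port"]))
        m = TEARDOWN_RE.search(msg) if msgid == "302014" else None
        if m:
            conns.setdefault(m["conn"], {}).update(
                bytes=int(m["bytes"]), reason=m["reason"] or "")
    return conns

def syn_timeouts(conns):
    """Flows built, then torn down with 0 bytes and SYN Timeout: no reply ever matched."""
    return {cid: c for cid, c in conns.items()
            if c.get("reason") == "SYN Timeout" and c.get("bytes") == 0}

def translated_flows(conns, real_ip):
    """Connections from real_ip that left under a different mapped address (the NAT hit)."""
    return {cid: c["xlate_ip"] for cid, c in conns.items()
            if c.get("in_ip") == real_ip and c.get("xlate_ip") not in (None, real_ip)}
```

Comparing `translated_flows(correlate(log), "10.1.1.1")` before and after adding the static policy NAT shows directly whether the port 3101 flows changed their mapped address.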

alex.rosa Mon, 12/29/2008 - 14:08

Have you tried running clear xlate and clear nat after changing the rule?

cisco24x7 Mon, 12/29/2008 - 14:37

There is a KNOWN issue with clear xlate, according to CSCee2689. You need to use "clear localhost" instead, depending on the code version.
