Multiple Global to a Single Local IP

Unanswered Question
Dec 22nd, 2008

Hello,


I have the ASA configured and everything is working fine. But whenever I add a static policy NAT, it stops my computer from communicating on port 3101 (TCP). When I take it out everything works fine. I would like to translate one local address to multiple global addresses. Below are the commands and the real-time log. How can I make it work? Is there any other approach? Your help is greatly appreciated.


access-list policy_nat_1 extended permit ip host 10.1.1.1 any

access-list policy_nat_2 extended permit ip host 10.1.1.1 any


static (inside,outside) 10.1.1.1 access-list policy_nat_1

static (inside,outside) 10.198.8.40 access-list policy_nat_2


Real Time Log


Built outbound TCP connection 178629733 for outside: 20.2.2.2/3101 (206.51.26.33/3101) to inside:10.20.0.68/3955 (10.1.1.1/3955)

Teardown TCP connection 178624695 for outside:20.2.2.2/3101 to inside:10.1.1.1/3925 duration 0:00:30 bytes 0 SYN Timeout

JORGE RODRIGUEZ Mon, 12/22/2008 - 20:25

Could you provide more information? Are you trying to use the same inbound TCP port? Let us know otherwise.



inside IP host 10.1.1.1

Assume outside global addresses are 10.198.8.40 , 10.198.8.41 , 10.198.8.42

Target TCP port 3101 on 10.1.1.1




Your static Policy nat


static (inside,outside) 10.198.8.40 access-list policy_nat_1

static (inside,outside) 10.198.8.41 access-list policy_nat_2

static (inside,outside) 10.198.8.42 access-list policy_nat_3


your policy nat acl

access-list policy_nat_1 extended permit ip host 10.1.1.1 any

access-list policy_nat_2 extended permit ip host 10.1.1.1 any

access-list policy_nat_3 extended permit ip host 10.1.1.1 any



your outside inbound acl

access-list outside_access_in extended permit tcp any host 10.198.8.40 eq 3101 log

access-list outside_access_in extended permit tcp any host 10.198.8.41 eq 3101 log

access-list outside_access_in extended permit tcp any host 10.198.8.42 eq 3101 log




Regards


PLS rate helpful posts
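An added example, not part of the thread or any Cisco tool: a small linter for the pre-8.3 `static ... access-list` syntax used in this reply. It assumes (labelled in the code) that the ASA evaluates static statements in configuration order and uses the first whose ACL matches, so when several policy NAT ACLs for the same real host all say `any`, only the first static ever translates traffic and the later global addresses are never used. The sample configuration is the one proposed above; `covers`, `find_shadowed` and `parse_config` are names chosen here.

```python
"""Flag policy-NAT static statements whose ACL is fully covered by an earlier static.

Assumption (not stated in the thread): pre-8.3 ASA code walks `static` statements
in configuration order and takes the first match, so a later static whose ACL
matches only what an earlier one already matches is shadowed.
"""
import re
from collections import defaultdict

# Constructed sample: the configuration proposed in the reply above.
SAMPLE_CONFIG = """\
access-list policy_nat_1 extended permit ip host 10.1.1.1 any
access-list policy_nat_2 extended permit ip host 10.1.1.1 any
access-list policy_nat_3 extended permit ip host 10.1.1.1 any
static (inside,outside) 10.198.8.40 access-list policy_nat_1
static (inside,outside) 10.198.8.41 access-list policy_nat_2
static (inside,outside) 10.198.8.42 access-list policy_nat_3
"""

# Only the subset of ACE syntax used on this page: permit <proto> host <real> (host <dst>|any) [eq <port>]
ACL_RE = re.compile(
    r"^access-list (\S+) extended permit (\S+) host (\S+) (?:host (\S+)|(any))(?: eq (\S+))?")
STATIC_RE = re.compile(r"^static \((\S+),(\S+)\) (\S+) access-list (\S+)")


def parse_config(text):
    """Return (acls, statics): ACE tuples per ACL name, and statics in config order."""
    acls = defaultdict(list)   # name -> [(proto, real_host, dest, port)]
    statics = []
    for line in text.splitlines():
        m = ACL_RE.match(line)
        if m:
            name, proto, real, dest_host, dest_any, port = m.groups()
            acls[name].append((proto, real, dest_host or dest_any, port))
            continue
        m = STATIC_RE.match(line)
        if m:
            real_if, mapped_if, mapped, acl = m.groups()
            statics.append({"interfaces": (real_if, mapped_if), "mapped": mapped, "acl": acl})
    return acls, statics


def covers(earlier, later):
    """True when ACE `earlier` matches every packet ACE `later` would match (conservative check)."""
    e_proto, e_real, e_dest, e_port = earlier
    l_proto, l_real, l_dest, l_port = later
    if e_real != l_real:
        return False
    if e_proto not in ("ip", l_proto):          # 'ip' covers tcp/udp; otherwise protocols must agree
        return False
    if e_dest not in ("any", l_dest):           # 'any' covers a specific host; otherwise hosts must agree
        return False
    if e_port is not None and e_port != l_port:  # a port-specific ACE only covers the same port
        return False
    return True


def find_shadowed(text):
    """List (mapped, acl, shadowed_by_mapped, shadowed_by_acl) for statics that can never match."""
    acls, statics = parse_config(text)
    findings = []
    for i, st in enumerate(statics):
        later_aces = acls[st["acl"]]
        for prev in statics[:i]:
            if prev["interfaces"] != st["interfaces"]:
                continue
            earlier_aces = acls[prev["acl"]]
            if later_aces and all(any(covers(e, l) for e in earlier_aces) for l in later_aces):
                findings.append((st["mapped"], st["acl"], prev["mapped"], prev["acl"]))
                break
    return findings


if __name__ == "__main__":
    for mapped, acl, by_mapped, by_acl in find_shadowed(SAMPLE_CONFIG):
        print(f"static {mapped} ({acl}) is shadowed by static {by_mapped} ({by_acl})")
```

Run against the sample, the linter reports that the statics for 10.198.8.41 and 10.198.8.42 are shadowed by the 10.198.8.40 static, because all three ACLs match the same source host and any destination. Making the three ACLs disjoint (for example by destination host) is what would let each global address actually be selected.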

allen.malanda_2 Tue, 12/23/2008 - 06:25

The static NAT is set up for a site-to-site VPN. My problem is that whenever I add the static policy NAT, it stops my server from communicating with host 204.18.8.3 on port 3101. I have an outbound rule created for this traffic. If I remove the static policy NAT, the traffic to host 204.18.8.3 on port 3101 works fine. Somehow the static NAT is breaking the traffic to that host. Please let me know if I was clear enough.


Thanks,


JORGE RODRIGUEZ Tue, 12/23/2008 - 06:51

Thanks for the additional information. Without seeing the config it is hard to see what could be breaking the traffic flow: NAT rules, global rules, etc.

ROBERTO TACCON Wed, 12/24/2008 - 05:37

Hi,


- Have you debugged the NAT on the FW?

- Did you check the NAT before and after you configured the policy NAT?


Try to use:


sh xlate debug


sh xlate debug | i "IP_address"

allen.malanda_2 Wed, 12/24/2008 - 06:10

I have never debugged NAT on the ASA before. This is a very strange problem because I can access ports 443 and 80, etc., but I cannot access port 3101.

JORGE RODRIGUEZ Wed, 12/24/2008 - 12:00

Allen, can you also please post any relevant real-time ASDM logs when trying to access the server on that port? I'll take a look at the config carefully.


Regards


allen.malanda_2 Mon, 12/29/2008 - 06:26

Thank you very much. Below is the real-time log when I initiate the session from my laptop.


REAL TIME LOG

-----------------------


6|Dec 29 2008|09:21:54|302013|206.51.26.33|3101|10.1.1.1|2604|Built outbound TCP connection 185635064 for outside:206.51.26.33/3101 (206.51.26.33/3101) to inside:10.1.1.1/2604 (10.198.8.40/2604)

6|Dec 29 2008|09:20:56|302014|206.51.26.33|3101|10.1.1.1|2581|Teardown TCP connection 185632176 for outside:206.51.26.33/3101 to inside:10.1.1.1/2581 duration 0:00:30 bytes 0 SYN Timeout

6|Dec 29 2008|09:20:26|302013|206.51.26.33|3101|10.1.1.1|2581|Built outbound TCP connection 185632176 for outside:206.51.26.33/3101 (206.51.26.33/3101) to inside:10.1.1.1/2581 (10.198.8.40/2581)

6|Dec 29 2008|09:18:19|302014|206.51.26.33|3101|10.1.1.1|2545|Teardown TCP connection 185625989 for outside:206.51.26.33/3101 to inside:10.1.1.1/2545 duration 0:00:30 bytes 0 SYN Timeout

6|Dec 29 2008|09:10:36|302014|206.51.26.33|3101|10.1.1.1|2440|Teardown TCP connection 185609323 for outside:206.51.26.33/3101 to inside:10.1.1.1/2440 duration 0:00:30 bytes 0 SYN Timeout

6|Dec 29 2008|09:10:06|302013|206.51.26.33|3101|10.1.1.1|2440|Built outbound TCP connection 185609323 for outside:206.51.26.33/3101 (206.51.26.33/3101) to inside:10.1.1.1/2440 (10.198.8.40/2440)
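The log above carries the whole story of each attempt in two messages: 302013 (Built) shows the real and mapped address of each side, and 302014 (Teardown) reports `bytes 0 SYN Timeout`, meaning no reply ever came back through the translation. As an added example (not part of the thread and not a Cisco tool), the script below parses that pipe-delimited ASDM export, joins Built and Teardown records by connection ID, and counts SYN timeouts per translated inside address, so you can see which NAT global address the failing sessions actually left on. The sample lines are constructed copies of three of the lines above; ASDM exports newest first, so a Teardown can precede its Built and the code collects both before joining. The function and field names are chosen here.

```python
"""Join ASA 302013/302014 messages from an ASDM real-time log export by connection ID."""
import re
from collections import Counter

# Constructed sample in the same pipe-delimited format as the export above.
SAMPLE_LOG = """\
6|Dec 29 2008|09:21:54|302013|206.51.26.33|3101|10.1.1.1|2604|Built outbound TCP connection 185635064 for outside:206.51.26.33/3101 (206.51.26.33/3101) to inside:10.1.1.1/2604 (10.198.8.40/2604)
6|Dec 29 2008|09:20:56|302014|206.51.26.33|3101|10.1.1.1|2581|Teardown TCP connection 185632176 for outside:206.51.26.33/3101 to inside:10.1.1.1/2581 duration 0:00:30 bytes 0 SYN Timeout
6|Dec 29 2008|09:20:26|302013|206.51.26.33|3101|10.1.1.1|2581|Built outbound TCP connection 185632176 for outside:206.51.26.33/3101 (206.51.26.33/3101) to inside:10.1.1.1/2581 (10.198.8.40/2581)
"""

# 302013: Built <dir> TCP connection <id> for <if>:<real>/<port> (<mapped>/<port>) to <if>:<real>/<port> (<mapped>/<port>)
BUILT_RE = re.compile(
    r"Built (inbound|outbound) TCP connection (\d+) for "
    r"(\w+):(\S+)/(\d+) \((\S+)/(\d+)\) to (\w+):(\S+)/(\d+) \((\S+)/(\d+)\)")
# 302014: Teardown TCP connection <id> for ... duration <h:m:s> bytes <n> [<reason>]
TEARDOWN_RE = re.compile(
    r"Teardown TCP connection (\d+) for .* duration (\S+) bytes (\d+)(?: (.+))?$")


def parse_line(line):
    """Split one export line into its nine pipe-delimited fields, or None if malformed."""
    fields = line.strip().split("|", 8)
    if len(fields) != 9:
        return None
    keys = ("severity", "date", "time", "msg_id", "src", "sport", "dst", "dport", "text")
    return dict(zip(keys, fields))


def correlate(log_text):
    """Return {conn_id: record} with per-interface real/mapped endpoints and the teardown reason."""
    records = {}
    teardowns = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["msg_id"] == "302013":
            m = BUILT_RE.search(rec["text"])
            if not m:
                continue
            (direction, cid, if_a, real_a, rp_a, map_a, mp_a,
             if_b, real_b, rp_b, map_b, mp_b) = m.groups()
            sides = {
                if_a: {"real": f"{real_a}/{rp_a}", "mapped": f"{map_a}/{mp_a}"},
                if_b: {"real": f"{real_b}/{rp_b}", "mapped": f"{map_b}/{mp_b}"},
            }
            records[cid] = {"conn_id": cid, "direction": direction,
                            "built_at": f"{rec['date']} {rec['time']}", "sides": sides,
                            "duration": None, "bytes": None, "reason": None}
        elif rec["msg_id"] == "302014":
            m = TEARDOWN_RE.search(rec["text"])
            if m:
                cid, duration, nbytes, reason = m.groups()
                teardowns[cid] = (duration, int(nbytes), reason)
    # The export is newest-first, so join teardowns only after every Built has been seen.
    for cid, (duration, nbytes, reason) in teardowns.items():
        if cid in records:
            records[cid].update(duration=duration, bytes=nbytes, reason=reason)
    return records


def syn_timeouts_by_mapped_addr(records, inside_if="inside"):
    """Count zero-byte SYN Timeout sessions per translated inside address (which global is failing)."""
    counts = Counter()
    for r in records.values():
        if r["reason"] == "SYN Timeout" and r["bytes"] == 0 and inside_if in r["sides"]:
            counts[r["sides"][inside_if]["mapped"].split("/")[0]] += 1
    return dict(counts)


if __name__ == "__main__":
    recs = correlate(SAMPLE_LOG)
    for r in recs.values():
        print(r["conn_id"], r["sides"], r["reason"])
    print(syn_timeouts_by_mapped_addr(recs))
```

On the sample, connection 185632176 is tied to mapped address 10.198.8.40 and ends in a zero-byte SYN Timeout, while 185635064 has no teardown yet. Run over a full export, the per-address counts show immediately whether the failures cluster on one translated address, which is the question the `sh xlate debug` suggestion earlier in the thread is also trying to answer.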



alex.rosa Mon, 12/29/2008 - 14:08

Have you tried running clear xlate and clear nat after changing the rule?

cisco24x7 Mon, 12/29/2008 - 14:37

There is a KNOWN issue with clear xlate, according to CSCee2689. You need to use "clear localhost" instead, depending on the code version.
