Multiple Global to a Single Local IP

allen.malanda_2
Level 1

Hello,

I have the ASA configured and everything is working fine. But whenever I add a static policy NAT, it stops my computer from communicating on port 3101 (TCP). When I take it out everything works fine. I would like to translate one local address to multiple global addresses. Below are the commands and the real-time log. How can I make it work? Is there any other approach? Your help is greatly appreciated.

access-list policy_nat_1 extended permit ip host 10.1.1.1 any

access-list policy_nat_2 extended permit ip host 10.1.1.1 any

static (inside,outside) 10.1.1.1 access-list policy_nat_1

static (inside,outside) 10.198.8.40 access-list policy_nat_2

Real-time log

Built outbound TCP connection 178629733 for outside: 20.2.2.2/3101 (206.51.26.33/3101) to inside:10.20.0.68/3955 (10.1.1.1/3955)

Teardown TCP connection 178624695 for outside:20.2.2.2/3101 to inside:10.1.1.1/3925 duration 0:00:30 bytes 0 SYN Timeout

13 Replies

JORGE RODRIGUEZ
Level 10

Could you provide more information? Are you trying to use the same inbound TCP port? Let us know otherwise.

inside IP host 10.1.1.1

Assume the outside global addresses are 10.198.8.40, 10.198.8.41, 10.198.8.42

Target TCP port 3101 on 10.1.1.1

Your static policy NAT

static (inside,outside) 10.198.8.40 access-list policy_nat_1

static (inside,outside) 10.198.8.41 access-list policy_nat_2

static (inside,outside) 10.198.8.42 access-list policy_nat_3

Your policy NAT ACLs

access-list policy_nat_1 extended permit ip host 10.1.1.1 any

access-list policy_nat_2 extended permit ip host 10.1.1.1 any

access-list policy_nat_3 extended permit ip host 10.1.1.1 any

Your outside inbound ACL

access-list outside_access_in extended permit tcp any host 10.198.8.40 eq 3101 log

access-list outside_access_in extended permit tcp any host 10.198.8.41 eq 3101 log

access-list outside_access_in extended permit tcp any host 10.198.8.42 eq 3101 log

Regards

Please rate helpful posts

Jorge Rodriguez

The static NAT is set up for a site-to-site VPN. My problem is that whenever I add the static policy NAT, it stops my server from communicating with host 204.18.8.3 on port 3101. I have an outbound rule created for this traffic. If I remove the static policy NAT, the traffic to host 204.18.8.3 on port 3101 works fine. Somehow the static NAT is breaking the traffic to that host. Please let me know if I was clear enough.

Thanks,

Thanks for the additional information. Without seeing the config it is hard to see what could be breaking the traffic flow: NAT rules, global rules, etc.

Jorge Rodriguez

I've attached my config file.

Thanks,

deleted

HTH, John *** Please rate all useful posts ***

Hi,

- Have you debugged the NAT on the FW?

- Did you check the NAT before and after you configured the policy NAT?

Try to use:

sh xlate debug

sh xlate debug | i "IP_address"

I have never debugged NAT on the ASA before. This is a very strange problem because I can access ports 443 and 80, etc., but I cannot access port 3101.

Ok.

Give the following commands a try:

1) sh xlate debug (to see if the NAT works for the particular port)

2) configure a capture (to sniff the traffic inside and outside)

3) contact the TAC tac@cisco.com

Allen, can you also please post any relevant real-time ASDM logs from when you try to access the server on that port? I'll take a look at the config carefully.

Regards

Jorge Rodriguez

Thank you very much. Below is the real-time log from when I initiate the session from my laptop.

REAL-TIME LOG

-----------------------

6|Dec 29 2008|09:21:54|302013|206.51.26.33|3101|10.1.1.1|2604|Built outbound TCP connection 185635064 for outside:206.51.26.33/3101 (206.51.26.33/3101) to inside:10.1.1.1/2604 (10.198.8.40/2604)

6|Dec 29 2008|09:20:56|302014|206.51.26.33|3101|10.1.1.1|2581|Teardown TCP connection 185632176 for outside:206.51.26.33/3101 to inside:10.1.1.1/2581 duration 0:00:30 bytes 0 SYN Timeout

6|Dec 29 2008|09:20:26|302013|206.51.26.33|3101|10.1.1.1|2581|Built outbound TCP connection 185632176 for outside:206.51.26.33/3101 (206.51.26.33/3101) to inside:10.1.1.1/2581 (10.198.8.40/2581)

6|Dec 29 2008|09:18:19|302014|206.51.26.33|3101|10.1.1.1|2545|Teardown TCP connection 185625989 for outside:206.51.26.33/3101 to inside:10.1.1.1/2545 duration 0:00:30 bytes 0 SYN Timeout

6|Dec 29 2008|09:10:36|302014|206.51.26.33|3101|10.1.1.1|2440|Teardown TCP connection 185609323 for outside:206.51.26.33/3101 to inside:10.1.1.1/2440 duration 0:00:30 bytes 0 SYN Timeout

6|Dec 29 2008|09:10:06|302013|206.51.26.33|3101|10.1.1.1|2440|Built outbound TCP connection 185609323 for outside:206.51.26.33/3101 (206.51.26.33/3101) to inside:10.1.1.1/2440 (10.198.8.40/2440)
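The two real-time log excerpts in this thread (the original post's and the one just above) show the same shape: a 302013 "Built outbound TCP connection" followed thirty seconds later by a 302014 "Teardown ... bytes 0 SYN Timeout", which means the ASA created the flow but never saw the peer's SYN/ACK. The Python below is an added example, not code from the thread or from Cisco: it parses the pipe-delimited ASDM lines, pairs Built and Teardown events by connection id, lists the handshakes that never completed together with the mapped inside address each flow left with, and counts outcomes per translation so that a mapping that only ever times out stands out against one that completes. It assumes the interface names `inside` and `outside` used in the poster's `static` commands; the port 3101 sample lines are copied from the posts, while the port 443 lines are constructed here to represent the "443 and 80 work" case the poster mentions.

```python
import re
from collections import defaultdict

# Constructed sample in the ASDM real-time log layout quoted in the thread
# (severity|date|time|msg id|src ip|src port|dst ip|dst port|text). The port 3101
# lines copy events from the posts; the port 443 lines are made up here.
SAMPLE_LOG = """\
6|Dec 29 2008|09:20:26|302013|206.51.26.33|3101|10.1.1.1|2581|Built outbound TCP connection 185632176 for outside:206.51.26.33/3101 (206.51.26.33/3101) to inside:10.1.1.1/2581 (10.198.8.40/2581)
6|Dec 29 2008|09:20:56|302014|206.51.26.33|3101|10.1.1.1|2581|Teardown TCP connection 185632176 for outside:206.51.26.33/3101 to inside:10.1.1.1/2581 duration 0:00:30 bytes 0 SYN Timeout
6|Dec 29 2008|09:21:54|302013|206.51.26.33|3101|10.1.1.1|2604|Built outbound TCP connection 185635064 for outside:206.51.26.33/3101 (206.51.26.33/3101) to inside:10.1.1.1/2604 (10.198.8.40/2604)
6|Dec 29 2008|09:18:19|302014|206.51.26.33|3101|10.1.1.1|2545|Teardown TCP connection 185625989 for outside:206.51.26.33/3101 to inside:10.1.1.1/2545 duration 0:00:30 bytes 0 SYN Timeout
6|Dec 29 2008|09:22:10|302013|206.51.26.33|443|10.1.1.1|2610|Built outbound TCP connection 185635100 for outside:206.51.26.33/443 (206.51.26.33/443) to inside:10.1.1.1/2610 (10.1.1.1/2610)
6|Dec 29 2008|09:23:40|302014|206.51.26.33|443|10.1.1.1|2610|Teardown TCP connection 185635100 for outside:206.51.26.33/443 to inside:10.1.1.1/2610 duration 0:01:30 bytes 8421 TCP FINs
"""

# Message bodies of ASA 302013 (Built) and 302014 (Teardown); in a Built message
# each endpoint reads interface:real_ip/real_port (mapped_ip/mapped_port).
BUILT_RE = re.compile(
    r"Built (?:inbound|outbound) TCP connection (?P<conn>\d+) for "
    r"(?P<if_a>\w+):(?P<real_a>[\d.]+)/(?P<port_a>\d+) \((?P<map_a>[\d.]+)/\d+\) to "
    r"(?P<if_b>\w+):(?P<real_b>[\d.]+)/(?P<port_b>\d+) \((?P<map_b>[\d.]+)/\d+\)"
)
TEARDOWN_RE = re.compile(
    r"Teardown TCP connection (?P<conn>\d+) for "
    r"(?P<if_a>\w+):(?P<real_a>[\d.]+)/(?P<port_a>\d+) to "
    r"(?P<if_b>\w+):(?P<real_b>[\d.]+)/(?P<port_b>\d+) "
    r"duration (?P<duration>[\d:]+) bytes (?P<bytes>\d+)(?: (?P<reason>.+))?$"
)
HANDLERS = {"302013": (BUILT_RE, "built"), "302014": (TEARDOWN_RE, "teardown")}


def parse_line(line):
    """Parse one ASDM line; None for anything that is not a 302013/302014 TCP event."""
    parts = line.strip().split("|", 8)
    if len(parts) != 9 or parts[3] not in HANDLERS:
        return None
    regex, kind = HANDLERS[parts[3]]
    m = regex.search(parts[8])
    if m is None:
        return None
    return {"kind": kind, "time": f"{parts[1]} {parts[2]}", **m.groupdict()}


def _by_interface(rec):
    """Index an event's two endpoints by interface name. The thread's firewall
    uses 'inside' and 'outside', which the functions below assume."""
    return {rec[f"if_{s}"]: {"real": rec[f"real_{s}"], "port": rec[f"port_{s}"],
                             "mapped": rec.get(f"map_{s}")} for s in ("a", "b")}


def correlate(lines):
    """Pair Built and Teardown events by the ASA connection id."""
    conns = {}
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            conns.setdefault(rec["conn"], {})[rec["kind"]] = rec
    return conns


def failed_handshakes(lines):
    """Connections torn down with 'SYN Timeout' and zero bytes: the flow was built
    but no SYN/ACK came back. inside_mapped comes from the matching Built line
    (None when that line is outside the captured window)."""
    out = []
    for conn, ev in correlate(lines).items():
        td = ev.get("teardown")
        if td is None or td["reason"] != "SYN Timeout" or int(td["bytes"]) != 0:
            continue
        sides = _by_interface(td)
        built = _by_interface(ev["built"]) if "built" in ev else {}
        out.append({"conn": conn, "time": td["time"],
                    "outside": f"{sides['outside']['real']}/{sides['outside']['port']}",
                    "inside_real": sides["inside"]["real"],
                    "inside_mapped": built.get("inside", {}).get("mapped")})
    return out


def summarize_by_translation(lines):
    """Outcome counts per (inside real ip, inside mapped ip, outside port). A mapping
    that only ever times out while another mapping to the same peer completes points
    at the translation, not the peer, as the first thing to check."""
    stats = defaultdict(lambda: {"ok": 0, "syn_timeout": 0, "open": 0})
    for ev in correlate(lines).values():
        if "built" not in ev:
            continue
        b = _by_interface(ev["built"])
        key = (b["inside"]["real"], b["inside"]["mapped"], b["outside"]["port"])
        td = ev.get("teardown")
        if td is None:
            stats[key]["open"] += 1
        elif td["reason"] == "SYN Timeout":
            stats[key]["syn_timeout"] += 1
        else:
            stats[key]["ok"] += 1
    return dict(stats)


if __name__ == "__main__":
    for f in failed_handshakes(SAMPLE_LOG.splitlines()):
        print(f"{f['time']} conn {f['conn']}: {f['inside_real']} -> {f['outside']} "
              f"left as {f['inside_mapped']}, handshake never completed")
    print(summarize_by_translation(SAMPLE_LOG.splitlines()))
```

Run against the sample, the port 3101 flows all leave as 10.198.8.40 and either time out or are still open, while the constructed port 443 flow leaves untranslated and completes normally; that is the kind of split the `sh xlate debug` and capture suggestions in the replies are meant to confirm from the firewall's own state.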

alex.rosa
Level 1

Have you tried running clear xlate and clear nat after changing the rule?

There is a KNOWN issue with clear xlate, according to CSCee2689. You need to use "clear localhost" instead, depending on the code version.

I cleared local-host entries but it's not working.
