05-21-2009 07:20 AM - edited 03-11-2019 08:35 AM
Dear All,
I have configured my two ASA 5520s with failover Active/Active and multiple context mode.
All works fine except for the policy NAT, which I have configured this way:
access-list FRTEND2_TO_SHARED extended permit tcp host 192.168.233.69 any
static (front_end_d,outside) 50.70.60.19 access-list FRTEND2_TO_SHARED
I tested the policy nat:
packet-tracer input front_end_d tcp 192.168.233.69 25 50.70.60.13 25
Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 50.70.60.0 255.255.255.192 outside
Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 4
Type: INSPECT
Subtype: inspect-smtp
Result: ALLOW
Config:
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect esmtp _default_esmtp_map
service-policy global_policy global
Additional Information:
Phase: 5
Type: FOVER
Subtype: standby-update
Result: ALLOW
Config:
Additional Information:
Phase: 6
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (front_end_d,outside) 50.70.60.19 access-list FRTEND2_TO_SHARED
nat-control
match tcp front_end_d host 192.168.233.69 outside any
static translation to 50.70.60.19/0
translate_hits = 0, untranslate_hits = 0
Additional Information:
Phase: 7
Type: NAT
Subtype:
Result: DROP
Config:
nat (front_end_d) 0 0.0.0.0 0.0.0.0
nat-control
match ip front_end_d any outside any
no translation group, implicit deny
policy_hits = 4
Additional Information:
Result:
input-interface: front_end_d
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
Why does phase 7 fail? If I use a static NAT without policy NAT, it works fine.
Thanks and Regards,
Igor.
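The trace above is long enough that the drop is easy to misread (phase 6, the policy static, is ALLOW with zero hits; the DROP comes from the catch-all nat 0 rule in phase 7). Below is an added example, not part of Igor's post or the Cisco ASA software, that parses packet-tracer output into its phases and reports which phase dropped the packet, the rule it matched, and the hit counters. The sample trace embedded in the script is constructed from the phases shown in the post, shortened to phases 1, 6 and 7; the field names are the ones packet-tracer prints on the page.

```python
"""Parse Cisco ASA packet-tracer output and pinpoint the dropping phase.

Added example (not from the thread). Works on the plain text that
`packet-tracer input ...` prints: a series of "Phase: N" blocks followed
by a final "Result:" summary.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: phases 1, 6 and 7 and the summary, copied from the
# trace in the post above (other phases omitted for brevity).
SAMPLE_TRACE = """\
Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 6
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (front_end_d,outside) 50.70.60.19 access-list FRTEND2_TO_SHARED
nat-control
match tcp front_end_d host 192.168.233.69 outside any
static translation to 50.70.60.19/0
translate_hits = 0, untranslate_hits = 0
Additional Information:
Phase: 7
Type: NAT
Subtype:
Result: DROP
Config:
nat (front_end_d) 0 0.0.0.0 0.0.0.0
nat-control
match ip front_end_d any outside any
no translation group, implicit deny
policy_hits = 4
Additional Information:
Result:
input-interface: front_end_d
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

# Header lines that packet-tracer emits inside every phase block.
PHASE_HEADERS = {"Type", "Subtype", "Result", "Config", "Additional Information"}


@dataclass
class Phase:
    number: int
    type: str = ""
    subtype: str = ""
    result: str = ""
    config: list = field(default_factory=list)   # lines under "Config:"
    info: list = field(default_factory=list)     # lines under "Additional Information:"


def parse_trace(text):
    """Return (phases, summary): a list of Phase objects and the final
    key/value summary (input-interface, Action, Drop-reason, ...)."""
    phases, summary = [], {}
    current, section = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = re.match(r"Phase:\s*(\d+)$", line)
        if m:                                   # start of a new phase block
            current = Phase(number=int(m.group(1)))
            phases.append(current)
            section = None
            continue
        if line == "Result:":                   # bare "Result:" opens the summary
            current, section = None, "summary"
            continue
        key, sep, value = line.partition(":")
        value = value.strip()
        if section == "summary":
            summary[key] = value
        elif current is not None and sep and key in PHASE_HEADERS:
            if key == "Type":
                current.type = value
            elif key == "Subtype":
                current.subtype = value
            elif key == "Result":
                current.result = value
            elif key == "Config":
                section = "config"
            else:                               # "Additional Information"
                section = "info"
        elif current is not None:
            # Free-form rule text (match ..., nat-control, hit counters, ...)
            (current.config if section == "config" else current.info).append(line)
    return phases, summary


def hit_counters(phase):
    """Extract counters such as translate_hits / policy_hits from a phase."""
    counters = {}
    for line in phase.config + phase.info:
        for name, count in re.findall(r"(\w+_hits)\s*=\s*(\d+)", line):
            counters[name] = int(count)
    return counters


def diagnose(text):
    """Summarise why the packet was dropped (or that it was allowed)."""
    phases, summary = parse_trace(text)
    drop = next((p for p in phases if p.result.upper() == "DROP"), None)
    matched = next((l for l in drop.config if l.startswith("match ")), None) if drop else None
    return {
        "action": summary.get("Action"),
        "drop_reason": summary.get("Drop-reason"),
        "phase": drop.number if drop else None,
        "type": drop.type if drop else None,
        "matched_rule": matched,
        "counters": hit_counters(drop) if drop else {},
    }


if __name__ == "__main__":
    for k, v in diagnose(SAMPLE_TRACE).items():
        print(f"{k}: {v}")
```

Run it on a saved packet-tracer capture instead of SAMPLE_TRACE to get the same one-screen answer: phase 7 (NAT) matched "match ip front_end_d any outside any", which is the catch-all nat 0 rule with no translation group, while the policy static in phase 6 shows translate_hits = 0, so the packet never used the intended translation.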
05-21-2009 02:49 PM
Can you try:
access-list FRTEND2_TO_SHARED extended permit ip host 192.168.233.69 any
If it was useful to you, please rate. Thanks!