ASA NAT/route lookup problems

Unanswered Question
May 21st, 2010

Hi,

We currently have ASAs running 8.2(11) and I'm finding that when we try to NAT (outside to inside) the ASA does a route lookup and, even though it's supposed to NAT, it then tries to route the connection back out the outside interface...

Source: 10.1.2.3
Dest:   10.2.2.2

Although it's configured to NAT 10.2.2.2 to 10.3.3.3, it first does a route lookup and drops the packet as it sees the destination as the outside interface:

Firewall-01/act(config)# packet-tracer input outside tcp 10.1.2.3 1024 10.2.2.2 80 detailed

Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         outside

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group CSM_FW_ACL_outside in interface outside
access-list CSM_FW_ACL_outside extended permit tcp any object-group External_VIP1 eq www log
object-group network External_VIP1
network-object 10.2.2.2 255.255.255.255
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xd83fc0e8, priority=12, domain=permit, deny=false
        hits=75, user_data=0xd688a200, cs_id=0x0, flags=0x0, protocol=6
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=10.2.2.2, mask=255.255.255.255, port=80, dscp=0x0

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xd7d308d0, priority=0, domain=permit-ip-option, deny=true
        hits=398902, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 5
Type: FOVER
Subtype: standby-update
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xd7debb38, priority=21, domain=lu, deny=true
        hits=119, user_data=0x0, cs_id=0x0, flags=0x0, protocol=6
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=80, dscp=0x0

Phase: 6
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (outside,core) 10.3.3.3 10.2.2.2 netmask 255.255.255.255
nat-control
  match ip outside host 10.2.2.2 core any
    static translation to 10.3.3.3
    translate_hits = 0, untranslate_hits = 0
Additional Information:
Reverse Flow based lookup yields rule:
in  id=0xd8428b08, priority=5, domain=host, deny=false
        hits=15, user_data=0xd8816110, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip=10.2.2.2, mask=255.255.255.255, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 7
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in  id=0xd7d308d0, priority=0, domain=permit-ip-option, deny=true
        hits=398903, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 8
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 469548, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_translate
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Module information for reverse flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_tcp_normalizer
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow

Routing is in place for the NAT'd destination.

Any ideas would be greatly appreciated.

Cheers,

Andy

Federico Coto F... Fri, 05/21/2010 - 14:59

Andy,

The ASA does perform routing before NATing.

Where does a show route for 10.2.2.2 point? To the outside?

Please explain where 10.1.2.3, 10.2.2.2 and 10.3.3.3 are according to your setup and from the ASA's point of view.

Federico.

Andy Taylor Fri, 05/21/2010 - 16:03

Federico,

Many thanks. 10.2.2.2 does route to the outside, and 10.3.3.3 to the inside.

10.1.2.3 is outside, 10.2.2.2 is outside and 10.3.3.3 inside.

I did try to put a static route for 10.2.2.2 inside, but then the ASA doesn't even try to NAT. If a static NAT is configured, I would have thought the ASA would automatically take care of the routing following the NAT.

Cheers,

Andy

Federico Coto F... Fri, 05/21/2010 - 19:06

Andy,

So you have a NAT rule like this:

static (out,in) 10.3.3.3 10.2.2.2

The above rule indicates that outside host 10.2.2.2 is seen inside as 10.3.3.3,
i.e. from the inside you can access this host with IP 10.3.3.3 and from the outside with IP 10.2.2.2.

In other words, if you send packets to 10.3.3.3, the ASA should send them to the inside, but if you send them to 10.2.2.2, the ASA will send them to the outside (not only because of the NAT rule, but because of the routing table).

Please let me know what it is that you're trying to do exactly.

Federico.

Andy Taylor Sat, 05/22/2010 - 07:40

Federico,

Many thanks. I so hope I've not put the static statement the wrong way around. I'll check as soon as I can get back on the box and will get back to you.

What am I trying to achieve: I want to host a virtual range (10.2.2.0/24) on the ASA and use one-to-one NAT to translate 10.2.2.x to 10.3.3.x, where the 10.3.3.0/24 network is situated inside the network.

Again, many thanks for the pointer and I hope it's as simple as that.

All the best,

Andy

Andy Taylor Sun, 05/23/2010 - 23:23

Federico,

We have the following static nat statement:

static (outside,inside) 10.3.3.3 10.2.2.2 netmask 255.255.255.255

So it looks like there is another issue...

Many thanks,

Andy

Andy Taylor Mon, 05/24/2010 - 01:45

It was the static statement :-(

It should have been static (inside,outside) 10.2.2.2 10.3.3.3 netmask 255.255.255.255

Many thanks for the pointers.

All the best,

Andy
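The whole thread turns on the operand order of the 8.2 static command, which Federico spelled out and Andy's last post confirms: static (real_ifc,mapped_ifc) mapped_ip real_ip. The following Python is an added example, not code from the thread or from Cisco; it parses a static statement, states which host is real and on which interface, and reports whether a packet arriving on a given interface for a given destination is untranslated by that rule or falls through to the routing table (which is what the packet-tracer above showed). The parser, StaticNat and the interface and address values are constructed for this illustration.

```python
import re
from dataclasses import dataclass

# 8.2 syntax: static (real_ifc,mapped_ifc) mapped_ip real_ip [netmask mask]
STATIC_RE = re.compile(
    r"^static\s+\((?P<real_ifc>[^,]+),(?P<mapped_ifc>[^)]+)\)\s+"
    r"(?P<mapped_ip>\S+)\s+(?P<real_ip>\S+)(?:\s+netmask\s+(?P<mask>\S+))?\s*$"
)


@dataclass(frozen=True)
class StaticNat:
    real_ifc: str    # interface where the real host lives
    mapped_ifc: str  # interface from which the mapped address is reachable
    mapped_ip: str   # first address operand
    real_ip: str     # second address operand


def parse_static(line: str) -> StaticNat:
    """Parse one 8.2-style static statement (hypothetical helper)."""
    m = STATIC_RE.match(line.strip())
    if not m:
        raise ValueError(f"not an 8.2 static statement: {line!r}")
    return StaticNat(m["real_ifc"].strip(), m["mapped_ifc"].strip(),
                     m["mapped_ip"], m["real_ip"])


def describe(rule: StaticNat) -> str:
    """Plain-language reading of the rule, as in Federico's reply."""
    return (f"real host {rule.real_ip} on {rule.real_ifc} is reachable as "
            f"{rule.mapped_ip} from {rule.mapped_ifc}")


def untranslate(rule: StaticNat, in_ifc: str, dst_ip: str):
    """For a packet arriving on in_ifc addressed to dst_ip, return
    (egress_ifc, real_dst) if this static untranslates it, else None
    (meaning the destination is left alone and plain routing decides)."""
    if in_ifc == rule.mapped_ifc and dst_ip == rule.mapped_ip:
        return rule.real_ifc, rule.real_ip
    return None


def matches_intent(rule: StaticNat, real_ifc: str, real_ip: str) -> bool:
    """Sanity check: does the rule put the real host where you think it is?"""
    return rule.real_ifc == real_ifc and rule.real_ip == real_ip


if __name__ == "__main__":
    for line in ("static (outside,inside) 10.3.3.3 10.2.2.2 netmask 255.255.255.255",
                 "static (inside,outside) 10.2.2.2 10.3.3.3 netmask 255.255.255.255"):
        r = parse_static(line)
        print(line, "->", describe(r), "| outside->10.2.2.2:", untranslate(r, "outside", "10.2.2.2"))
```

Running it shows the original statement treats 10.2.2.2 as the real host on outside, so a packet arriving on outside for 10.2.2.2 gets no untranslation and is routed by the default route, while the corrected statement untranslates it to 10.3.3.3 towards inside.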
