05-21-2010 02:54 PM - edited 03-11-2019 10:49 AM
Hi,
We currently have ASAs running 8.2(11) and I'm finding that when we try to NAT (outside to inside) the ASA does a route lookup and, even though it's supposed to NAT, it then tries to route the connection back out the outside interface...
Firewall-01/act(config)# packet-tracer input outside tcp 10.1.2.3 1024 10.2.2.2 80 detailed
Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside
Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group CSM_FW_ACL_outside in interface outside
access-list CSM_FW_ACL_outside extended permit tcp any object-group External_VIP1 eq www log
object-group network External_VIP1
network-object 10.2.2.2 255.255.255.255
Additional Information:
Forward Flow based lookup yields rule:
in id=0xd83fc0e8, priority=12, domain=permit, deny=false
hits=75, user_data=0xd688a200, cs_id=0x0, flags=0x0, protocol=6
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=10.2.2.2, mask=255.255.255.255, port=80, dscp=0x0
Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xd7d308d0, priority=0, domain=permit-ip-option, deny=true
hits=398902, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 5
Type: FOVER
Subtype: standby-update
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xd7debb38, priority=21, domain=lu, deny=true
hits=119, user_data=0x0, cs_id=0x0, flags=0x0, protocol=6
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=80, dscp=0x0
Phase: 6
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (outside,core) 10.3.3.3 10.2.2.2 netmask 255.255.255.255
nat-control
match ip outside host 10.2.2.2 core any
static translation to 10.3.3.3
translate_hits = 0, untranslate_hits = 0
Additional Information:
Reverse Flow based lookup yields rule:
in id=0xd8428b08, priority=5, domain=host, deny=false
hits=15, user_data=0xd8816110, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=10.2.2.2, mask=255.255.255.255, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 7
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0xd7d308d0, priority=0, domain=permit-ip-option, deny=true
hits=398903, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 8
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 469548, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_translate
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat
Module information for reverse flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_tcp_normalizer
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow
Routing is in place for the NAT'd destination.
Any ideas would be greatly appreciated.
Cheers,
Andy
05-21-2010 02:59 PM
Andy,
The ASA does perform routing before NATing.
What does a show route for 10.2.2.2 show? To the outside?
Please explain where are 10.1.2.3, 10.2.2.2 and 10.3.3.3 according to your setup and the ASA's point of view.
Federico.
05-21-2010 04:03 PM
Federico,
Many thanks. 10.2.2.2 does route to the outside, and 10.3.3.3 to the inside.
10.1.2.3 is outside, 10.2.2.2 is outside and 10.3.3.3 inside.
I did try putting a static route for 10.2.2.2 on the inside, but then the ASA doesn't even try to NAT. If a static NAT is configured, I would have thought the ASA would automatically take care of the routing following the NAT.
Cheers,
Andy
05-21-2010 07:06 PM
Andy,
So you have a NAT rule like this:
static (out,in) 10.3.3.3 10.2.2.2
The above rule indicates that outside host 10.2.2.2 is seen inside as 10.3.3.3
i.e.
From the inside you can access this host with IP 10.3.3.3 and from the outside with IP 10.2.2.2
In other words,
If you send packets to 10.3.3.3, the ASA should send them to the inside, but if you send them to 10.2.2.2, the ASA will send them to the outside (not only because of the NAT rule, but because of the routing table).
Please let me know what is that you're trying to do exactly.
Federico.
05-22-2010 07:40 AM
Federico,
Many thanks - I so hope I've not put the static statement the wrong way around. I'll check as soon as I can get back on the box and will get back to you.
What am I trying to achieve: I want to host a virtual range (10.2.2.0/24) on the ASA and use one-to-one NAT to translate 10.2.2.x to 10.3.3.x, where the 10.3.3.0/24 network is situated inside the network.
Again, many thanks for the pointer and I hope it's as simple as that.
All the best,
Andy
05-23-2010 11:23 PM
Federico,
We have the following static NAT statement:
static (outside,inside) 10.3.3.3 10.2.2.2 netmask 255.255.255.255
So it looks like there is another issue...
Many thanks,
Andy
05-24-2010 01:45 AM
It was the static statement :-(
It should have been static (inside,outside) 10.2.2.2 10.3.3.3 netmask 255.255.255.255
Many thanks for the pointers.
All the best,
Andy
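The statement direction Federico explains above (static (real_ifc,mapped_ifc) mapped_ip real_ip in the pre-8.3 syntax) is easy to get backwards, as this thread shows. The following Python script is an added example, not code from the thread or from Cisco: it parses an 8.2-style static statement, says in plain words which hosts it exposes where, and traces where an inbound packet would end up under a simplified model (untranslate and egress via the real interface when the packet enters on the mapped interface and hits the mapped range, otherwise a longest-prefix route lookup, as the thread's packet-tracer output shows for the reversed statement). The interface names, the routing table and the netmask 255.255.255.0 range case are constructed assumptions, the range case generalizing the thread's single-host statement to the one-to-one network translation Andy describes.

```python
"""Added example (not from the thread): check the direction of an ASA 8.2-style static NAT.

Syntax modelled (pre-8.3 ASA):
    static (real_ifc,mapped_ifc) mapped_ip real_ip [netmask mask]
The real hosts live behind real_ifc; they are presented on mapped_ifc under mapped_ip.
"""
import ipaddress
import re

STATIC_RE = re.compile(
    r"^\s*static\s+\((?P<real_ifc>[^,]+),(?P<mapped_ifc>[^)]+)\)\s+"
    r"(?P<mapped>\S+)\s+(?P<real>\S+)(?:\s+netmask\s+(?P<mask>\S+))?\s*$"
)

# Constructed routing table: default route out 'outside', 10.3.3.0/24 behind 'inside'.
ROUTES = [("0.0.0.0/0", "outside"), ("10.3.3.0/24", "inside")]

# The reversed statement from the thread and its corrected form.
WRONG_STATIC = "static (outside,inside) 10.3.3.3 10.2.2.2 netmask 255.255.255.255"
RIGHT_STATIC = "static (inside,outside) 10.2.2.2 10.3.3.3 netmask 255.255.255.255"
# Assumed one-to-one network translation for the whole 10.2.2.0/24 -> 10.3.3.0/24 range.
RANGE_STATIC = "static (inside,outside) 10.2.2.0 10.3.3.0 netmask 255.255.255.0"


def parse_static(line):
    """Split a static statement into its parts; netmask defaults to a /32 host."""
    m = STATIC_RE.match(line)
    if not m:
        raise ValueError(f"not an 8.2-style static statement: {line!r}")
    g = m.groupdict()
    mask = g["mask"] or "255.255.255.255"
    return {
        "real_ifc": g["real_ifc"].strip(),
        "mapped_ifc": g["mapped_ifc"].strip(),
        "real": ipaddress.ip_network(f"{g['real']}/{mask}", strict=False),
        "mapped": ipaddress.ip_network(f"{g['mapped']}/{mask}", strict=False),
    }


def describe(line):
    """Plain-words reading of the statement, the way Federico spelled it out."""
    s = parse_static(line)
    return (f"hosts {s['real']} behind '{s['real_ifc']}' are reachable from "
            f"'{s['mapped_ifc']}' as {s['mapped']}")


def route_lookup(routes, ip):
    """Longest-prefix match over (prefix, interface) pairs; None if no route."""
    addr = ipaddress.ip_address(ip)
    best = None
    for prefix, ifc in routes:
        net = ipaddress.ip_network(prefix, strict=False)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, ifc)
    return best[1] if best else None


def trace_inbound(line, routes, ingress_ifc, dst_ip):
    """Return (destination after untranslate, egress interface) for one packet.

    Simplified model: the static applies only to packets entering on the mapped
    interface for an address in the mapped range; those are untranslated host by
    host (same offset inside the range) and leave via the real interface. Any
    other packet is simply routed, which is what the thread's packet-tracer shows
    for the reversed statement (output-interface: outside, untranslate_hits = 0).
    """
    s = parse_static(line)
    dst = ipaddress.ip_address(dst_ip)
    if ingress_ifc == s["mapped_ifc"] and dst in s["mapped"]:
        offset = int(dst) - int(s["mapped"].network_address)
        real = ipaddress.ip_address(int(s["real"].network_address) + offset)
        return str(real), s["real_ifc"]
    return str(dst), route_lookup(routes, dst)


if __name__ == "__main__":
    for stmt in (WRONG_STATIC, RIGHT_STATIC, RANGE_STATIC):
        print(stmt)
        print("  ", describe(stmt))
        for dst in ("10.2.2.2", "10.2.2.77"):
            print("   outside ->", dst, "=>", trace_inbound(stmt, ROUTES, "outside", dst))
```

Run it and the reversed statement sends an outside packet for 10.2.2.2 straight back out the outside interface, while the corrected one untranslates it to 10.3.3.3 and hands it to inside; the range form does the same for every host in 10.2.2.0/24.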