04-16-2014 03:09 AM - edited 03-11-2019 09:05 PM
I'm trying to publish my Polycom codec outside, and for this purpose I did static NAT according to the ASA docs.
interface Ethernet0/0
nameif Outside
security-level 0
ip address X.X.40.98 255.255.255.240
object network HDX6000-INT
host 192.168.42.33
object network HDX6000-EXT
host X.X.140.100
access-list outside-in extended permit ip any object HDX6000-INT
nat (Inside,Outside) source static HDX6000-INT HDX6000-EXT
and it doesn't work anyway.
Packet trace is ok.
# packet-tracer input Outside tcp 8.8.8.8 1720 X.X.140.100 1720 $
Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (Inside,Outside) source static HDX6000-INT HDX6000-EXT
Additional Information:
NAT divert to egress interface Inside
Untranslate X.X.140.100/1720 to 192.168.42.33/1720
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 Outside
Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside-in in interface Outside
access-list outside-in extended permit ip any object HDX6000-INT
Additional Information:
Forward Flow based lookup yields rule:
in id=0xaebaa948, priority=13, domain=permit, deny=false
hits=2, user_data=0xaa86a3c0, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=192.168.42.33, mask=255.255.255.255, port=0, dscp=0x0
input_ifc=Outside, output_ifc=any
Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xad774470, priority=0, domain=inspect-ip-options, deny=true
hits=9183193, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
input_ifc=Outside, output_ifc=any
Phase: 5
Type: INSPECT
Subtype: inspect-h323
Result: ALLOW
Config:
class-map botnet-class
match default-inspection-traffic
policy-map botnet-policy
class botnet-class
inspect h323 h225 _default_h323_map
service-policy botnet-policy interface Outside
Additional Information:
Forward Flow based lookup yields rule:
in id=0xae2d4e08, priority=72, domain=inspect-h323, deny=false
hits=7, user_data=0xae2d3e30, cs_id=0x0, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=1720, dscp=0x0
input_ifc=Outside, output_ifc=any
Phase: 6
Type:
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xae2ce448, priority=18, domain=flow-export, deny=false
hits=1321269, user_data=0xae2a1ef0, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
input_ifc=Outside, output_ifc=any
Phase: 7
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xae1c10f8, priority=13, domain=ipsec-tunnel-flow, deny=true
hits=49347, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
input_ifc=Outside, output_ifc=any
Phase: 8
Type:
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xae1f7aa0, priority=13, domain=dynamic-filter, deny=true
hits=66109, user_data=0xae1f7378, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=192.168.0.0, mask=255.255.0.0, port=0, dscp=0x0
input_ifc=Outside, output_ifc=any
Phase: 9
Type:
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xae1f9460, priority=12, domain=UNKNOWN:49, deny=false
hits=85104, user_data=0xae1f9420, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
input_ifc=Outside, output_ifc=any
Phase: 10
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (Inside,Outside) source static HDX6000-INT HDX6000-EXT
Additional Information:
Forward Flow based lookup yields rule:
out id=0xaec80db8, priority=6, domain=nat-reverse, deny=false
hits=1, user_data=0xae9df740, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=192.168.42.33, mask=255.255.255.255, port=0, dscp=0x0
input_ifc=Outside, output_ifc=Inside
Phase: 11
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0xad799030, priority=0, domain=inspect-ip-options, deny=true
hits=9773422, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
input_ifc=Inside, output_ifc=any
Phase: 12
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 10477792, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_punt <H225 connection inspection>
snp_fp_translate
snp_fp_tcp_normalizer
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat
Module information for reverse flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_translate
snp_fp_punt <H225 connection inspection>
snp_fp_tcp_normalizer
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat
Result:
input-interface: Outside
input-status: up
input-line-status: up
output-interface: Inside
output-status: up
output-line-status: up
Action: allow
#show xlate
1724 in use, 3679 most used
Flags: D - DNS, i - dynamic, r - portmap, s - static, I - identity, T - twice
NAT from Inside:0.0.0.0/0 to Outside:0.0.0.0/0
flags sI idle 0:01:19 timeout 0:00:00
NAT from Inside:192.168.42.33 to Outside:X.X.140.100
flags s idle 0:02:18 timeout 0:00:00
Did I miss something?
04-16-2014 03:43 AM
Hi, can you post the output of the show route command?
Your Outside IP address is X.X.40.98 255.255.255.240 and you are NATing the internal HDX to X.X.140.100. Is your ISP routing all traffic destined to .140.100 to .40.98? I mean, is .140.100 visible to the Internet? The reason I'm asking this is because normally you will do a static NAT to an extra public IP that is on the same subnet as your Outside IP address unless your ISP routes it.
The reason the packet tracer works is that the ASA assumes the packet from 8.8.8.8 can reach the Outside interface of the ASA.
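The check the reply is asking for can be scripted: parse the directly-connected routes from show route and see whether the static-NAT mapped address falls inside the Outside interface's connected subnet (so the ASA will proxy-ARP for it) or whether the provider must route it to the firewall. This is an added example, not part of the thread; the sample show route lines are constructed from the thread's output with the redacted X.X prefix replaced by the documentation range 198.51.100, and the function names are my own.

```python
"""Decide whether a static-NAT mapped address is owned by the ASA on its egress
interface or has to be routed to the firewall by the upstream provider.
Sample input is constructed; 198.51.100 stands in for the thread's redacted X.X."""
import re
from ipaddress import ip_address, ip_network

# Constructed subset of the thread's 'show route' output (ASA format).
SHOW_ROUTE = """\
C 192.168.5.0 255.255.255.248 is directly connected, Inside
C 198.51.100.96 255.255.255.240 is directly connected, Outside
S* 0.0.0.0 0.0.0.0 [1/0] via 198.51.100.97, Outside
O 192.168.42.0 255.255.255.0 [110/11] via 192.168.5.1, 29:08:27, Inside
"""

# Matches only the 'C' (connected) routes: network, mask, interface name.
CONNECTED_RE = re.compile(
    r"^C\s+(\S+)\s+(\S+)\s+is directly connected,\s+(\S+)", re.M)


def connected_subnets(show_route):
    """Return {interface: [networks]} built from the 'C' routes."""
    subnets = {}
    for net, mask, ifc in CONNECTED_RE.findall(show_route):
        # ipaddress accepts dotted-mask notation, as printed by the ASA.
        subnets.setdefault(ifc, []).append(ip_network(f"{net}/{mask}"))
    return subnets


def classify_mapped_ip(mapped_ip, egress_ifc, show_route):
    """'proxy-arp': the mapped address sits in a subnet the ASA has on
    egress_ifc, so the ASA answers ARP for it and inbound packets arrive.
    'upstream-route': the address is not local to that interface; the
    provider must route it to the ASA. packet-tracer cannot tell the two
    apart, because it assumes the packet already reached the interface."""
    addr = ip_address(mapped_ip)
    for net in connected_subnets(show_route).get(egress_ifc, []):
        if addr in net:
            return "proxy-arp"
    return "upstream-route"


if __name__ == "__main__":
    # .100.100 is inside the connected /28; .40.100 (the interface octet
    # as typed in the first post) is not and would need an upstream route.
    for ip in ("198.51.100.100", "198.51.40.100"):
        print(ip, classify_mapped_ip(ip, "Outside", SHOW_ROUTE))
```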
04-16-2014 04:29 AM
Gateway of last resort is X.X.140.97 to network 0.0.0.0
O 192.168.46.0 255.255.255.0 [110/11] via 192.168.5.1, 29:08:27, Inside
O 192.168.62.0 255.255.255.0 [110/11] via 192.168.5.1, 29:08:27, Inside
O 192.168.47.0 255.255.255.0 [110/11] via 192.168.5.1, 29:08:27, Inside
S 192.168.44.6 255.255.255.255 [1/0] via X.X.140.97, Outside
S 192.168.44.9 255.255.255.255 [1/0] via X.X.140.97, Outside
O 192.168.45.0 255.255.255.0 [110/11] via 192.168.5.1, 29:08:27, Inside
O 192.168.42.0 255.255.255.0 [110/11] via 192.168.5.1, 29:08:27, Inside
O 192.168.58.0 255.255.255.0 [110/12] via 192.168.5.1, 29:08:27, Inside
O 192.168.40.0 255.255.255.0 [110/11] via 192.168.5.1, 29:08:27, Inside
O 192.168.57.0 255.255.255.0 [110/12] via 192.168.5.1, 29:08:27, Inside
O 172.16.252.0 255.255.255.252 [110/11] via 192.168.5.1, 29:08:27, Inside
O 172.16.251.0 255.255.255.252 [110/511] via 192.168.5.1, 29:08:27, Inside
O 172.16.32.0 255.255.255.0 [110/12] via 192.168.5.1, 29:08:27, Inside
O 172.16.31.0 255.255.255.0 [110/11] via 192.168.5.1, 29:08:27, Inside
O 192.168.56.0 255.255.255.0 [110/12] via 192.168.5.1, 29:08:28, Inside
O 192.168.41.0 255.255.255.0 [110/11] via 192.168.5.1, 29:08:28, Inside
O 192.168.55.0 255.255.255.0 [110/12] via 192.168.5.1, 29:08:28, Inside
C 192.168.5.0 255.255.255.248 is directly connected, Inside
O 10.189.151.0 255.255.255.252 [110/12] via 192.168.5.1, 29:08:28, Inside
O 192.168.6.0 255.255.255.248 [110/261] via 192.168.5.1, 29:08:28, Inside
O 192.168.233.233 255.255.255.255
[110/12] via 192.168.5.1, 29:08:28, Inside
C X.X.140.96 255.255.255.240 is directly connected, Outside
O 192.168.52.0 255.255.255.0 [110/12] via 192.168.5.1, 29:08:28, Inside
O 192.168.51.0 255.255.255.0 [110/12] via 192.168.5.1, 29:08:28, Inside
O 192.168.50.0 255.255.255.0 [110/61] via 192.168.5.1, 29:08:28, Inside
O 192.168.48.0 255.255.255.0 [110/11] via 192.168.5.1, 29:08:28, Inside
S* 0.0.0.0 0.0.0.0 [1/0] via X.X.140.97, Outside
O 192.168.32.0 255.255.252.0 [110/11] via 192.168.5.1, 29:08:28, Inside
# ping outside 8.8.8.8
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 10/16/20 ms