ASA v8.4 STATIC NAT ISSUE.

era_cisco
Level 1

I'm trying to publish my Polycom codec outside, and for this purpose I did a static NAT according to the ASA docs.


interface Ethernet0/0
 nameif Outside
 security-level 0
 ip address X.X.40.98 255.255.255.240

object network HDX6000-INT
 host 192.168.42.33
object network HDX6000-EXT
 host X.X.140.100

access-list outside-in extended permit ip any object HDX6000-INT

nat (Inside,Outside) source static HDX6000-INT HDX6000-EXT

and it doesn't work anyway.

Packet trace is ok.

# packet-tracer input Outside tcp 8.8.8.8 1720 X.X.140.100 1720 $

Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (Inside,Outside) source static HDX6000-INT HDX6000-EXT
Additional Information:
NAT divert to egress interface Inside
Untranslate X.X.140.100/1720 to 192.168.42.33/1720

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         Outside

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside-in in interface Outside
access-list outside-in extended permit ip any object HDX6000-INT
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xaebaa948, priority=13, domain=permit, deny=false
        hits=2, user_data=0xaa86a3c0, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0
        dst ip/id=192.168.42.33, mask=255.255.255.255, port=0, dscp=0x0
        input_ifc=Outside, output_ifc=any

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xad774470, priority=0, domain=inspect-ip-options, deny=true
        hits=9183193, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
        input_ifc=Outside, output_ifc=any

Phase: 5
Type: INSPECT
Subtype: inspect-h323
Result: ALLOW
Config:
class-map botnet-class
 match default-inspection-traffic
policy-map botnet-policy
 class botnet-class
  inspect h323 h225 _default_h323_map
service-policy botnet-policy interface Outside
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xae2d4e08, priority=72, domain=inspect-h323, deny=false
        hits=7, user_data=0xae2d3e30, cs_id=0x0, use_real_addr, flags=0x0, protocol=6
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=1720, dscp=0x0
        input_ifc=Outside, output_ifc=any

Phase: 6
Type:
Subtype:
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xae2ce448, priority=18, domain=flow-export, deny=false
        hits=1321269, user_data=0xae2a1ef0, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
        input_ifc=Outside, output_ifc=any

Phase: 7
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xae1c10f8, priority=13, domain=ipsec-tunnel-flow, deny=true
        hits=49347, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
        input_ifc=Outside, output_ifc=any

Phase: 8
Type:
Subtype:
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xae1f7aa0, priority=13, domain=dynamic-filter, deny=true
        hits=66109, user_data=0xae1f7378, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0
        dst ip/id=192.168.0.0, mask=255.255.0.0, port=0, dscp=0x0
        input_ifc=Outside, output_ifc=any

Phase: 9
Type:
Subtype:
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xae1f9460, priority=12, domain=UNKNOWN:49, deny=false
        hits=85104, user_data=0xae1f9420, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
        input_ifc=Outside, output_ifc=any

Phase: 10
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (Inside,Outside) source static HDX6000-INT HDX6000-EXT
Additional Information:
 Forward Flow based lookup yields rule:
 out id=0xaec80db8, priority=6, domain=nat-reverse, deny=false
        hits=1, user_data=0xae9df740, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0
        dst ip/id=192.168.42.33, mask=255.255.255.255, port=0, dscp=0x0
        input_ifc=Outside, output_ifc=Inside

Phase: 11
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
 Reverse Flow based lookup yields rule:
 in  id=0xad799030, priority=0, domain=inspect-ip-options, deny=true
        hits=9773422, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
        input_ifc=Inside, output_ifc=any

Phase: 12
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 10477792, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_punt <H225 connection inspection>
snp_fp_translate
snp_fp_tcp_normalizer
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Module information for reverse flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_translate
snp_fp_punt <H225 connection inspection>
snp_fp_tcp_normalizer
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Result:
input-interface: Outside
input-status: up
input-line-status: up
output-interface: Inside
output-status: up
output-line-status: up
Action: allow


#show xlate
1724 in use, 3679 most used
Flags: D - DNS, i - dynamic, r - portmap, s - static, I - identity, T - twice
NAT from Inside:0.0.0.0/0 to Outside:0.0.0.0/0
    flags sI idle 0:01:19 timeout 0:00:00
NAT from Inside:192.168.42.33 to Outside:X.X.140.100
    flags s idle 0:02:18 timeout 0:00:00


Did I miss something?



Rudy Sanjoko
Level 4

Hi, can you post the output of the show route command?

Your Outside IP address is X.X.40.98 255.255.255.240 and you are NATing the internal HDX to X.X.140.100. Is your ISP routing all traffic destined to .140.100 to .40.98? I mean, is .140.100 visible to the Internet? The reason I'm asking is that normally you would do a static NAT to an extra public IP that is on the same subnet as your Outside IP address, unless your ISP routes it to you.

Regarding why the packet tracer works: it is because the ASA assumes the packet from 8.8.8.8 can reach the Outside interface of the ASA.

Gateway of last resort is X.X.140.97 to network 0.0.0.0

O    192.168.46.0 255.255.255.0 [110/11] via 192.168.5.1, 29:08:27, Inside
O    192.168.62.0 255.255.255.0 [110/11] via 192.168.5.1, 29:08:27, Inside
O    192.168.47.0 255.255.255.0 [110/11] via 192.168.5.1, 29:08:27, Inside
S    192.168.44.6 255.255.255.255 [1/0] via X.X.140.97, Outside
S    192.168.44.9 255.255.255.255 [1/0] via X.X.140.97, Outside
O    192.168.45.0 255.255.255.0 [110/11] via 192.168.5.1, 29:08:27, Inside
O    192.168.42.0 255.255.255.0 [110/11] via 192.168.5.1, 29:08:27, Inside
O    192.168.58.0 255.255.255.0 [110/12] via 192.168.5.1, 29:08:27, Inside
O    192.168.40.0 255.255.255.0 [110/11] via 192.168.5.1, 29:08:27, Inside
O    192.168.57.0 255.255.255.0 [110/12] via 192.168.5.1, 29:08:27, Inside
O    172.16.252.0 255.255.255.252 [110/11] via 192.168.5.1, 29:08:27, Inside
O    172.16.251.0 255.255.255.252 [110/511] via 192.168.5.1, 29:08:27, Inside
O    172.16.32.0 255.255.255.0 [110/12] via 192.168.5.1, 29:08:27, Inside
O    172.16.31.0 255.255.255.0 [110/11] via 192.168.5.1, 29:08:27, Inside
O    192.168.56.0 255.255.255.0 [110/12] via 192.168.5.1, 29:08:28, Inside
O    192.168.41.0 255.255.255.0 [110/11] via 192.168.5.1, 29:08:28, Inside
O    192.168.55.0 255.255.255.0 [110/12] via 192.168.5.1, 29:08:28, Inside
C    192.168.5.0 255.255.255.248 is directly connected, Inside
O    10.189.151.0 255.255.255.252 [110/12] via 192.168.5.1, 29:08:28, Inside
O    192.168.6.0 255.255.255.248 [110/261] via 192.168.5.1, 29:08:28, Inside
O    192.168.233.233 255.255.255.255
           [110/12] via 192.168.5.1, 29:08:28, Inside
C    X.X.140.96 255.255.255.240 is directly connected, Outside
O    192.168.52.0 255.255.255.0 [110/12] via 192.168.5.1, 29:08:28, Inside
O    192.168.51.0 255.255.255.0 [110/12] via 192.168.5.1, 29:08:28, Inside
O    192.168.50.0 255.255.255.0 [110/61] via 192.168.5.1, 29:08:28, Inside
O    192.168.48.0 255.255.255.0 [110/11] via 192.168.5.1, 29:08:28, Inside
S*   0.0.0.0 0.0.0.0 [1/0] via X.X.140.97, Outside
O    192.168.32.0 255.255.252.0 [110/11] via 192.168.5.1, 29:08:28, Inside

# ping outside 8.8.8.8
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 10/16/20 ms
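The check Rudy describes above (is the static-NAT mapped address on the Outside interface's connected subnet, or does it depend on the ISP routing it to you?) can be automated against `show route` output. This is an added example, not code from the thread or from Cisco; it assumes a constructed route table in which the thread's masked X.X prefix is replaced by the documentation range 203.0.113.0/24.

```python
import ipaddress
import re

# Constructed sample of "show route" output, modelled on the table in the
# thread. The thread masks its public prefix as X.X; 203.0.113.0/24 (TEST-NET-3)
# is substituted here as an assumption, not the poster's real addressing.
SHOW_ROUTE = """\
Gateway of last resort is 203.0.113.97 to network 0.0.0.0

O    192.168.42.0 255.255.255.0 [110/11] via 192.168.5.1, 29:08:27, Inside
C    192.168.5.0 255.255.255.248 is directly connected, Inside
C    203.0.113.96 255.255.255.240 is directly connected, Outside
S*   0.0.0.0 0.0.0.0 [1/0] via 203.0.113.97, Outside
"""

# Matches only the "C" (directly connected) rows of an ASA routing table.
CONNECTED_RE = re.compile(
    r"^C\s+(\S+)\s+(\S+)\s+is directly connected,\s+(\S+)\s*$", re.M
)


def connected_subnets(show_route: str) -> dict:
    """Return {interface_name: IPv4Network} for every connected route."""
    subnets = {}
    for addr, mask, ifc in CONNECTED_RE.findall(show_route):
        subnets[ifc] = ipaddress.IPv4Network(f"{addr}/{mask}")
    return subnets


def classify_mapped_address(mapped_ip: str, show_route: str,
                            nat_ifc: str = "Outside") -> str:
    """Classify a static-NAT mapped (public) address against connected routes.

    'on-link'      : inside the NAT interface's connected subnet, so the ASA
                     answers ARP for it and no ISP route is required.
    'routed'       : outside every connected subnet; it only works if the ISP
                     routes that prefix towards the interface address.
    'conflict:IFC' : lands in a connected subnet on a different interface,
                     which a static NAT on nat_ifc cannot serve.
    """
    ip = ipaddress.IPv4Address(mapped_ip)
    for ifc, net in connected_subnets(show_route).items():
        if ip in net:
            return "on-link" if ifc == nat_ifc else f"conflict:{ifc}"
    return "routed"


if __name__ == "__main__":
    for candidate in ("203.0.113.100", "198.51.100.10"):
        print(candidate, "->", classify_mapped_address(candidate, SHOW_ROUTE))
```

A 'routed' result is the case Rudy asks about: the mapped address is not on the Outside subnet, so reachability depends entirely on the upstream route, which packet-tracer does not verify.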

