
ASA static nat

shiran.wang
Level 1

ASA version 9.6(3)1

Both NATs have the same configuration, except that 172.16.100.2 uses interface. Does anyone have the same question?

This object works fine:

object network 172.16.100.3_25_xx2
 nat (DMZ,xyz) static 202.175.xx.203 service tcp smtp smtp

This object does not work:

object network 172.16.100.2_25_xx1
 nat (DMZ,xyz) static interface service tcp smtp smtp

Cisco Adaptive Security Appliance Software Version 9.6(3)1
Device Manager Version 7.2(2)1

Compiled on Thu 30-Mar-17 21:40 PDT by builders
System image file is "disk0:/asa963-1-smp-k8.bin"
Config file at boot was "startup-config"

packet-tracer input xyz tcp 8.8.8.8  1024 202.175.xx.202 25

Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 202.175.xx.202 using egress ifc  identity

Phase: 2
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: xyz
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

# packet-tracer input xyz tcp 8.8.8.8  1024 202.175.xx.203 25

Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
object network 172.16.100.3_25_xyz
 nat (DMZ,xyz) static 202.175.xx.203 service tcp smtp smtp
Additional Information:
NAT divert to egress interface DMZ
Untranslate 202.175.xx.203/25 to 172.16.100.3/25

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group xyz in interface xyz
access-list xyz extended permit tcp any host 172.16.100.3 eq smtp
Additional Information:

Phase: 3
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: INSPECT
Subtype: inspect-smtp
Result: ALLOW
Config:
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect esmtp _default_esmtp_map
service-policy global_policy global
Additional Information:

Phase: 6
Type: FOVER
Subtype: standby-update
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (DMZ,xyz) source dynamic any interface
Additional Information:

Phase: 8
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 9
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 10
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 538894, packet dispatched to next module

Result:
input-interface: xyz
input-status: up
input-line-status: up
output-interface: DMZ
output-status: up
output-line-status: up
Action: allow

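The two traces above can be compared mechanically. The following Python script is an added example and is not code from the thread or from Cisco: it parses packet-tracer output and reports whether an UN-NAT phase rewrote the destination, which phase dropped the packet, and the drop reason. The embedded inputs are the poster's two traces, abridged to the phases that matter (the "xx" octet is the poster's own redaction); the function names are this example's own.

```python
import re

# Inputs: the two packet-tracer outputs from the thread, abridged to the
# phases that matter for the diagnosis (the "xx" octet is the poster's own
# redaction). Phase numbering is kept as printed by the ASA.
TRACE_INTERFACE = """\
Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 202.175.xx.202 using egress ifc  identity

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: xyz
output-interface: NP Identity Ifc
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

TRACE_STATIC_IP = """\
Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
object network 172.16.100.3_25_xyz
 nat (DMZ,xyz) static 202.175.xx.203 service tcp smtp smtp
Additional Information:
NAT divert to egress interface DMZ
Untranslate 202.175.xx.203/25 to 172.16.100.3/25

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group xyz in interface xyz
access-list xyz extended permit tcp any host 172.16.100.3 eq smtp
Additional Information:

Result:
input-interface: xyz
output-interface: DMZ
Action: allow
"""


def _field(block, key):
    """Value on the single line 'Key: value' (empty string if the value is blank)."""
    m = re.search(rf"^{key}:[ \t]*(.*)$", block, re.M)
    return m.group(1).strip() if m else ""


def _lines_after(block, key):
    """Non-empty lines that follow 'Key:' up to a blank line or the next header."""
    m = re.search(rf"^{key}:[ \t]*\n((?:(?!Additional Information:)[^\n]+\n?)*)", block, re.M)
    return m.group(1).strip() if m else ""


def parse_trace(text):
    """Split a packet-tracer dump into its phases plus the final Result block."""
    phases = []
    for block in re.split(r"^Phase:[ \t]*", text, flags=re.M)[1:]:
        phases.append({
            "num": int(block.split("\n", 1)[0]),
            "type": _field(block, "Type"),
            "subtype": _field(block, "Subtype"),
            "result": _field(block, "Result"),
            "config": _lines_after(block, "Config"),
            "info": _lines_after(block, "Additional Information"),
        })
    untranslate = re.search(r"^Untranslate (\S+) to (\S+)", text, re.M)
    dropped = next(((p["num"], p["type"]) for p in phases if p["result"] == "DROP"), None)
    return {
        "phases": phases,
        "action": _field(text, "Action").lower(),
        "drop_reason": _field(text, "Drop-reason"),
        "egress": _field(text, "output-interface"),
        "untranslate": untranslate.groups() if untranslate else None,
        "dropped_phase": dropped,
    }


def diagnose(text):
    """One-line verdict for a trace, flagging the 'no UN-NAT, egress identity' case."""
    t = parse_trace(text)
    if t["action"] == "allow":
        mapped, real = t["untranslate"] or ("(none)", "(none)")
        return f"allowed: {mapped} un-NATed to {real}, egress {t['egress']}"
    num, ptype = t["dropped_phase"] or ("?", "?")
    first = t["phases"][0] if t["phases"] else {"type": "", "info": ""}
    if t["untranslate"] is None and first["type"] == "ROUTE-LOOKUP" and "identity" in first["info"]:
        return (f"dropped in phase {num} ({ptype}): no UN-NAT phase ran and the route lookup "
                f"picked egress 'identity', so the static NAT did not match and the ASA treated "
                f"the packet as addressed to itself; {t['drop_reason']}")
    return f"dropped in phase {num} ({ptype}): {t['drop_reason']}"
```

The tell the parser looks for is the shape of the first trace: no UN-NAT phase runs at all and the very first phase is a route lookup that resolves to egress "identity", so the packet is being handled as traffic to the ASA itself rather than forwarded to the DMZ host, and the implicit deny then drops it. In the second trace the UN-NAT phase fires first and rewrites 202.175.xx.203/25 to 172.16.100.3/25 before the ACL is checked against the real address.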
3 Replies

Jon Marshall
Hall of Fame

Can you post a "sh nat"?

Jon

 service tcp destination eq smtp
nat (ServerFarm,xyz2) source static object_10.10.120.0 object_10.10.120.0 destination static object_10.10.10.10.0 object_10.10.10.10.0
nat (ServerFarm,xyz1) source static object_10.10.120.0 object_10.10.120.0 destination static object_10.10.10.10.0 object_10.10.10.10.0
nat (Inside,xyz2) source dynamic any interface
nat (DMZ,xyz1) source dynamic any interface
nat (DMZ,xyz2) source dynamic any interface
nat (Inside,Informac) source dynamic any interface
nat (ServerFarm,Informac) source dynamic any interface
nat (WIFI_AP,xyz2) source dynamic any interface
nat (WIFI_AP,xyz1) source dynamic any interface
nat (ServerFarm,xyz1) source dynamic any interface
nat (ServerFarm,xyz2) source dynamic any interface
nat (WIFI_Staff,xyz2) source dynamic any interface
nat (WIFI_Staff,xyz1) source dynamic any interface
nat (WIFI_Guest,xyz2) source dynamic any interface
nat (WIFI_Guest,xyz1) source dynamic any interface
nat (WIFI_Media,xyz2) source dynamic any interface
nat (WIFI_Media,xyz1) source dynamic any interface
nat (CCenter,xyz2) source dynamic any interface
nat (CCenter,xyz1) source dynamic any interface
nat (Inside,xyz1) source dynamic any interface
 nat (DMZ,xyz1) static 202.175.xx.203 service tcp smtp smtp
 nat (ServerFarm,xyz1) static 202.175.xx.203 service tcp https https
 nat (ServerFarm,xyz1) static 202.175.xx.203 service tcp www www
 nat (ServerFarm,xyz1) static 202.175.xx.204
 nat (ServerFarm,xyz1) static 202.175.xx.205 service tcp https https
 nat (ServerFarm,xyz1) static 202.175.xx.205 service tcp www www
 nat (DMZ,xyz2) static 182.93.x1.27 service tcp smtp smtp
 nat (DMZ,xyz2) static 182.93.x1.28 service tcp smtp smtp
 nat (ServerFarm,xyz2) static 182.93.x1.27 service tcp https https
 nat (ServerFarm,xyz2) static 182.93.x1.27 service tcp www www
 nat (ServerFarm,xyz2) static 182.93.x1.29
 nat (DMZ,xyz1) static 202.175.xx.202 service tcp smtp smtp

I'm not sure that is the output of "sh nat", i.e. it should show the hits etc.

I think the problem is with the order of your NAT rules but I need to see the proper output first.

Jon

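Jon's point is that "show nat" (unlike the running-config NAT lines posted above) prints the rules in the order the ASA evaluates them, Section 1 manual NAT before Section 2 object NAT, together with translate_hits and untranslate_hits counters. The following Python is an added example, not code from the thread or from Cisco: it parses output in that shape and lists, per interface pair, the rules in evaluation order and any static rule whose untranslate_hits is still zero. The sample input is constructed to mirror the thread's rules; its counters are invented, and the helper names are this example's own.

```python
import re

# Constructed sample in the shape of ASA "show nat" output. The rules mirror
# the ones quoted in the thread; the hit counters are made up, since the
# poster has not yet supplied the real output.
SHOW_NAT = """\
Manual NAT Policies (Section 1)
1 (DMZ) to (xyz1) source dynamic any interface
    translate_hits = 5123, untranslate_hits = 0
2 (DMZ) to (xyz2) source dynamic any interface
    translate_hits = 211, untranslate_hits = 0

Auto NAT Policies (Section 2)
1 (DMZ) to (xyz1) source static 172.16.100.3_25_xyz 202.175.xx.203   service tcp smtp smtp
    translate_hits = 0, untranslate_hits = 87
2 (DMZ) to (xyz1) source static 172.16.100.2_25_xx1 interface   service tcp smtp smtp
    translate_hits = 0, untranslate_hits = 0
"""

SECTION_RE = re.compile(r"^(Manual|Auto) NAT Policies \(Section (\d)\)")
RULE_RE = re.compile(r"^(\d+) \((\S+)\) to \((\S+)\) (.+)$")
HITS_RE = re.compile(r"translate_hits = (\d+), untranslate_hits = (\d+)")


def parse_show_nat(text):
    """Return the rules in the order the ASA lists them, with their hit counters."""
    rules, section = [], None
    for line in text.splitlines():
        sec = SECTION_RE.match(line)
        rule = RULE_RE.match(line)
        hits = HITS_RE.search(line)
        if sec:
            section = int(sec.group(2))
        elif rule:
            rules.append({"section": section, "index": int(rule.group(1)),
                          "src_if": rule.group(2), "dst_if": rule.group(3),
                          "rule": rule.group(4).strip(),
                          "translate_hits": 0, "untranslate_hits": 0})
        elif hits and rules:
            # Counter line belongs to the rule printed just before it.
            rules[-1]["translate_hits"] = int(hits.group(1))
            rules[-1]["untranslate_hits"] = int(hits.group(2))
    return rules


def rules_for_pair(rules, src_if, dst_if):
    """Rules for one interface pair, Section 1 before Section 2, each in listed order."""
    return sorted((r for r in rules if r["src_if"] == src_if and r["dst_if"] == dst_if),
                  key=lambda r: (r["section"], r["index"]))


def idle_static_rules(rules):
    """Static rules that have never un-translated an inbound connection."""
    return [r for r in rules if "static" in r["rule"] and r["untranslate_hits"] == 0]
```

The counters only say which rule matched, not why another did not, but a static port-forward still showing untranslate_hits = 0 after inbound tests is one the traffic never reached, which is what the first packet-tracer run in this thread suggests and what the real "show nat" output would confirm or rule out.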