03-06-2012 08:48 AM - edited 03-11-2019 03:38 PM
Hi
I have server with real address 10.173.1.242, i created static nat to address 10.164.32.15, but I can not to connect to address 10.164.32.15 from IP 10.161.111.130, here is config of ASA:
Peter
ASA Version 8.0(5)
!
names
!
interface GigabitEthernet0/0
nameif intranet
security-level 30
ip address 10.164.241.1 255.255.255.0 standby 10.164.241.2
!
interface GigabitEthernet0/1
nameif cdi
security-level 80
ip address 10.173.241.1 255.255.255.0 standby 10.173.241.2
!
interface GigabitEthernet0/2
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/2.491
vlan 491
nameif service491
security-level 50
ip address 10.173.1.241 255.255.255.0 standby 10.173.1.240
!
interface GigabitEthernet0/2.492
vlan 492
nameif service492
security-level 50
ip address 10.173.2.241 255.255.255.0 standby 10.173.2.240
!
interface GigabitEthernet0/2.493
vlan 493
nameif service493
security-level 50
ip address 10.173.3.241 255.255.255.0 standby 10.173.3.240
!
interface GigabitEthernet0/2.500
vlan 500
nameif service500
security-level 50
ip address 10.173.0.241 255.255.255.0 standby 10.173.0.240
!
interface GigabitEthernet0/2.550
vlan 550
nameif service550
security-level 50
no ip address
!
interface GigabitEthernet0/3
description LAN Failover Interface
!
!
boot system disk0:/asa805-k8.bin
ftp mode passive
dns server-group DefaultDNS
domain-name t-dc.sk
access-list cdi-in extended permit icmp any any log debugging
access-list cdi-in extended deny ip any any
access-list intranet-in extended permit ip 10.161.111.0 255.255.255.0 host 10.0.0.0 log debugging
access-list intranet-in extended permit ip 10.164.32.0 255.255.255.0 host 10.0.0.0 log debugging
access-list intranet-in extended deny ip any any
access-list service491-in extended permit icmp any any log debugging
access-list service491-in extended deny ip any any
access-list service492-in extended deny ip any any
access-list service493-in extended deny ip any any
access-list service500-in extended deny ip any any
access-list service550-in extended deny ip any any
access-list cap extended permit ip any any
pager lines 24
logging buffered debugging
logging trap debugging
logging asdm debugging
logging host service491 10.173.1.242
mtu intranet 1500
mtu cdi 1500
mtu service491 1500
mtu service492 1500
mtu service493 1500
mtu service500 1500
mtu service550 1500
mtu mngmt 1500
ip local pool pool1 10.31.250.129-10.31.250.255 mask 255.255.255.0
failover
failover lan unit primary
failover lan interface failover GigabitEthernet0/3
failover interface ip failover 172.16.10.1 255.255.255.252 standby 172.16.10.2
no monitor-interface intranet
no monitor-interface cdi
no monitor-interface mngmt
icmp unreachable rate-limit 1 burst-size 1
icmp permit any intranet
icmp permit any cdi
icmp permit any service491
icmp permit any service492
icmp permit any service493
icmp permit any service500
icmp permit any service550
asdm image disk0:/asdm-647.bin
no asdm history enable
arp timeout 14400
static (service491,intranet) 10.164.32.15 10.173.1.242 netmask 255.255.255.255
access-group intranet-in in interface intranet
access-group cdi-in in interface cdi
access-group service491-in in interface service491
access-group service492-in in interface service492
access-group service493-in in interface service493
access-group service500-in in interface service500
access-group service550-in in interface service550
route intranet 0.0.0.0 0.0.0.0 10.164.241.5 1
route cdi 10.97.0.0 255.255.0.0 10.173.241.5 1
route cdi 10.168.0.0 255.255.0.0 10.173.241.5 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto ca trustpoint localtrust
enrollment self
fqdn sslvpn.t-dc.sk
keypair sslvpnkeypair
crl configure
crypto ca certificate chain localtrust
certificate c116474f
308201e7 30820150 a0030201 020204c1 16474f30 0d06092a 864886f7 0d010104
bce 90a3424e
f9f040e2 95c69b91 779b8a
quit
no crypto isakmp nat-traversal
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl trust-point localtrust intranet
webvpn
enable intranet
svc image disk0:/anyconnect-win-2.5.3055-k9.pkg 1
svc enable
group-policy GrpPolicy-ssl1 internal
group-policy GrpPolicy-ssl1 attributes
vpn-tunnel-protocol svc
tunnel-group ssl1 type remote-access
tunnel-group ssl1 general-attributes
address-pool pool1
default-group-policy GrpPolicy-ssl1
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect icmp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:be82cd121bde8e5de3981453caa201f0
: end
03-06-2012 09:15 AM
Peter,
Are you seeing any deny's in the log files? This kind of smells like someting is being denyed from the access lists. Also, where does the 10.161.111.X network reside?
Thanks,
Kimberly
03-06-2012 09:18 AM
Hi,
I see no denys in logg.
10.161.111. is on intranet interface
Peter
03-06-2012 09:31 AM
Peter,
Have you tried running a packet capture while trying to connect?
Thanks,
Kimberly
03-06-2012 09:39 AM
yes, I tried capture on intranet interfacem but I did not see any packet.
But I have no problem to connect intranet interface of ASA via ASDM
Peter
03-06-2012 12:09 PM
Hello,
Joseph advise should do it... If by any chance that does not make it please add the following and provide us the output:
packet-tracer input intranet tcp 10.161.11.1130 1025 10.164.32.15 80
Regards,
Julio
03-06-2012 11:06 AM
Peter,
From your configuration:
access-list intranet-in extended permit ip 10.161.111.0 255.255.255.0 host 10.0.0.0 log debugging
access-list intranet-in extended permit ip 10.164.32.0 255.255.255.0 host 10.0.0.0 log debugging
access-list intranet-in extended deny ip any any
You're permitting access to 10.0.0.0 but you're using the 'host' keyword. This is causing a 255.255.255.255 mask which isn't going to allow what you want.
Try adding this:
access-list intranet-in extended permit ip 10.161.111.0 255.255.255.0 host 10.164.32.15
03-06-2012 12:26 PM
I corrected mistake which was found by Joseph, but it still not working
SO i did packet-tracer...
pna-tdc1# packet-tracer input intranet tcp 10.161.11.130 1025 10.164.32.15 80
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list
Phase: 2
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 3
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
static (service491,intranet) 10.164.32.15 10.173.1.242 netmask 255.255.255.255
match ip service491 host 10.173.1.242 intranet any
static translation to 10.164.32.15
translate_hits = 0, untranslate_hits = 2
Additional Information:
NAT divert to egress interface service491
Untranslate 10.164.32.15/0 to 10.173.1.242/0 using netmask 255.255.255.255
Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: DROP
Config:
access-group intranet-in in interface intranet
access-list intranet-in extended deny ip any any
Additional Information:
Result:
input-interface: intranet
input-status: up
input-line-status: up
output-interface: service491
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
pna-tdc1#
03-06-2012 12:40 PM
Hi
Please remove this line and check
access-list intranet-in extended deny ip any any
Coz, in phase 4 it is showing
Type: ACCESS-LIST
Subtype: log
Result: DROP
Config:
One more quest where is the IP
10.164.32.15 belongs?
03-06-2012 12:48 PM
I have no account on server so I can not to ping from server.
I removed
access-list intranet-in extended deny ip any any
but it is stiil the same.
What you think about phase3
Phase: 3
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
static (service491,intranet) 10.164.32.15 10.173.1.242 netmask 255.255.255.255
match ip service491 host 10.173.1.242 intranet any
static translation to 10.164.32.15
translate_hits = 0, untranslate_hits = 2
Additional Information:
NAT divert to egress interface service491
Untranslate 10.164.32.15/0 to 10.173.1.242/0 using netmask 255.255.255.255
03-06-2012 01:11 PM
i corrected "packet-tracer..." there was mistake, 10.161.11.130 instead 10.161.111.130
pna-tdc1# packet-tracer input intranet tcp 10.161.111.130 1025 10.164.32.15 22
Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
static (service491,intranet) 10.164.32.15 10.173.1.242 netmask 255.255.255.255
match ip service491 host 10.173.1.242 intranet any
static translation to 10.164.32.15
translate_hits = 0, untranslate_hits = 4
Additional Information:
NAT divert to egress interface service491
Untranslate 10.164.32.15/0 to 10.173.1.242/0 using netmask 255.255.255.255
Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group intranet-in in interface intranet
access-list intranet-in extended permit ip 10.161.111.0 255.255.255.0 10.0.0.0 255.0.0.0 log debugging
Additional Information:
Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 5
Type: FOVER
Subtype: standby-update
Result: ALLOW
Config:
Additional Information:
Phase: 6
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
static (service491,intranet) 10.164.32.15 10.173.1.242 netmask 255.255.255.255
match ip service491 host 10.173.1.242 intranet any
static translation to 10.164.32.15
translate_hits = 0, untranslate_hits = 4
Additional Information:
Phase: 7
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (service491,intranet) 10.164.32.15 10.173.1.242 netmask 255.255.255.255
match ip service491 host 10.173.1.242 intranet any
static translation to 10.164.32.15
translate_hits = 0, untranslate_hits = 4
Additional Information:
Phase: 8
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 9
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 2956, packet dispatched to next module
Phase: 10
Type: ROUTE-LOOKUP
Subtype: output and adjacency
Result: ALLOW
Config:
Additional Information:
found next-hop 10.173.1.242 using egress ifc service491
adjacency Active
next-hop mac address 0014.4fed.bb6c hits 41
Result:
input-interface: intranet
input-status: up
input-line-status: up
output-interface: service491
output-status: up
output-line-status: up
Action: allow
pna-tdc1#
pna-tdc1#
03-06-2012 01:21 PM
router which is in front of ASA has this in arp cache:
router#sh arp | i 10.164.32.15
Internet 10.164.32.15 0 Incomplete ARPA
router#
03-06-2012 01:26 PM
it looks that router can not to reslove 10.164.32.15 to MAC address via arp request. What do you think?
03-06-2012 01:37 PM
Hello,
That is correct, that seems to be the problem.
Now on the packet-tracer we can see that everything is properly configured on the ASA site ( the NAT, ACLs,inspections, etc) is properly configured.
Do you have a route from the router to that ip via the ASA?
Regards,
03-06-2012 01:40 PM
router#sh ip route | i 10.164.32.0
C 10.164.32.0/24 is directly connected, GigabitEthernet0/0.2
router#
Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: