Multiple Global to a Single Local IP

Hello,

I have the ASA configured and everything is working fine. But whenever I add a static policy NAT, it stops my computer from communicating on port 3101 (TCP). When I take it out, everything works fine. I would like to translate one local address to multiple global addresses. Below are the commands and the real-time log. How can I make it work? Is there any other approach? Your help is greatly appreciated.

access-list policy_nat_1 extended permit ip host 10.1.1.1 any

access-list policy_nat_2 extended permit ip host 10.1.1.1 any

static (inside,outside) 10.1.1.1 access-list policy_nat_1

static (inside,outside) 10.198.8.40 access-list policy_nat_2

Real Time Log

Built outbound TCP connection 178629733 for outside: 20.2.2.2/3101 (206.51.26.33/3101) to inside:10.20.0.68/3955 (10.1.1.1/3955)

Teardown TCP connection 178624695 for outside:20.2.2.2/3101 to inside:10.1.1.1/3925 duration 0:00:30 bytes 0 SYN Timeout

13 REPLIES

Re: Multiple Global to a Single Local IP

Could you provide more information? Are you trying to use the same inbound TCP port? Let us know otherwise.

inside IP host 10.1.1.1

Assume outside global addresses are 10.198.8.40 , 10.198.8.41 , 10.198.8.42

Target TCP port 3101 on 10.1.1.1

Your static policy NAT:

static (inside,outside) 10.198.8.40 access-list policy_nat_1

static (inside,outside) 10.198.8.41 access-list policy_nat_2

static (inside,outside) 10.198.8.42 access-list policy_nat_3

Your policy NAT ACLs:

access-list policy_nat_1 extended permit ip host 10.1.1.1 any

access-list policy_nat_2 extended permit ip host 10.1.1.1 any

access-list policy_nat_3 extended permit ip host 10.1.1.1 any

Your outside inbound ACL:

access-list outside_access_in extended permit tcp any host 10.198.8.40 eq 3101 log

access-list outside_access_in extended permit tcp any host 10.198.8.41 eq 3101 log

access-list outside_access_in extended permit tcp any host 10.198.8.42 eq 3101 log

Regards

PLS rate helpful posts
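Before adding more statics, it is worth checking whether any two policy NAT statics already match the same traffic: a flow can only receive one translation, and on the ASA the statics are tried in configuration order with the first match winning, so a later static whose ACL is identical to, or contained in, an earlier one never translates that traffic. The four lines in the original post (two ACLs that both permit host 10.1.1.1 to any) are exactly that case. The script below is an added example written for this thread, not code from the original post or from Cisco; the second config, its 192.0.2.0/24 VPN subnet and the first-match assumption are hypothetical.

```python
import ipaddress
import re
from itertools import combinations

# Constructed config excerpt modelled on the original post's four lines
# (not the poster's full config): two policy-NAT statics whose ACLs match
# exactly the same traffic.
OVERLAPPING_CONFIG = """\
access-list policy_nat_1 extended permit ip host 10.1.1.1 any
access-list policy_nat_2 extended permit ip host 10.1.1.1 any
static (inside,outside) 10.1.1.1 access-list policy_nat_1
static (inside,outside) 10.198.8.40 access-list policy_nat_2
"""

# Hypothetical rework: the VPN translation is scoped to the remote VPN
# subnet (192.0.2.0/24 is an assumed placeholder, not from the thread)
# and its static is listed before the catch-all one.
SCOPED_CONFIG = """\
access-list policy_nat_1 extended permit ip host 10.1.1.1 any
access-list policy_nat_2 extended permit ip host 10.1.1.1 192.0.2.0 255.255.255.0
static (inside,outside) 10.198.8.40 access-list policy_nat_2
static (inside,outside) 10.1.1.1 access-list policy_nat_1
"""

ACL_RE = re.compile(r"^access-list\s+(\S+)\s+extended\s+permit\s+(\S+)\s+(.+)$")
STATIC_RE = re.compile(r"^static\s+\(\S+,\S+\)\s+(\S+)\s+access-list\s+(\S+)")


def _take_addr(tokens):
    """Consume one ASA address spec (any | host A | A MASK) from the tokens."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]


def parse_config(text):
    """Return ({acl_name: [(proto, src_net, dst_net)]}, [(global_ip, acl_name)]).

    Statics are kept in configuration order; port qualifiers (eq ...) and the
    'log' keyword are ignored because this check is about address overlap."""
    acls, statics = {}, []
    for line in text.splitlines():
        line = line.strip()
        if m := ACL_RE.match(line):
            name, proto, rest = m.groups()
            src, rest_tokens = _take_addr(rest.split())
            dst, _ = _take_addr(rest_tokens)
            acls.setdefault(name, []).append((proto, src, dst))
        elif m := STATIC_RE.match(line):
            statics.append(m.groups())
    return acls, statics


def _covers(proto_a, proto_b):
    """True if protocol A matches everything protocol B matches."""
    return proto_a == "ip" or proto_a == proto_b


def find_shadowed_statics(text):
    """List (earlier_acl, later_acl, kind) for policy-NAT statics whose ACLs
    collide. 'identical' = same match criteria; 'shadowed' = the earlier ACE
    contains the later one. Assumes (as on the ASA) that statics are tried in
    configuration order with first match winning, so the later translation is
    never applied to that traffic. Partial overlaps where neither ACE contains
    the other are not reported."""
    acls, statics = parse_config(text)
    findings = []
    for (_, acl_a), (_, acl_b) in combinations(statics, 2):
        for pa, sa, da in acls.get(acl_a, []):
            for pb, sb, db in acls.get(acl_b, []):
                if not (_covers(pa, pb) and sb.subnet_of(sa) and db.subnet_of(da)):
                    continue
                kind = "identical" if (pa, sa, da) == (pb, sb, db) else "shadowed"
                findings.append((acl_a, acl_b, kind))
    return findings


if __name__ == "__main__":
    print(find_shadowed_statics(OVERLAPPING_CONFIG))  # [('policy_nat_1', 'policy_nat_2', 'identical')]
    print(find_shadowed_statics(SCOPED_CONFIG))       # []
```

Run it against the full running config (paste the access-list and static lines) rather than the excerpt; the check only reports collisions between statics, so regular statics or nat/global pairs that also match the host are not covered.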

Re: Multiple Global to a Single Local IP

The static NAT is set up for a site-to-site VPN. My problem is that whenever I add the static policy NAT, it stops my server from communicating with host 204.18.8.3 on port 3101. I have an outbound rule created for this traffic. If I remove the static policy NAT, the traffic to host 204.18.8.3 on port 3101 works fine. Somehow the static NAT is breaking the traffic to that host. Please let me know if I was clear enough.

Thanks,

Re: Multiple Global to a Single Local IP

Thanks for the additional information. Without seeing the config it is hard to see what could be breaking the traffic flow: NAT rules, global rules, etc.

Re: Multiple Global to a Single Local IP

I've attached my config file.

Thanks,

Re: Multiple Global to a Single Local IP

deleted

HTH, John *** Please rate all useful posts ***
Re: Multiple Global to a Single Local IP

Hi,

- Have you debugged the NAT on the FW?

- Did you check the NAT before and after configuring the policy NAT?

Try to use:

sh xlate debug

sh xlate debug | i "IP_address"

Re: Multiple Global to a Single Local IP

I have never debugged NAT on the ASA before. This is a very strange problem because I can access ports 443 and 80, etc., but I cannot access port 3101.

Re: Multiple Global to a Single Local IP

Ok.

Give a try to following command:

1) sh xlate debug (to see if the nat works for the particular port)

2) configure a capture (to sniff the traffic inside and outside)

3) contact the TAC tac@cisco.com

Re: Multiple Global to a Single Local IP

Allen, can you also PLS post any relevant real time ASDM logs when trying to access the server on that port. I'll take a look at the config carefully.

Regards

Re: Multiple Global to a Single Local IP

Thank you very much, below is the real time log when I initiate the session from my laptop.

REAL TIME LOG

-----------------------

6|Dec 29 2008|09:21:54|302013|206.51.26.33|3101|10.1.1.1|2604|Built outbound TCP connection 185635064 for outside:206.51.26.33/3101 (206.51.26.33/3101) to inside:10.1.1.1/2604 (10.198.8.40/2604)

6|Dec 29 2008|09:20:56|302014|206.51.26.33|3101|10.1.1.1|2581|Teardown TCP connection 185632176 for outside:206.51.26.33/3101 to inside:10.1.1.1/2581 duration 0:00:30 bytes 0 SYN Timeout

6|Dec 29 2008|09:20:26|302013|206.51.26.33|3101|10.1.1.1|2581|Built outbound TCP connection 185632176 for outside:206.51.26.33/3101 (206.51.26.33/3101) to inside:10.1.1.1/2581 (10.198.8.40/2581)

6|Dec 29 2008|09:18:19|302014|206.51.26.33|3101|10.1.1.1|2545|Teardown TCP connection 185625989 for outside:206.51.26.33/3101 to inside:10.1.1.1/2545 duration 0:00:30 bytes 0 SYN Timeout

6|Dec 29 2008|09:10:36|302014|206.51.26.33|3101|10.1.1.1|2440|Teardown TCP connection 185609323 for outside:206.51.26.33/3101 to inside:10.1.1.1/2440 duration 0:00:30 bytes 0 SYN Timeout

6|Dec 29 2008|09:10:06|302013|206.51.26.33|3101|10.1.1.1|2440|Built outbound TCP connection 185609323 for outside:206.51.26.33/3101 (206.51.26.33/3101) to inside:10.1.1.1/2440 (10.198.8.40/2440)
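The log above is the useful artifact in this thread: each 302013 "Built" line shows the translated (mapped) address in parentheses after the inside host, and each 302014 "Teardown" with "bytes 0 SYN Timeout" means the firewall forwarded the SYN but never saw a SYN/ACK return. Joining the two by connection ID shows which translation the failing flows were using. The script below is an added example written for this thread, not code from the original post or from Cisco; the log lines it embeds are copied from the post above, and the pipe-delimited field layout (message ID in the fourth field, message text last) is assumed from those lines.

```python
import re
from collections import Counter

# Real-time log lines copied from the thread (ASDM pipe-delimited export).
THREAD_LOG = """\
6|Dec 29 2008|09:21:54|302013|206.51.26.33|3101|10.1.1.1|2604|Built outbound TCP connection 185635064 for outside:206.51.26.33/3101 (206.51.26.33/3101) to inside:10.1.1.1/2604 (10.198.8.40/2604)
6|Dec 29 2008|09:20:56|302014|206.51.26.33|3101|10.1.1.1|2581|Teardown TCP connection 185632176 for outside:206.51.26.33/3101 to inside:10.1.1.1/2581 duration 0:00:30 bytes 0 SYN Timeout
6|Dec 29 2008|09:20:26|302013|206.51.26.33|3101|10.1.1.1|2581|Built outbound TCP connection 185632176 for outside:206.51.26.33/3101 (206.51.26.33/3101) to inside:10.1.1.1/2581 (10.198.8.40/2581)
6|Dec 29 2008|09:18:19|302014|206.51.26.33|3101|10.1.1.1|2545|Teardown TCP connection 185625989 for outside:206.51.26.33/3101 to inside:10.1.1.1/2545 duration 0:00:30 bytes 0 SYN Timeout
6|Dec 29 2008|09:10:36|302014|206.51.26.33|3101|10.1.1.1|2440|Teardown TCP connection 185609323 for outside:206.51.26.33/3101 to inside:10.1.1.1/2440 duration 0:00:30 bytes 0 SYN Timeout
6|Dec 29 2008|09:10:06|302013|206.51.26.33|3101|10.1.1.1|2440|Built outbound TCP connection 185609323 for outside:206.51.26.33/3101 (206.51.26.33/3101) to inside:10.1.1.1/2440 (10.198.8.40/2440)
"""

# %ASA-6-302013: Built ... connection <id> for <if>:<real>/<port> (<mapped>/<port>) to <if>:<real>/<port> (<mapped>/<port>)
BUILT_RE = re.compile(
    r"Built (?:outbound|inbound) TCP connection (?P<id>\d+) for "
    r"(?P<if1>\w+):(?P<real1>[\d.]+)/(?P<port1>\d+) \((?P<map1>[\d.]+)/\d+\) to "
    r"(?P<if2>\w+):(?P<real2>[\d.]+)/(?P<port2>\d+) \((?P<map2>[\d.]+)/\d+\)"
)
# %ASA-6-302014: Teardown TCP connection <id> for ... duration <d> bytes <n> <reason>
TEARDOWN_RE = re.compile(
    r"Teardown TCP connection (?P<id>\d+) for .*? duration (?P<duration>\S+) "
    r"bytes (?P<bytes>\d+)(?: (?P<reason>.+))?$"
)


def parse_asdm_line(line):
    """Split one pipe-delimited ASDM log line into (message_id, message_text)."""
    fields = line.rstrip("\n").split("|")
    if len(fields) < 9:
        return None
    return fields[3], fields[-1]


def correlate_connections(log_text):
    """Join Built (302013) and Teardown (302014) events by connection id.

    Returns {conn_id: {"inside_real", "inside_mapped", "outside", "dport",
    "bytes", "reason"}}; fields whose event is missing from the log stay None."""
    flows = {}
    for line in log_text.splitlines():
        parsed = parse_asdm_line(line)
        if parsed is None:
            continue
        msg_id, text = parsed
        if msg_id == "302013":
            m = BUILT_RE.search(text)
            if not m:
                continue
            # Whichever side is the inside interface carries the mapped address
            # the NAT rule chose for the inside host.
            if m["if2"] == "inside":
                inside_real, inside_map = m["real2"], m["map2"]
                outside, dport = m["real1"], m["port1"]
            else:
                inside_real, inside_map = m["real1"], m["map1"]
                outside, dport = m["real2"], m["port2"]
            flows.setdefault(m["id"], {}).update(
                inside_real=inside_real, inside_mapped=inside_map,
                outside=outside, dport=int(dport))
        elif msg_id == "302014":
            m = TEARDOWN_RE.search(text)
            if not m:
                continue
            flows.setdefault(m["id"], {}).update(
                bytes=int(m["bytes"]), reason=m["reason"])
    for f in flows.values():
        for key in ("inside_real", "inside_mapped", "outside", "dport", "bytes", "reason"):
            f.setdefault(key, None)
    return flows


def syn_timeouts_by_mapped_address(log_text):
    """Count zero-byte SYN-timeout flows per translated source address.

    Grouping by the mapped address shows whether the failures line up with one
    particular NAT translation; teardowns with no matching Built line in the
    sample are counted under 'unmatched'."""
    counts = Counter()
    for f in correlate_connections(log_text).values():
        if f["reason"] == "SYN Timeout" and f["bytes"] == 0:
            counts[f["inside_mapped"] or "unmatched"] += 1
    return counts


if __name__ == "__main__":
    for conn_id, f in sorted(correlate_connections(THREAD_LOG).items()):
        print(conn_id, f)
    print(syn_timeouts_by_mapped_address(THREAD_LOG))
```

On the six lines from the thread every correlated SYN timeout belongs to a flow translated to 10.198.8.40, which is the address of the second static; the same script run over a longer export (with the working port 80/443 flows included) would show whether those flows were translated differently.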

Re: Multiple Global to a Single Local IP

Have you tried running clear xlate and clear nat after changing the rule?

Re: Multiple Global to a Single Local IP

There is a KNOWN issue with clear xlate, according to CSCee2689. You need to use "clear localhost" instead, depending on the code version.

Re: Multiple Global to a Single Local IP

I cleared local-host entries but it's not working.
