Cisco Support Community
Nat issue

Hi,

I am having a NAT issue and I am not sure what is going on. I have tried configuring NAT exempt, but that didn't solve the issue.

ASA 5520

version 8.2

My client has the inside network on interface gig0/1.100 and the guest network on gig0/2.200. The whole 10.77.1.0/24 network needs to be able to reach the server with IP 10.47.47.80 using HTTP. The access list is in place on the guest interface to allow traffic to the server. The problem is that when I do a packet trace to see the traffic flow, it is dropped on a NAT rpf-check.

NAT control is disabled.

fw-001# packet-tracer input languest tcp 10.77.1.2 4444 10.47.47.80 www detail

Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   10.47.32.0      255.255.224.0   inside

Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   10.77.1.0       255.255.255.0   languest

Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group languest in interface languest
access-list languest extended permit tcp 10.77.0.0 255.255.0.0 host 10.47.47.80 eq www
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xcf9a8d68, priority=12, domain=permit, deny=false
        hits=24, user_data=0xca3a2880, cs_id=0x0, flags=0x0, protocol=6
        src ip=10.77.0.0, mask=255.255.0.0, port=0
        dst ip=10.47.47.80, mask=255.255.255.255, port=80, dscp=0x0

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xcccf80d0, priority=0, domain=inspect-ip-options, deny=true
        hits=20976, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 6
Type: FOVER
Subtype: standby-update
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xcc9d9560, priority=21, domain=lu, deny=true
        hits=29, user_data=0x0, cs_id=0x0, flags=0x0, protocol=6
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=80, dscp=0x0

Phase: 7
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (languest,telenorguest) 10.77.1.0 10.77.1.0 netmask 255.255.255.0
  match ip languest 10.77.1.0 255.255.255.0 telenorguest any
    static translation to 10.77.1.0
    translate_hits = 3682, untranslate_hits = 6954
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xccd78a00, priority=5, domain=host, deny=false
        hits=16886022, user_data=0xccd783c0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip=10.77.1.0, mask=255.255.255.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 8
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
nat (inside) 1 0.0.0.0 0.0.0.0
  match ip inside any languest any
    dynamic translation to pool 1 (No matching global)
    translate_hits = 0, untranslate_hits = 0
Additional Information:
Forward Flow based lookup yields rule:
out id=0xccd6e600, priority=1, domain=nat-reverse, deny=false
        hits=25, user_data=0xccd6e390, cs_id=0x0, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Result:
input-interface: languest
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

Any ideas why this is happening?

Thanks

Accepted Solution

Nat issue

Hello,

Is the server on the telenorguest interface?

And if you want to access it from the languest interface, you need to NAT the server for the telenorguest to see it.

Try with this static:

static (telenorguest,languest) 10.47.47.80 10.47.47.80

Let me know if this works for you
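As an added illustration (not part of the thread and not the poster's own configuration), the ASA 8.2 snippet below puts the pieces of the trace together: the catch-all dynamic rule that produces the rpf-check drop, the identity static from the accepted answer, the NAT-exempt alternative written from the server-side interface, and the commands used to verify the result. Interface names and addresses are the thread's; the `global (outside)` line and the `NONAT_inside` ACL name are assumptions.

```cisco
! Added example, not configuration from the thread.
! Interface names, 10.77.1.0/24 and 10.47.47.80 come from the trace above;
! the global line and the ACL name are assumed for illustration.

! --- What produces the Phase 8 rpf-check drop ---
! Even with nat-control disabled, a host that matches a dynamic nat rule
! needs a global on the egress interface. The catch-all below matches every
! inside host, and there is no "global (languest)", so the reverse lookup
! for server -> guest traffic finds "No matching global" and the flow drops.
static (languest,telenorguest) 10.77.1.0 10.77.1.0 netmask 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface          ! assumed; not shown in the thread

! --- Fix from the accepted answer: identity static for the server ---
! Syntax: static (real_ifc,mapped_ifc) mapped_ip real_ip netmask mask
! The first interface must be the one the ASA actually routes the server
! through (Phase 2 of the trace resolved 10.47.47.80 via "inside").
static (telenorguest,languest) 10.47.47.80 10.47.47.80 netmask 255.255.255.255

! --- Alternative: NAT exemption on the server-side interface ---
! nat 0 ACLs are written from the perspective of the interface they are
! applied to: source = host behind that interface, destination = the clients.
access-list NONAT_inside extended permit ip host 10.47.47.80 10.77.1.0 255.255.255.0
nat (inside) 0 access-list NONAT_inside

! --- Verify ---
! Existing translations are cached; clear them so the new rule is consulted
! (this also tears down current connections through those xlates).
clear xlate
! Forward direction: Phase 8 should now report ALLOW and Action: allow.
packet-tracer input languest tcp 10.77.1.2 4444 10.47.47.80 www
! Reverse direction, which is what the rpf-check evaluates: the NAT phase
! should select the identity static (or nat 0), not "pool 1 (No matching global)".
packet-tracer input inside tcp 10.47.47.80 80 10.77.1.2 4444
show running-config static
show running-config nat
show xlate | include 10.47.47.80
```

The hit counters printed in the NAT phase of packet-tracer (translate_hits / untranslate_hits) are the quickest way to confirm which rule a live flow actually took; if the drop persists after adding the static, the usual cause is that the interface pair does not match the egress interface shown under "output-interface" in the trace.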

Nat issue

Ugh!!! So simple. I should have thought of that. Thanks :-)

If it wasn't obvious, it worked.
