New Member

NAT Rule Blocking Traffic?

I am pretty confused about a firewall setup I inherited that is causing me some problems. It's an ASA 5505 configured with the standard Inside and Outside networks, plus a DMZ and a Test LAN. I am trying to get a backup solution configured that of course requires agents installed on the hosts to talk to the central console. The central console is installed on the DMZ in the 192.168.10.0/24 network. The server with the agent is installed on the 192.168.100.0/24 Test network. I added an ACL via the ASDM as follows:

access-list TEST_access_in line 3 extended permit object-group DM_INLINE_PROTOCOL_2 host 192.168.10.4 any
  access-list TEST_access_in line 3 extended permit ip host 192.168.10.4 any
  access-list TEST_access_in line 3 extended permit icmp host 192.168.10.4 any
  access-list TEST_access_in line 3 extended permit tcp host 192.168.10.4 any

When I tested this through the packet trace tool, it failed. It says it failed due to the following:

nat (TEST) 1 0.0.0.0 0.0.0.0
nat-control
match ip TEST any inside any
dynamic translation to pool 1 (192.168.20.1 [Interface PAT])
translate_hits=2, untranslate_hits=0

I have absolutely no idea what this means. I thought NAT just determined what kind of address translation you have for your unroutable IPs. I don't know why it would be blocking access between two networks. Can anyone give me some ideas or information about what this is referring to and what I might be doing wrong?

Thanks in advance.

3 REPLIES
Cisco Employee

Re: NAT Rule Blocking Traffic?

Please post the interface and nat configuration. This is a natting issue. Also, it would be nice if you could post the packet tracer output and the ip addresses you are testing from.

PK

New Member

Re: NAT Rule Blocking Traffic?

Thanks! Here is the config of the interfaces:

interface Vlan1
nameif inside
security-level 100
ip address 192.168.20.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 155.212.203.186 255.255.255.248
!
interface Vlan3
nameif dmz
security-level 50
ip address 192.168.10.1 255.255.255.0
!
interface Vlan13
nameif TEST
security-level 100
ip address 192.168.100.1 255.255.255.0

Here are the NAT statements:

access-list dmz_nat0_outbound extended permit ip 192.168.10.0 255.255.255.0 192.168.30.0 255.255.255.240
access-list inside_nat0_outbound extended permit ip 192.168.20.0 255.255.255.0 192.168.30.0 255.255.255.240
access-list inside_nat0_outbound extended permit ip 192.168.20.0 255.255.255.0 192.168.100.0 255.255.255.0
*********************************

nat-control
global (inside) 1 interface
global (outside) 1 interface
global (dmz) 2 interface
global (TEST) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz) 0 access-list dmz_nat0_outbound
nat (TEST) 1 0.0.0.0 0.0.0.0
static (TEST,inside) 192.168.100.0 192.168.100.0 netmask 255.255.255.0 dns
static (inside,dmz) 192.168.20.0 192.168.20.0 netmask 255.255.255.0
static (inside,TEST) 192.168.100.0 192.168.20.0 netmask 255.255.255.0
static (TEST,dmz) 192.168.100.0 192.168.100.0 netmask 255.255.255.0
***************************

access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
access-group dmz_access_in in interface dmz
access-group TEST_access_in in interface TEST

I am trying to connect from IP 192.168.10.4 in the DMZ network to 192.168.20.220 on the inside LAN. With no changes to the configuration from me I do a packet trace from the DMZ. The output is this:

I perform the same test on the inside interface, no change made to the existing config, and I get this:

So, I figure I need to add an ACL to prevent the implicit deny rule. I create a rule permitting source 192.168.10.4 to 192.168.20.220, protocols IP and TCP, and apply it to the inside of the inside interface. I do the same test as before and I get this:

Having thought about this since my post, I do need to mention that the source IP (192.168.10.4) has a static NAT to a public IP in the config. So, presumably when traffic from that host leaves the ASA it gets translated to the public IP. I did try changing my ACLs to the public IP instead, but that also didn't work so I doubt that I'm barking up the right tree.

Cisco Employee

Re: NAT Rule Blocking Traffic?

You are not running packet tracer for the return traffic properly.

If you run it for traffic hitting the inside, the source will be 192.168.20./24 destined to 192.168.10.4.

The config looks good for this flow.

PK
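To see why packet tracer reported the nat (TEST) 1 line above, here is an added example (not code from the thread or from Cisco) that models the pre-8.3 ASA NAT lookup order, nat 0 exemption first, then static, then dynamic nat/global under nat-control, and walks the posted NAT and interface configuration for a few constructed flows. The evaluation order is a simplified assumption; policy NAT, the unposted public static for 192.168.10.4, and the access-list checks are deliberately left out.

```python
import ipaddress

# Added, simplified model of the ASA pre-8.3 NAT lookup order (nat 0 ACL exemption,
# then static, then dynamic nat/global with nat-control). Tables are transcribed from
# the config posted in this thread; policy NAT and ACL checks are intentionally omitted.
NAT0 = {  # nat (ifc) 0 access-list <acl>: (source net, destination net) exemptions
    "inside": [("192.168.20.0/24", "192.168.30.0/28"), ("192.168.20.0/24", "192.168.100.0/24")],
    "dmz": [("192.168.10.0/24", "192.168.30.0/28")],
}
STATIC = [  # static (real_ifc,mapped_ifc) <mapped> <real> netmask <mask>
    ("TEST", "inside", "192.168.100.0/24", "192.168.100.0/24"),
    ("inside", "dmz", "192.168.20.0/24", "192.168.20.0/24"),
    ("inside", "TEST", "192.168.100.0/24", "192.168.20.0/24"),
    ("TEST", "dmz", "192.168.100.0/24", "192.168.100.0/24"),
]
DYNAMIC = {"inside": 1, "TEST": 1}                         # nat (ifc) <id> 0.0.0.0 0.0.0.0
GLOBAL = {"inside": 1, "outside": 1, "dmz": 2, "TEST": 1}  # global (ifc) <id> interface
IFACE_IP = {"inside": "192.168.20.1", "outside": "155.212.203.186",
            "dmz": "192.168.10.1", "TEST": "192.168.100.1"}

def _in(ip, net):
    return ipaddress.ip_address(ip) in ipaddress.ip_network(net)

def nat_lookup(src_ifc, dst_ifc, src_ip, dst_ip):
    """Return the NAT rule a packet entering src_ifc would hit, or a nat-control drop."""
    # 1. NAT exemption on the ingress interface wins over everything else.
    for s_net, d_net in NAT0.get(src_ifc, []):
        if _in(src_ip, s_net) and _in(dst_ip, d_net):
            return f"nat ({src_ifc}) 0 exempt {s_net} -> {d_net}"
    # 2. A static whose real side is the ingress interface translates the source...
    for real_ifc, mapped_ifc, mapped, real in STATIC:
        if (real_ifc, mapped_ifc) == (src_ifc, dst_ifc) and _in(src_ip, real):
            return f"static ({real_ifc},{mapped_ifc}) translate {real} -> {mapped}"
        # ...and one whose mapped side is the ingress interface untranslates the destination.
        if (real_ifc, mapped_ifc) == (dst_ifc, src_ifc) and _in(dst_ip, mapped):
            return f"static ({real_ifc},{mapped_ifc}) untranslate {mapped} -> {real}"
    # 3. Dynamic nat/global pair: the ids must match on ingress and egress interface.
    nat_id = DYNAMIC.get(src_ifc)
    if nat_id is not None and GLOBAL.get(dst_ifc) == nat_id:
        return f"nat ({src_ifc}) {nat_id} PAT to {IFACE_IP[dst_ifc]} [Interface PAT]"
    # 4. nat-control: no translation means the packet is dropped.
    return "DROP: nat-control and no matching translation"

if __name__ == "__main__":
    # Constructed flows from the thread: the console host 192.168.10.4 and a TEST host.
    for flow in [("TEST", "inside", "192.168.10.4", "192.168.20.220"),
                 ("dmz", "inside", "192.168.10.4", "192.168.20.220"),
                 ("TEST", "dmz", "192.168.100.5", "192.168.10.4"),
                 ("dmz", "TEST", "192.168.10.4", "192.168.30.5")]:
        print(flow, "=>", nat_lookup(*flow))
```

The first flow reproduces the packet-tracer result in the thread: a source of 192.168.10.4 entering TEST matches no static, so it falls through to nat (TEST) 1 and interface PAT on 192.168.20.1.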
