New Member

NAT Rule not working Static

Hello, I have a problem with a NAT rule. I have set up a device (video conferencing) on the DMZ that needs to talk to the internet.

The NAT rule is just a normal setup:

 nat (DMZ,Outside) source static obj-192.168.69.125 obj-172.16.69.239

There is only one ACL for 192.168.69.125; it is a permit IP any:

access-list DMZ line 2 extended permit ip host 192.168.69.125 any log debugging interval 300

I have done a few captures off the firewall:

capture video interface dmZ match ip any host 192.168.69.125

I never see the 172.16.69.239 address.

capture video interface outside match ip any host 172.16.69.239

I never see the 192.168.69.125 address.

Here is the capture I was trying:

capture video type raw-data interface DMZ [Capturing - 0 bytes]
  match ip host 192.168.69.125 host 172.16.69.239

Any ideas or commands I can run?

Please.

8 REPLIES
VIP Purple

What is the output of the packet-tracer when simulating traffic for that device?

packet-tracer input DMZ udp 192.168.69.125 1234 172.16.69.239 1234


--
Don't stop after you've improved your network! Improve the world by lending money to the working poor: http://www.kiva.org/invitedby/karsteni
New Member

Result:
input-interface: DMZ
input-status: up
input-line-status: up
output-interface: Outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (sp-security-failed) Slowpath security checks failed

After Phases 1 through 9 the results are ALLOW.

VIP Purple

Please show the actual config of the ASA.


New Member

Firewall# packet-tracer input dmZ udp 192.168.69.125 1234 172.16.69.239 $

Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
MAC Access list

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   172.16.69.224  255.255.255.224 Outside

Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group DMZ in interface DMZ
access-list DMZ extended permit ip host 192.168.69.125 any log debugging
Additional Information:

Phase: 5
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (DMZ,Outside) source static obj-192.168.69.125 obj-172.16.69.239
Additional Information:
Static translate 192.168.69.125/1234 to 172.16.69.239/1234

Phase: 6
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group OUTSIDE out interface Outside control-plane
access-list OUTSIDE extended permit ip any4 any4 log debugging
Additional Information:

Phase: 9
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (DMZ,Outside) source static obj-192.168.69.125 obj-172.16.69.239
Additional Information:

Result:
input-interface: DMZ
input-status: up
input-line-status: up
output-interface: Outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (sp-security-failed) Slowpath security checks failed
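
As an added example (not from the thread or from Cisco), a small Python parser for packet-tracer output of the shape posted above: it flags a final drop that none of the listed phases explains, as happens here, and checks that the NAT phase mapped the host to the address you intended (the .125/.239 mix-up that comes up later in the thread). The sample is a constructed, abbreviated copy of the posted output.

```python
import re
# Constructed sample, abbreviated from the packet-tracer output posted in the thread.
SAMPLE = """\
Phase: 5
Type: NAT
Result: ALLOW
nat (DMZ,Outside) source static obj-192.168.69.125 obj-172.16.69.239
Additional Information:
Static translate 192.168.69.125/1234 to 172.16.69.239/1234

Result:
Action: drop
Drop-reason: (sp-security-failed) Slowpath security checks failed
"""
TRANSLATE_RE = re.compile(r"Static translate (\S+)/\d+ to (\S+)/\d+")

def parse_packet_tracer(text):
    """Return (phases, result): one dict per 'Phase:' block plus the final 'Result:' block."""
    phases, result = [], {}
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        if lines[0].startswith("Phase:"):
            phase = {"phase": int(lines[0].split(":", 1)[1]), "info": []}
            for line in lines[1:]:
                key, sep, val = line.partition(":")
                if sep and key in ("Type", "Subtype", "Result"):
                    phase[key.lower()] = val.strip()
                elif line and not line.endswith(":"):  # config and translation lines
                    phase["info"].append(line)
            phases.append(phase)
        elif lines[0].startswith("Result:"):
            for line in lines[1:]:
                key, _, val = line.partition(":")
                result[key.strip().lower()] = val.strip()
    return phases, result

def summarize(text, expected_mapped=None):
    """Flag a drop that no listed phase explains; check the NAT phase mapped to the expected address."""
    phases, result = parse_packet_tracer(text)
    denied = [p["phase"] for p in phases if p.get("result") != "ALLOW"]
    hits = (TRANSLATE_RE.search(l) for p in phases for l in p["info"])
    mapped = next((m.group(2) for m in hits if m), None)
    return {
        "action": result.get("action"),
        "drop_reason": result.get("drop-reason"),
        "denied_phases": denied,
        "drop_after_all_phases_allowed": result.get("action") == "drop" and not denied,
        "mapped_address": mapped,
        "mapped_matches": expected_mapped is None or mapped == expected_mapped,
    }
```

A True `drop_after_all_phases_allowed` tells you to look beyond the printed phases (here the missing outside ACL entry the poster later found), rather than at the rules packet-tracer already marked ALLOW.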

VIP Purple

In your first post you say that you translate to 172.16.69.125, but in the packet-tracer you translate to .239.

Please specify exactly how you want to translate the traffic and which systems should communicate exactly.


New Member

Sorry, I have corrected it; it is .239.

I found that I was missing an outside ACL line as well. I am getting a username and password problem now, instead of "server has rejected the connection".

VIP Purple

That means, for the ASA-config everything is fine now?


New Member

Still working on this problem, but I believe this part is fixed.
