Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

not able to reach ASA ouside nat ip from inside

 

Hi..

 

I have a ASA 5525 ver 9.1(2). I have a inside interface 10.110.10.0/24 and outside network 115.112.94.0/27. I have natted a inside server with ip 115.112.94.10 and when trying to reach this public ip from inside machine, i can not reach this public ip.

I have disabled anti spoofing and enabled same security permit traffic inter and intra interface, also had open ACL but still dont work.

Pls help what could be issue.

15 REPLIES

Hi , Could you please share

Hi ,

 Could you please share me your ASA config ?? or NAT config 

 

HTH

Sandy

New Member

  NAT config..object network

 

 NAT config..

object network obj-10.110.10.112
 nat (inside,outside) static 115.112.94.10
 

 

Interface                Name                   IP address      Subnet mask     Method
GigabitEthernet0/0       outside                115.112.94.2   255.255.255.224   manual
GigabitEthernet0/1       inside                 10.110.10.1   255.255.255.0   CONFIG

 

This ip(115.112.94.10) is reachable from public network. But not from behind firewall.
 

New Member

Hi Anukalp add a (inside

Hi Anukalp

 

add a (inside,inside) to make this work

 

you are trying to do a U-turn here,

TRY ADDING THE FOLLOWING:

object network obj-10.110.10.112
 nat (inside,inside) static 115.112.94.10

 

Cheers 

 

Naveen

 

Hope it helps Cheers, Naveen Please Rate Helpful posts.
New Member

Hi. Should i add above nat

Hi.

 Should i add above nat statement along with which i shared above, also let me know if it does not cause any other issue because this is server and it is in production.

Also let me know if any ports are also required to allow. I already had allowed all required ports from outside.

Hi  Add below command this

Hi 

 Add below command this will not cause any issue for traffic , this configuration ensures NATing for inside to inside Access .

object network Public_Server

host 115.112.94.10

nat (inside,inside) source dynamic any interface destination static Public_Server obj-10.110.10.112

same-security-traffic permit intra-interface

 

HTH

Sandy

 

New Member

Thanks Santosh, i have a

Thanks Santosh, i have a guest network on firewall too and guest network can connect to this server through public ip only so any other nat rule do i need to place for this also.

Interface Name IP address Subnet mask Method
GigabitEthernet0/0 outside 115.112.94.2 255.255.255.224 manual
GigabitEthernet0/1 inside 10.110.10.1 255.255.255.0 CONFIG

GigabitEthernet0/2 guest 192.168.1.1 255.255.255.0 CONFIG

Hi , This NAT is applicable ,

Hi ,

 This NAT is applicable , when you are connecting from inside segment 10.110.10.0/24 . Not for Guest segment . 

For Guest Segment server must be accessible with public IP address . 

 

HTH

Sandy

New Member

 Hi Sandy.. i need to get

 

Hi Sandy.. i need to get this access from guest network, this guest network is like inside network but it has no connectivity to inside(denied by ACL), aslo users connecting on guest network gets ip of same pool configured on firewall guest interface. guest network is allowed only for internet traffic and natted with one of firewall outside interface ip pool. It can only communicate with server public ip.

Is it not possible to reach public ip of server from guest network.

New Member

Someone tell me if this

Someone tell me if this poosible to access natted server ip from guest network.

Pls help.

It should be work from Guest

It should be work from Guest Network . You should able to access it via Public IP address without any issue.

 

HTH

Sandy

New Member

Hi Sandy.. It is not working,

Hi Sandy.. It is not working, guest netowork is also dynamic pat with a ip of outside network pool and this inside server is too static nat   with a ip of outside network pool. Where is it getting blocked. Should there be no commnication in this scenario.

Hi , Can you share me packet

Hi ,

 Can you share me packet tracer output running from your DMZ interface towards Public IP address .

Else open a webex session to trouble fix on this .

HTH

Sandy

New Member

hi...pls see below logs Phase

hi...

pls see below logs

 

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7fff33eab610, priority=1, domain=permit, deny=false
        hits=222687464, user_data=0x0, cs_id=0x0, l3_type=0x8
        src mac=0000.0000.0000, mask=0000.0000.0000
        dst mac=0000.0000.0000, mask=0100.0000.0000
        input_ifc=wireless, output_ifc=any

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   115.114.94.0   255.255.255.224   outside

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group WIFI in interface wireless
access-list WIFI extended permit ip 192.168.1.0 255.255.255.0 any Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7fff349c2950, priority=13, domain=permit, deny=false
        hits=4244997, user_data=0x7fff2c4810c0, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
        src ip/id=192.168.200.0, mask=255.255.255.0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
        input_ifc=wireless, output_ifc=any

Phase: 4
Type: NAT
Subtype:
Result: ALLOW
Config:
object network obj-192.168.1.0
 nat (wireless,outside) dynamic 115.114.94.14 Additional Information:
Dynamic translate 192.168.1.144/0 to 115.114.94.14/65296  Forward Flow based lookup yields rule:
 in  id=0x7fff34e13cf0, priority=6, domain=nat, deny=false
        hits=625308, user_data=0x7fff35a33c30, cs_id=0x0, flags=0x0, protocol=0
        src ip/id=192.168.1.218, mask=255.255.255.192, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
        input_ifc=wireless, output_ifc=outside

Phase: 5
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7fff32fc1830, priority=0, domain=nat-per-session, deny=true
        hits=73239394, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
        input_ifc=any, output_ifc=any

Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7fff34b458d0, priority=0, domain=inspect-ip-options, deny=true
        hits=4297048, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
        input_ifc=wireless, output_ifc=any

Phase: 7
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect icmp
service-policy global_policy global
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7fff352fad60, priority=70, domain=inspect-icmp, deny=false
        hits=10146, user_data=0x7fff35771490, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
        src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, tag=0, dscp=0x0
        input_ifc=wireless, output_ifc=any

Phase: 8
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7fff34b45200, priority=66, domain=inspect-icmp-error, deny=false
        hits=19798, user_data=0x7fff33b9ea50, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
        src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, tag=0, dscp=0x0
        input_ifc=wireless, output_ifc=any

Phase: 9
Type:
Subtype:
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7fff36dd2f10, priority=18, domain=flow-export, deny=false
        hits=1475363, user_data=0x7fff3553ca30, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
        input_ifc=wireless, output_ifc=any

Phase: 10
Type: USER-STATISTICS
Subtype: user-statistics
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 out id=0x7fff3775d290, priority=0, domain=user-statistics, deny=false
        hits=56046448, user_data=0x7fff34f8ffa0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
        input_ifc=any, output_ifc=outside

Phase: 11
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
 Reverse Flow based lookup yields rule:
 in  id=0x7fff32fc1830, priority=0, domain=nat-per-session, deny=true
        hits=73239396, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
        input_ifc=any, output_ifc=any

Phase: 12
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
 Reverse Flow based lookup yields rule:
 in  id=0x7fff34af96a0, priority=0, domain=inspect-ip-options, deny=true
        hits=128152752, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
        input_ifc=outside, output_ifc=any

Phase: 13
Type: USER-STATISTICS
Subtype: user-statistics
Result: ALLOW
Config:
Additional Information:
 Reverse Flow based lookup yields rule:
 out id=0x7fff3775d650, priority=0, domain=user-statistics, deny=false
        hits=884040, user_data=0x7fff34f8ffa0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
        input_ifc=any, output_ifc=wireless

Phase: 14
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 143923582, packet dispatched to next module Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_inspect_icmp
snp_fp_translate
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Module information for reverse flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_inspect_icmp
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Result:
input-interface: wireless
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow

New Member

How can we connect outside

How can we connect outside address from inside ...those r for outsiders only right ...insiders have inside address only to use.

 Hi , Apply below

 

Hi ,

 Apply below commands

object network Public_Server

host 115.112.94.10

! existing comand on your ASA you can ignore below object 

object network obj-10.110.10.112

host 10.110.10.112

nat (inside,inside) source dynamic any interface destination static Public_Server obj-10.110.10.112

same-security-traffic permit intra-interface

 

HTH

Sandy

89
Views
8
Helpful
15
Replies