10-21-2007 09:12 PM - edited 03-11-2019 04:28 AM
Hi,
I'm trying to create a static NAT for an outside server to access an inside server:
static (inside,outside) a.b.c.d 1.2.3.4 netmask 255.255.255.255
Xlate table shows that static NAT took place
Packet capture shows the destination IP address becomes 0.0.0.0, which really puzzles me.
Is someone able to shed some light on this?
Thanks
/chunsing
-----------------------------
ASA# sh cap ACS trace
42 packets captured
1: 10:58:57.102732 <IP_Addr_of_ext_svr>.2406 > a.b.c.d.1645: udp 54
<...truncated ...>
Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside_in in interface outside
access-list outside_in extended permit ip object-group EJPROXY_SVRS host a.b.c.d
object-group network EJPROXY_SVRS
network-object host <IP_Addr_of_ext_svr>
Additional Information:
Forward Flow based lookup yields rule:
in id=0x4666550, priority=12, domain=permit, deny=false
hits=7, user_data=0x45a8278, cs_id=0x0, flags=0x0, protocol=0
src ip=<IP_Addr_of_ext_svr>, mask=255.255.255.255, port=0
dst ip=a.b.c.d, mask=255.255.255.255, port=0
<...truncated ...>
Phase: 5
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x3e43060, priority=12, domain=capture, deny=false
hits=1, user_data=0x4596d30, cs_id=0x461cf98, reverse, flags=0x0, protocol=0
src ip=<IP_Addr_of_ext_svr>, mask=255.255.255.255, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0 *****dst IP becomes 0.0.0.0******
-----------------------------
10-22-2007 08:17 AM
Hi Chun, few questions for you.
1- Do you have any other static working or is it only this static that does not work?
2- Make sure the inside host does not have a firewall turned on.
3- Make sure the host is listening on the ports you have indicated in your access-list for this static NAT translation.
Could you post the output of the following:
If running code 6.x
"show sysopt "
if running 7.x,8.x
"show running-config sysopt "
10-23-2007 06:57 PM
Hi Jorgemcse,
Thanks for your reply.
1) This is the only static that isn't working.
2 & 3) The inside host doesn't have a firewall and is able to respond to requests from other internal hosts.
ICES-ASA# show running-config sysopt
no sysopt connection timewait
sysopt connection tcpmss 1380
sysopt connection tcpmss minimum 0
no sysopt nodnsalias inbound
no sysopt nodnsalias outbound
no sysopt radius ignore-secret
sysopt connection permit-vpn
ICES-ASA#
10-23-2007 09:03 PM
I suspected something else from the sysopt output. Are you allowing TCP ports or IP services? I think the problem could be in your ACL allowing IP instead of TCP services.
e.g. I labbed this out by defining an outside group called vendor_group with their foreign IP addresses, then defined a TCP service group called TES_Group allowing the domain, ftp and rdp TCP services to access inside host a.b.c.d. The ACL should be:
access-list outside_in extended permit tcp object-group OUtside_Vendor host a.b.c.d object-group TEST_GROUP
access-group outside_in in interface outside
or something along these lines: define the outside hosts in your network object group, and also define the TCP services object group to be allowed.
10-23-2007 09:51 PM
Hi, I have checked my ACL and it is the same as your suggestion
--------------
access-list outside_in extended permit udp object-group EJPROXY_SVRS host a.b.c.d eq radius
object-group network EJPROXY_SVRS
network-object host
network-object host
---------------
Doing a "show access-list outside_in" indicates that the ACL is matched.
I've done a permit any-any but it still doesn't work.
10-23-2007 10:09 PM
How is the static NAT translation set up? Does it have a unique public IP for the inside host?
For the sake of testing, create a TCP RDP ACL and test from outside by doing "telnet PublicIP 3389" to see if you can reach it.
10-23-2007 10:30 PM
Your ACL is still UDP instead of TCP. It depends on what the server is listening on; if you run netstat on the server you will note TCP listening ports, not UDP, and that could be the reason you're not hitting it.
10-24-2007 05:50 AM
Hi Jorgemcse,
Thanks for your assistance. The server is listening for RADIUS on 1645/udp rather than TCP; as suggested, I've verified this using netstat.
In fact, I've done a permit ip any-any, which should include all UDP and TCP packets, but the server is not receiving the packets.
There is a unique public NAT for the internal server as well. I believe the flow breaks after the translation (outside to inside) where the destination IP address becomes 0.0.0.0, hence the packet goes back out the outside interface (the default route is to the outside interface).
thanks
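For reference, here is the complete inbound static NAT setup that the first post and the later ACL discussion describe, followed by the checks that pinpoint where a flow breaks. This is an added example, not the original poster's configuration: the addresses (203.0.113.10 as the external RADIUS client, 198.51.100.25 as the public address, 10.0.0.25 as the real inside address), the capture names RAD and RAD_IN, and the assumption of pre-8.3 ASA code (7.2/8.0, as in the thread) are all assumptions.

```text
! Added example, not the original poster's config. Assumed addresses:
!   203.0.113.10   external RADIUS client (the "outside server")
!   198.51.100.25  public (mapped) address of the inside RADIUS server
!   10.0.0.25      real inside address of the RADIUS server
! Pre-8.3 syntax, as used in the thread:
!   static (real_ifc,mapped_ifc) mapped_ip real_ip netmask mask
!
object-group network EJPROXY_SVRS
 network-object host 203.0.113.10
!
! One-to-one static: inbound packets to 198.51.100.25 are untranslated to 10.0.0.25
static (inside,outside) 198.51.100.25 10.0.0.25 netmask 255.255.255.255
!
! On pre-8.3 code the interface ACL is evaluated against the MAPPED (public)
! address, so the destination here is the public IP, not the inside IP.
! Only the port the server actually listens on (1645/udp) is opened.
access-list outside_in extended permit udp object-group EJPROXY_SVRS host 198.51.100.25 eq 1645
access-group outside_in in interface outside
!
! Verification 1: simulate the exact inbound packet and read every phase.
! A healthy trace has a NAT phase that untranslates 198.51.100.25 -> 10.0.0.25
! and ends with output-interface "inside". A final phase whose dst ip is
! 0.0.0.0, or an egress of "outside", means the packet was never untranslated
! and followed the default route back out.
packet-tracer input outside udp 203.0.113.10 2406 198.51.100.25 1645 detailed
!
! Verification 2: the translation and the resulting connection should both exist
show xlate | include 198.51.100.25
show conn | include 1645
!
! Verification 3: capture the same flow on BOTH interfaces. If RAD shows the
! packet but RAD_IN never does, the break is inside the ASA, not on the server.
capture RAD interface outside match udp host 203.0.113.10 host 198.51.100.25 eq 1645
capture RAD_IN interface inside match udp host 203.0.113.10 host 10.0.0.25 eq 1645
show capture RAD
show capture RAD_IN
```

The inside-interface capture matches on the real address (10.0.0.25) because by the time the packet reaches that interface it has been untranslated; matching on the public address there would never fire. Remove the captures with "no capture RAD" and "no capture RAD_IN" when finished, since they stay active and consume memory.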