Cisco Support Community

New Member

Static NAT issue

Hi Experts,

Please help me on this. I have attached my network diagram with this post.
My firewall is cisco ASA 5510 running with software version 8.4. I have configured static NAT for three servers (in diagram, server 1,2 and 3). The issue is, the static NAT is only working with the first server. No traffics are  going in and out from other two server (Server 2 and 3). All servers are in DMZ.

When I remove the static NAT for the server 2 and 3, all the traffic is going from the server with WAN IP of the firewall, that means the dynamic NAT is working. I have attached the configuration file also.

(NOTE: NAT is working for the Server 72.16.34.1)

Regards,
Ejaz


  • Firewalling
1 ACCEPTED SOLUTION

Accepted Solutions
Cisco Employee


Hi Ejaz,

Would you be able to try this workaround:-

https://supportforums.cisco.com/blog/149276/asapix-proxy-arp-vs-gratuitous-arp

I think the issue is with the IP addresses provided by the ISP.

Thanks and Regards,

Vibhor Amrodia

12 REPLIES
Cisco Employee


Hi Ejaz,

Can you please verify the NAT statements for only the servers which are not working. It is very difficult to search for it through the configuration which you have provided.

Also, you can send the Packet Tracer outputs from the Outside to DMZ for the servers which are not working.

Thanks and Regards,

Vibhor Amrodia

New Member


Hi Vibhor,

I have attached the NAT configuration of one of the servers that is having the issue. Also please see the packet tracer output:

ASA5510# packet-tracer input Outside tcp 4.2.2.2 12345 w.w.w.w 80 detaile$

Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
object network 172.16.34.3_Rev_NAT
 nat (DMZ,Outside) static 23.30.88.139 dns
Additional Information:
NAT divert to egress interface DMZ
Untranslate w.w.w.w/80 to 172.16.34.3/80

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         Outside

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group OUTSIDE_DMZ_ACCESS_IN_ACL in interface Outside
access-list OUTSIDE_DMZ_ACCESS_IN_ACL extended permit tcp any object UCALLTEL-DMZ-VOIPSRV-02-172.16.34.3 eq www
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xac8f08c0, priority=13, domain=permit, deny=false
        hits=1, user_data=0xa9863780, cs_id=0x0, use_real_addr, flags=0x0, protocol=6
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0
        dst ip/id=172.16.34.3, mask=255.255.255.255, port=80, dscp=0x0
        input_ifc=Outside, output_ifc=any

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xac03ccb0, priority=0, domain=inspect-ip-options, deny=true
        hits=152903, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
        input_ifc=Outside, output_ifc=any

Phase: 5
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xaf133240, priority=70, domain=inspect-http, deny=false
        hits=10024, user_data=0xaf132770, cs_id=0x0, use_real_addr, flags=0x0, protocol=6
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=80, dscp=0x0
        input_ifc=Outside, output_ifc=any

Phase: 6
Type: IDS
Subtype:
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xaca29438, priority=50, domain=ids, deny=false
        hits=33660, user_data=0xaf58bd60, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
        input_ifc=Outside, output_ifc=any

Phase: 7
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xad2d6908, priority=13, domain=ipsec-tunnel-flow, deny=true
        hits=65250, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
        input_ifc=Outside, output_ifc=any

Phase: 8
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
object network 172.16.34.3_Rev_NAT
 nat (DMZ,Outside) static w.w.w.w dns
Additional Information:
 Forward Flow based lookup yields rule:
 out id=0xaeb79b70, priority=6, domain=nat-reverse, deny=false
        hits=1, user_data=0xafa57f48, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0
        dst ip/id=172.16.34.3, mask=255.255.255.255, port=0, dscp=0x0
        input_ifc=Outside, output_ifc=DMZ

Phase: 9
Type: USER-STATISTICS
Subtype: user-statistics
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 out id=0xaf119ad8, priority=0, domain=user-statistics, deny=false
        hits=41909, user_data=0xaf144310, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
        input_ifc=any, output_ifc=DMZ

Phase: 10
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
 Reverse Flow based lookup yields rule:
 in  id=0xac0ef7b8, priority=0, domain=inspect-ip-options, deny=true
        hits=64267, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
        input_ifc=DMZ, output_ifc=any

Phase: 11
Type: USER-STATISTICS
Subtype: user-statistics
Result: ALLOW
Config:
Additional Information:
 Reverse Flow based lookup yields rule:
 out id=0xaf118a48, priority=0, domain=user-statistics, deny=false
        hits=150381, user_data=0xaf144310, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
        input_ifc=any, output_ifc=Outside

Phase: 12
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 609401, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_inspect_http
snp_fp_translate
snp_ids
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Module information for reverse flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_tcp_normalizer
snp_fp_inspect_http
snp_ids
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Result:
input-interface: Outside
input-status: up
input-line-status: up
output-interface: DMZ
output-status: up
output-line-status: up
Action: allow


Cisco Employee


Hi Ejaz,

Thank you for the reply. To be sure, are all the public IPs being used for NAT on the ASA device in the Outside interface pool? Correct?

If no, add this command:- arp permit-nonconnected

If yes, I think the issue might not be with the ASA device. Are these some new IP addresses, and have we used them before?

I would request you to apply the captures on the ASA device interfaces and see which device is not replying:-

capture capout interface Outside match ip host <Public IP of server which is not working> any

capture capin interface DMZ match ip host <Private IP of server which is not working> any

Send me the captures if required.

Thanks and Regards,

Vibhor Amrodia

New Member


Hi

Thank you for the reply.

"Outside interface pool"??? I didn't get it. Could you please explain this to me?

I am using the public IP addresses in the same IP block provided by the ISP. When I configured the public IP on the server and connected it directly to the ISP router, it was working fine.

Regards

Ejaz

Cisco Employee


Hi Ejaz,

For ex:- If you have the External Interface configured as :-

ip address 1.1.1.1 255.255.255.248

The NATted IP should be within this range of IP addresses:-

For Ex:- 1.1.1.1 - 1.1.1.6.

If not , you would need this command on the ASA device:-

arp permit-nonconnected

Thanks and Regards,

Vibhor Amrodia
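The check described in the reply above (is every static NAT public address inside the Outside interface's connected subnet, or is `arp permit-nonconnected` needed?) as an added example; this is not code from the thread or from Cisco. The config excerpt is constructed, with invented 203.0.113.x addresses in place of the poster's masked ones:

```python
import ipaddress
import re

# Constructed ASA config excerpt (not the poster's real configuration).
# The Outside interface is a /29, so only 203.0.113.1-203.0.113.6 are
# "connected"; the last two NAT addresses are deliberately outside it.
ASA_CONFIG = """
interface Ethernet0/0
 nameif Outside
 ip address 203.0.113.2 255.255.255.248
object network 172.16.34.1_Rev_NAT
 nat (DMZ,Outside) static 203.0.113.3 dns
object network 172.16.34.2_Rev_NAT
 nat (DMZ,Outside) static 203.0.113.20 dns
object network 172.16.34.3_Rev_NAT
 nat (DMZ,Outside) static 203.0.113.21 dns
"""

NAMEIF_RE = re.compile(r"^\s*nameif (\S+)")
IPADDR_RE = re.compile(r"^\s*ip address (\S+) (\S+)")
# Matches "nat (DMZ,Outside) static <mapped-ip> ..." object NAT lines.
NAT_RE = re.compile(r"^\s*nat \((\w+),(\w+)\) static (\d+\.\d+\.\d+\.\d+)")


def connected_subnets(config, ifname="Outside"):
    """Return the subnets configured under the interface with this nameif."""
    nets, current = [], None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = None            # new interface block, nameif not yet seen
        m = NAMEIF_RE.match(line)
        if m:
            current = m.group(1)
        m = IPADDR_RE.match(line)
        if m and current == ifname:
            nets.append(ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False))
    return nets


def nat_ips_not_connected(config, ifname="Outside"):
    """Mapped addresses of static NAT rules toward ifname that fall outside
    its connected subnet(s); the ASA will not proxy-ARP for these unless
    'arp permit-nonconnected' is configured."""
    nets = connected_subnets(config, ifname)
    bad = []
    for line in config.splitlines():
        m = NAT_RE.match(line)
        if m and m.group(2) == ifname:
            mapped = ipaddress.ip_address(m.group(3))
            if not any(mapped in n for n in nets):
                bad.append(str(mapped))
    return bad
```

If the list is non-empty, either the mapped addresses are wrong or the firewall needs `arp permit-nonconnected` and an upstream route from the ISP for the extra block.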

New Member


Hi Vibhor,

Thank you so much for that quick response.

We are using the IP addresses in the same pool.


Regards

Ejaz

Cisco Employee


Hi Ejaz,

Then, I think you should proceed with the captures on the ASA device interfaces.

Thanks and Regards,

Vibhor Amrodia

New Member


Hi Vibhor

I have attached the capture result with the post.

I tried to ping from the server to the IP 8.8.8.8


Regards,

Ejaz

Cisco Employee


Hi Ejaz,

I think, as you can see in the captures, we only see uni-directional traffic through the ASA device and no reply from the Outside server.

This can mean that the IP Addresses might not be working.

Is this ASA device in production at this moment ?

Thanks and Regards,

Vibhor Amrodia
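The reading of the captures above (packets leave, nothing comes back) can be automated over `show capture` output; this is an added example, not code from the thread. The capture lines are constructed, their layout is assumed to follow the ASA's "N: time src > dst: proto ..." format, and the addresses are invented apart from the 8.8.8.8 ping target named in the thread:

```python
import re
from collections import Counter

# Constructed 'show capture capout' lines (format assumed, addresses invented).
# 203.0.113.20 stands in for a server whose NAT is not working; 203.0.113.3
# for the one that is.
CAPOUT = """
   1: 11:02:17.104233 203.0.113.20 > 8.8.8.8: icmp: echo request
   2: 11:02:18.104512 203.0.113.20 > 8.8.8.8: icmp: echo request
   3: 11:02:19.105001 203.0.113.20 > 8.8.8.8: icmp: echo request
   4: 11:02:20.105240 203.0.113.3 > 8.8.8.8: icmp: echo request
   5: 11:02:20.118870 8.8.8.8 > 203.0.113.3: icmp: echo reply
"""

# "<n>: <time> <src>[.<port>] > <dst>[.<port>]: ..." ; the optional trailing
# ".<port>" covers TCP/UDP lines, ICMP lines have none.
LINE_RE = re.compile(
    r"^\s*\d+:\s+\S+\s+(\d+\.\d+\.\d+\.\d+)(?:\.\d+)?\s+>\s+"
    r"(\d+\.\d+\.\d+\.\d+)(?:\.\d+)?:"
)


def flow_counts(capture):
    """Count packets per (src, dst) address pair."""
    counts = Counter()
    for line in capture.splitlines():
        m = LINE_RE.match(line)
        if m:
            counts[(m.group(1), m.group(2))] += 1
    return counts


def unidirectional_flows(capture):
    """(src, dst, packets) for pairs whose reverse direction never appears,
    i.e. hosts that send but never get an answer back through the firewall."""
    counts = flow_counts(capture)
    return sorted((s, d, n) for (s, d), n in counts.items() if (d, s) not in counts)
```

Run the same function over the DMZ-side capture as well: a flow that is one-way on both interfaces points upstream of the ASA, while one that is two-way on Outside but one-way on DMZ points at the firewall's reverse translation or ACL.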
