04-15-2014 05:01 AM - edited 03-11-2019 09:04 PM
Hi All,
I have an issue with static NAT on an ASA 5520 (version 9.1(2)) firewall.
Configuration as below:
interface GigabitEthernet0/0
description outside
nameif OUTSIDE
security-level 0
ip address 10.x.x.x 255.255.255.0
!
interface GigabitEthernet0/2
description dmz1
nameif dmz1
security-level 50
ip address 10.10.10.1 255.255.255.0
NAT configuration:
object network obj-10.10.10.2
host 10.10.10.2
nat (dmz1,OUTSIDE) static obj-213.x.x.x
ACL:
access-list OUTSIDE_access_in line 1 extended permit tcp host 76.x.x.x host 10.10.10.2 eq ssh
access-list dmz1_access_in line 24 extended permit tcp host 10.10.10.2 host 76.x.x.x eq ssh
Packet-tracer output:
asa# packet-tracer input outside tcp 76.x.x.x 22 213.x.x.x 22
Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
object network obj-10.10.10.2
nat (dmz1,OUTSIDE) static obj-213.x.x.x
Additional Information:
NAT divert to egress interface dmz1
Untranslate 213.x.x.x/22 to 10.10.10.2/22
Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group OUTSIDE_access_in in interface OUTSIDE
access-list OUTSIDE_access_in extended permit ip host 76.x.x.x host 10.10.10.2 eq ssh
Additional Information:
Phase: 3
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 5
Type: IDS
Subtype:
Result: ALLOW
Config:
class-map IPS
match any
policy-map global_policy
class IPS
ips inline fail-open
service-policy global_policy global
Additional Information:
Phase: 6
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
Phase: 7
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
object network obj-10.10.10.2
nat (dmz1,OUTSIDE) static obj-213.x.x.x
Additional Information:
Phase: 8
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 9
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 10
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 20646801, packet dispatched to next module
Result:
input-interface: OUTSIDE
input-status: up
input-line-status: up
output-interface: dmz1
output-status: up
output-line-status: up
Action: allow
ACL output:
access-list OUTSIDE_access_in line 27 extended permit tcp host 76.x.x.x eq ssh host 10.10.10.2 eq ssh (hitcnt=0) 0x933a0526
But I tried to telnet 213.x.x.x 22, with no luck.
I would appreciate help on this matter.
04-15-2014 07:02 AM
It looks like the other post we were working on got deleted or something. You mentioned you see no access-list hits for OUTSIDE_access_in.
I noticed your outside interface is on a 10.x.x.x IP range yet your public IP is 213.x.x.x. Is it possible that your ISP's device is not in bridged mode to allow the public assigned IP range through to your firewall? I would start there...
04-15-2014 07:14 AM
Sorry for that, moved to the firewall section. The ISP device is in bridged mode, other public IP addresses are working fine, and I checked with the ISP and confirmed that it is directly routed to our firewall.
While we are checking the packet trace, all statuses are allow and up.
04-15-2014 07:20 AM
Try modifying the ACE in your ACL. It is very unlikely that the source port of your public IP trying to SSH is 22.
instead of:
access-list OUTSIDE_access_in line 27 extended permit tcp host 76.x.x.x eq ssh host 10.10.10.2 eq ssh
try:
access-list OUTSIDE_access_in line 27 extended permit tcp host 76.x.x.x host 10.10.10.2 eq ssh
Also confirm the source IP 76.x.x.x is correct when performing your test.
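As an added illustration of the point made in this reply (this is not code from the original thread or from Cisco), the following Python script simulates how an ASA extended ACE is matched and shows why a packet-tracer run with source port 22 reports ALLOW while a real SSH client, which picks an ephemeral source port, never matches the ACE as originally written. The addresses are constructed placeholders: 203.0.113.10 stands in for the masked 76.x.x.x client, and 10.10.10.2 is the real (post-UN-NAT) server address from the thread, since the packet-tracer output above shows the interface ACL being evaluated after the UN-NAT phase. The ACE parser handles only the address and port forms used in this thread (host, any/any4, network mask, eq/gt/lt/neq/range).

```python
"""Simulate ASA extended ACE matching to show the source-port trap.

Added example, not from the original thread. Addresses are constructed:
203.0.113.10 replaces the masked 76.x.x.x client from the thread.
"""
import ipaddress
from dataclasses import dataclass

# Subset of the service names the ASA accepts in place of a port number.
PORT_NAMES = {"ssh": 22, "telnet": 23, "www": 80, "http": 80, "https": 443, "domain": 53}
PORT_OPS = {"eq", "gt", "lt", "neq", "range"}


def _port(tok: str) -> int:
    return PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)


@dataclass(frozen=True)
class PortSpec:
    op: str = "any"          # any | eq | gt | lt | neq | range
    lo: int = 0
    hi: int = 65535

    def matches(self, port: int) -> bool:
        if self.op == "any":
            return True
        if self.op == "eq":
            return port == self.lo
        if self.op == "neq":
            return port != self.lo
        if self.op == "gt":
            return port > self.lo
        if self.op == "lt":
            return port < self.lo
        return self.lo <= port <= self.hi   # range


@dataclass(frozen=True)
class Ace:
    name: str
    action: str
    proto: str
    src: ipaddress.IPv4Network
    sport: PortSpec
    dst: ipaddress.IPv4Network
    dport: PortSpec

    def restricts_source_port(self) -> bool:
        """True when the ACE only matches a specific client source port."""
        return self.sport.op != "any"

    def matches(self, proto: str, src: str, sport: int, dst: str, dport: int) -> bool:
        return (self.proto in ("ip", proto)
                and ipaddress.ip_address(src) in self.src
                and self.sport.matches(sport)
                and ipaddress.ip_address(dst) in self.dst
                and self.dport.matches(dport))


def _take_addr(toks, i):
    if toks[i] == "host":
        return ipaddress.ip_network(toks[i + 1] + "/32"), i + 2
    if toks[i] in ("any", "any4"):
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    # "A.B.C.D MASK" network form
    return ipaddress.ip_network(f"{toks[i]}/{toks[i + 1]}", strict=False), i + 2


def _take_port(toks, i):
    if i < len(toks) and toks[i] in PORT_OPS:
        op = toks[i]
        if op == "range":
            return PortSpec(op, _port(toks[i + 1]), _port(toks[i + 2])), i + 3
        return PortSpec(op, _port(toks[i + 1])), i + 2
    return PortSpec(), i


def parse_ace(line: str) -> Ace:
    """Parse one 'access-list NAME [line N] extended ...' entry.

    Trailing tokens such as 'log', '(hitcnt=0)' and the hash are ignored.
    """
    toks = line.split()
    if toks[0] != "access-list":
        raise ValueError("not an access-list line")
    name, i = toks[1], 2
    if toks[i] == "line":            # optional 'line N' from 'show access-list'
        i += 2
    if toks[i] != "extended":
        raise ValueError("only extended ACEs are handled")
    action, proto = toks[i + 1], toks[i + 2]
    i += 3
    src, i = _take_addr(toks, i)
    sport, i = _take_port(toks, i)
    dst, i = _take_addr(toks, i)
    dport, i = _take_port(toks, i)
    return Ace(name, action, proto, src, sport, dst, dport)


def demo() -> dict:
    # ACE as posted (source port pinned to ssh) versus the suggested fix.
    buggy = parse_ace("access-list OUTSIDE_access_in line 27 extended permit tcp "
                      "host 203.0.113.10 eq ssh host 10.10.10.2 eq ssh (hitcnt=0) 0x933a0526")
    fixed = parse_ace("access-list OUTSIDE_access_in line 27 extended permit tcp "
                      "host 203.0.113.10 host 10.10.10.2 eq ssh")
    # The thread's packet-tracer used source port 22 (already UN-NATed to 10.10.10.2)...
    tracer = ("tcp", "203.0.113.10", 22, "10.10.10.2", 22)
    # ...but a real SSH client connects from an ephemeral source port.
    client = ("tcp", "203.0.113.10", 51234, "10.10.10.2", 22)
    return {
        "buggy_restricts_source_port": buggy.restricts_source_port(),
        "buggy_matches_tracer": buggy.matches(*tracer),
        "buggy_matches_client": buggy.matches(*client),
        "fixed_matches_tracer": fixed.matches(*tracer),
        "fixed_matches_client": fixed.matches(*client),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The practical lesson is that packet-tracer only tests the tuple you give it: if the test source port happens to satisfy an over-specific ACE, the trace shows ALLOW while production traffic is silently dropped with hitcnt=0 on that line. When testing an inbound rule, use a random high source port in the packet-tracer command rather than the service port.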
04-15-2014 07:24 AM
Modified the access-list with any:
access-list OUTSIDE_access_in line 27 extended permit ip host 76.x.x.x any4 ... but no luck.
I have doubts: there are lots of existing NAT rules; will that make any issue?
04-15-2014 08:12 AM
Hi Karthik,
You're right, trying to access from outside.
The ISP provided the private IP address to connect to their device. We have 30 public IP addresses; some of them are used and working.
04-16-2014 03:18 AM
Hi Sameer,
I am a bit confused here... if you have the internet router connected to the FW, you can use the public IPs on the outside interface, right? Or do you have a private LAN in between the internet and the FW segment? Because it differs from case to case.
Also, you said some are working... are they configured in the same manner as the ones which are working?
Regards
Karthik
04-16-2014 11:38 AM
John, it seems the issue is on the ISP side; I used another public IP address and it is working fine.
Karthik, this data center belongs to the ISP and they provided the private IP address to configure on the outside. Sorry, I have no more information to explain; I don't have access to the ISP device.
Thanks for all your support.
04-15-2014 07:31 AM
Hi Sameer,
Hope you are trying to access from outside (Internet) to a server in the DMZ, right?
Is the outside interface connected to a public network directly? Because I see some 10.x.x.x mentioned there.
Regards
Karthik