Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
Step-by-Step Configuration and Troubleshooting Best Practices for the NGFW, NGIPS and AMP Technologies A Visual Guide to the Cisco Firepower Threat Defense (FTD)
Community Member

Static NAT on ASA 5520-version 9.1(2)

Hi All ,

I have an issue with static NAT on ASA 5520 Version 9.1(2) firewall.

Configuration as below 

interface GigabitEthernet0/0

 description outside

 nameif OUTSIDE

 security-level 0

 ip address 10.x.x.x 255.255.255.0

!interface GigabitEthernet0/2

 description dmz1

 nameif dmz1

 security-level 50

 ip address 10.10.10.1 255.255.255.0

nat configuration

object network obj-10.10.10.2

host 10.10.10.2

 nat (dmz1,OUTSIDE) static obj-213.x.x.x

ACL

access-list OUTSIDE_access_in line 1 extended permit tcp host 76.x.x.x host 10.10.10.2 eq ssh

access-list dmz1_access_in line 24 extended permit tcp host 10.10.10.2 host 76.x.x.x eq ssh

Packet-tracer output

asa# packet-tracer input outside tcp 76.x.x.x 22 213.x.x.x 22

Phase: 1

Type: UN-NAT

Subtype: static

Result: ALLOW

Config:

object network obj-10.10.10.2

 nat (dmz1,OUTSIDE) static obj-213.x.x.x

Additional Information:

NAT divert to egress interface dmz1

Untranslate 213.x.x.x/22 to 10.10.10.2/22

Phase: 2

Type: ACCESS-LIST

Subtype: log

Result: ALLOW

Config:

access-group OUTSIDE_access_in in interface OUTSIDE

access-list OUTSIDE_access_in extended permit ip host 76.x.x.x host 10.10.10.2 eq ssh

Additional Information:

Phase: 3

Type: NAT

Subtype: per-session

Result: ALLOW

Config:

Additional Information:

Phase: 4

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 5

Type: IDS

Subtype:

Result: ALLOW

Config:

class-map IPS

 match any

policy-map global_policy

 class IPS

  ips inline fail-open

service-policy global_policy global

Additional Information:

Phase: 6

Type: VPN

Subtype: ipsec-tunnel-flow

Result: ALLOW

Config:

Additional Information:

Phase: 7

Type: NAT

Subtype: rpf-check

Result: ALLOW

Config:

object network obj-10.10.10.2

 nat (dmz1,OUTSIDE) static obj-213.x.x.x

Additional Information:

Phase: 8

Type: NAT

Subtype: per-session

Result: ALLOW

Config:

Additional Information:

 

Phase: 9

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 10

Type: FLOW-CREATION

Subtype:

Result: ALLOW

Config:

Additional Information:

New flow created with id 20646801, packet dispatched to next module

Result:

input-interface: OUTSIDE

input-status: up

input-line-status: up

output-interface: dmz1

output-status: up

output-line-status: up

Action: allow

 acl output

access-list OUTSIDE_access_in line 27 extended permit tcp host 76.x.x.x eq ssh host 10.10.10.2 eq ssh (hitcnt=0) 0x933a0526
But I tried to telnet 213.x.x.x  22 ,  but no luck .

I would appreciate help on this matter . 

8 REPLIES

It looks like the other post

It looks like the other post we were working on got deleted or something. You mentioned you see no access-list hits for OUTSIDE_access_in.  

I noticed your outside interface is on a 10.x.x.x IP range yet your public IP is 213.x.x.x.  Is it possible that your ISP's device is not in bridged mode to allow the public assigned IP range through to your firewall?  I would start there...

Community Member

sorry for that , moved to

sorry for that , moved to firewall section  , ISP device is bridged mode , other public ip address are working fine ,  checked with ISP and confirmed that  directly routed to our firewall  . 

while we are checking the packet trace all status are allow and up . 

Try modifying the ACE in your

Try modifying the ACE in your ACL.  It is very unlikely that the source port of your public IP trying to SSH is 22.

 

instead of:

access-list OUTSIDE_access_in line 27 extended permit tcp host 76.x.x.x eq ssh host 10.10.10.2 eq ssh

try:

access-list OUTSIDE_access_in line 27 extended permit tcp host 76.x.x.x host 10.10.10.2 eq ssh

 

Also confirm the source IP 76.x.x.x is correct when performing your test.

Community Member

modified the access- list

modified the access- list with any

access-list OUTSIDE_access_in line 27 extended permit ip host 76.x.x.x any4 .. but no luck 

I have doubts there are lots of existing Nat rules , it will make any issue ?

 

 

Community Member

Hi Karthik , you're right ,

Hi Karthik , 

you're right ,  trying to accessing from outside ,

ISP provided the private ip address to connect their device , we have 30 Public ip address , some of them used and working . 

 

Hi Sameer,I am bit confused

Hi Sameer,

I am bit confused here.... if you have the inetrnet router connected to the fw you can use the public IP's on outside interface right.... or you have the private LAN in between internet and fw segment.... because case to case it differs...

 

Also you said some are working... are they configured in the same manner which is working???

 

Regards

Karthik

Community Member

John , It seems issue on ISP

John , It seems issue on ISP , used another public ip address and working fine.

.Karthik , this data center belongs to the ISP and they provided the private IP address to configure on the outside .  sorry I have no more information to explain ,don’t have access to ISP device .

Thanks for all your support . 

Hi Sameer, Hope you are

Hi Sameer,

 

Hope you are trying to access from outside ( Internet ) to a server in DMZ right???

 

is the outside interface is connecetd to a public network directly???? bcoz i see some 10.x.x.x mentioned there????

Regards

Karthik

 

 

871
Views
0
Helpful
8
Replies
CreatePlease to create content