Static PAT issue with 8.4

Lee Breinich
Level 1

I have a simple small network setup here and am trying to set up a simple Static PAT on HTTPS; for some reason the NAT rule is dropping the packet. Here is the setup.

Internal Subnet: 172.31.0.0/24

External Internet DHCP

Host object: 172.31.0.13

There is also an SSL AnyConnect VPN set up, but it is using port 444.

object network obj_any-01
 nat (inside,outside) dynamic interface
object network LD-App01
 nat (inside,outside) static interface service tcp https https
!
nat (inside,any) after-auto source static obj-172.31.0.0 obj-172.31.0.0 destination static Personal-VPN Personal-VPN no-proxy-arp
object network obj-172.31.0.0
 subnet 172.31.0.0 255.255.255.0
object network Personal-VPN
 subnet 172.31.1.0 255.255.255.0
object network obj_any-01
 subnet 0.0.0.0 0.0.0.0
object network LD-App01
 host 172.31.0.13
access-list inside_access_in extended permit ip any any
access-list inside_nat0_outbound extended permit ip 172.31.0.0 255.255.255.0 object Personal-VPN
access-list Personal-VPN-ACL standard permit 172.31.0.0 255.255.255.0
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended permit tcp any object LD-App01 eq https
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside

Here is the packet trace:

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   172.31.0.0      255.255.255.0   inside

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside_access_in in interface outside
access-list outside_access_in extended permit tcp any object LD-App01 eq https
Additional Information:

Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 4
Type: HOST-LIMIT
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
object network LD-App01
nat (inside,outside) static interface service tcp https https
Additional Information:

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

Please help...

Thanks,

Lee
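The trace in the post above ends at the NAT rpf-check phase with Result: DROP. As an added example (not code from the thread), this Python parser pulls the first dropped phase, the rule it matched and the final drop reason out of packet-tracer output; the SAMPLE_TRACE it runs on is a constructed, abbreviated copy of the trace above.

```python
# Constructed, abbreviated packet-tracer output in the layout of the trace above (phases 1, 3, 4 omitted).
SAMPLE_TRACE = """\
Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-list outside_access_in extended permit tcp any object LD-App01 eq https

Phase: 5
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
object network LD-App01
nat (inside,outside) static interface service tcp https https
Additional Information:

Result:
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""
def parse_trace(text):
    # Returns (list of per-phase dicts, final verdict dict).
    phases, current, section, verdict = [], None, None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key, _, value = line.partition(":")
        value = value.strip()
        if key == "Phase":
            current = {"phase": int(value), "config": []}
            phases.append(current)
            section = None
        elif key in ("Type", "Subtype", "Result") and current and value:
            current[key.lower()] = value          # the bare trailing "Result:" is skipped
        elif key in ("Config", "Additional Information"):
            section = key                         # following lines belong to this section
        elif key in ("Action", "Drop-reason"):
            verdict[key] = value
        elif section == "Config" and current:
            current["config"].append(line)        # the rule this phase matched
    return phases, verdict
def first_drop(text):
    # First phase with Result: DROP, plus the matched rule and the drop reason.
    phases, verdict = parse_trace(text)
    for p in phases:
        if p.get("result") == "DROP":
            return {**p, "reason": verdict.get("Drop-reason")}
    return None
```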

8 Replies

Julio Carvajal
VIP Alumni

Hello Lee,

The configuration looks good to me; I would make the following:

object network outside_interface_ip
 host x.x.x.x
object service https
 service tcp source eq 443
object network LD-App01
 no nat (inside,outside) static interface service tcp https https
nat (inside,outside) 1 source static LD-App01 outside_interface_ip service https https

Give it a try and let me know. Regards,

Julio

Do rate helpful posts!

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Tried your recommendation but ran into an error.

I created the object outside_int_ip with the outside ip.

Then tried to create the nat as you have listed but got the following error.

nat (inside,outside)1 source static LD-App01 outside_int_ip service https https
                    ^
ERROR: % Invalid input detected at '^' marker.
LD-FW01(config-network-object)# nat (inside,outside) 1 source static LD-App01 $
ERROR: Address 75.188.84.144 overlaps with outside interface address.
ERROR: NAT Policy is not downloaded

Thanks,

Lee

Hello Lee,

It should not have failed!

You placed the object right, not the IP?

Regards,

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Here is the current object list and the nat command with the failure message. I'm also running the current 8.4(3).

LD-FW01# show run ob
object network obj-172.31.0.0
 subnet 172.31.0.0 255.255.255.0
object network Personal-VPN
 subnet 172.31.1.0 255.255.255.0
object network obj_any-01
 subnet 0.0.0.0 0.0.0.0
object network LD-App01
 host 172.31.0.13
 description Spiceworks
object service https
 service tcp source eq https
object network outside_int_ip
 host 76.188.84.144
LD-FW01# con t
LD-FW01(config)# object network LD-App01
LD-FW01(config-network-object)# nat (inside,outside) 1 source static LD-App01 $
ERROR: Address 75.188.84.144 overlaps with outside interface address.
ERROR: NAT Policy is not downloaded

Hello,

You need to do it outside the object network; that is the problem!

So just from config t, add the nat command I gave you.

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Still getting the same error.

LD-FW01(config)# nat (inside,outside) 1 source static LD-App01 outside_int_ip $
ERROR: Address 75.188.84.144 overlaps with outside interface address.
ERROR: NAT Policy is not downloaded

For Julio and anyone else who may read this: the original config I posted worked just fine, though for some reason the NAT in the packet trace still shows as being dropped. The actual issue is that the server I was NATting to had closed the 443 (https) port for some reason. As soon as I fixed the port issue on the server, I was able to NAT correctly through the ASA.

Thanks,

Lee

Hello Lee,

Glad to hear everything is working now.

Just in case, the one option I gave you should be like this:

nat (inside,outside) 1 source static LD-App01 interface service https https

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
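Added example, not code from the thread: a small lint in Python that catches the two failure modes seen above. It flags a twice-NAT "source static" rule whose mapped object holds the outside interface address (the "overlaps with outside interface address" error) and suggests the interface-keyword form Julio gives, and it checks that the service objects named in the rule exist. The object list is constructed from Lee's "show run ob" output, and the outside address 203.0.113.10 is a placeholder, not the poster's.

```python
import re

# Constructed sample based on the thread: objects from Lee's "show run ob" output.
# The outside interface address 203.0.113.10 is a placeholder (RFC 5737), not the real one.
SAMPLE_OBJECTS = """\
object network LD-App01
 host 172.31.0.13
object network outside_int_ip
 host 203.0.113.10
object service https
 service tcp source eq https
"""
OUTSIDE_IF_ADDR = "203.0.113.10"
NAT_RE = re.compile(
    r"^nat \((?P<real_if>\S+),(?P<mapped_if>\S+)\)(?:\s+\d+)?\s+source\s+static\s+"
    r"(?P<real>\S+)\s+(?P<mapped>\S+)(?:\s+service\s+(?P<svc_real>\S+)\s+(?P<svc_mapped>\S+))?")
def parse_objects(text):
    """Return ({network object -> host address}, {service object names})."""
    hosts, services, name = {}, set(), None
    for line in text.splitlines():
        parts = line.split()
        if parts[:2] == ["object", "network"]:
            name = parts[2]
        elif parts[:2] == ["object", "service"]:
            services.add(parts[2])
            name = None
        elif parts[:1] == ["host"] and name:
            hosts[name] = parts[1]
    return hosts, services
def lint_static_nat(nat_line, objects_text, outside_if_addr):
    """Findings for one 'source static' twice-NAT rule, checked against the object list."""
    line = nat_line.strip()
    m = NAT_RE.match(line)
    if not m:
        return ["not a 'source static' twice-NAT rule"]
    hosts, services = parse_objects(objects_text)
    findings = []
    mapped = m.group("mapped")
    # An object that holds the egress interface address is rejected by the ASA
    # ("overlaps with outside interface address"); the 'interface' keyword is required.
    if mapped != "interface" and hosts.get(mapped) == outside_if_addr:
        fixed = re.sub(rf"\b{re.escape(mapped)}\b", "interface", line, count=1)
        findings.append(f"mapped object {mapped} is the {m.group('mapped_if')} "
                        f"interface address; use: {fixed}")
    # Both service objects of the port-translation pair must be defined.
    for svc in (m.group("svc_real"), m.group("svc_mapped")):
        if svc and svc not in services:
            findings.append(f"service object {svc} is not defined")
    return findings
```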