02-19-2012 11:09 AM - edited 03-11-2019 03:32 PM
I have a simple small network setup here and am trying to set up a simple static PAT on HTTPS, but for some reason the NAT rule is dropping the packet. Here is the setup.
Internal Subnet: 172.31.0.0/24
External Internet DHCP
Host object: 172.31.0.13
There is also an SSL AnyConnect VPN set up, but it is using port 444.
object network obj_any-01
nat (inside,outside) dynamic interface
object network LD-App01
nat (inside,outside) static interface service tcp https https
!
nat (inside,any) after-auto source static obj-172.31.0.0 obj-172.31.0.0 destination static Personal-VPN Personal-VPN no-proxy-arp
object network obj-172.31.0.0
subnet 172.31.0.0 255.255.255.0
object network Personal-VPN
subnet 172.31.1.0 255.255.255.0
object network obj_any-01
subnet 0.0.0.0 0.0.0.0
object network LD-App01
host 172.31.0.13
access-list inside_access_in extended permit ip any any
access-list inside_nat0_outbound extended permit ip 172.31.0.0 255.255.255.0 object Personal-VPN
access-list Personal-VPN-ACL standard permit 172.31.0.0 255.255.255.0
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended permit tcp any object LD-App01 eq https
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
Here is the packet trace
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 172.31.0.0 255.255.255.0 inside
Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside_access_in in interface outside
access-list outside_access_in extended permit tcp any object LD-App01 eq https
Additional Information:
Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 4
Type: HOST-LIMIT
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 5
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
object network LD-App01
nat (inside,outside) static interface service tcp https https
Additional Information:
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
Please Help...
Thanks,
Lee
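The packet-tracer output above is easier to reason about once the dropping phase, its subtype and the config lines it matched are pulled out of the wall of text. The following is an added example, not code from the thread or from Cisco: a small Python parser for the ASA packet-tracer format shown in the post. The embedded trace is a constructed, trimmed copy of the output above (phases 3 and 4 omitted), and the function names are my own.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample: trimmed copy of the packet-tracer output from the post.
SAMPLE_TRACE = """\
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 172.31.0.0 255.255.255.0 inside

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside_access_in in interface outside
access-list outside_access_in extended permit tcp any object LD-App01 eq https
Additional Information:

Phase: 5
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
object network LD-App01
nat (inside,outside) static interface service tcp https https
Additional Information:

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

Phase = Dict[str, object]


def parse_packet_tracer(text: str) -> Tuple[List[Phase], Dict[str, str]]:
    """Split packet-tracer output into a list of phases plus the trailing
    'Result:' summary (input/output interface, Action, Drop-reason)."""
    phases: List[Phase] = []
    summary: Dict[str, str] = {}
    current: Optional[Phase] = None
    section: Optional[str] = None   # "config" or "info" while inside a phase
    in_summary = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = re.match(r"^Phase:\s*(\d+)$", line)
        if m:
            current = {"phase": int(m.group(1)), "type": "", "subtype": "",
                       "result": "", "config": [], "info": []}
            phases.append(current)
            section = None
            in_summary = False
            continue
        if line == "Result:":            # bare 'Result:' opens the summary block
            in_summary = True
            current = None
            continue
        if in_summary:
            key, _, value = line.partition(":")
            summary[key.strip()] = value.strip()
            continue
        if current is None:
            continue                     # anything before the first phase
        if line.startswith("Type:"):
            current["type"] = line[len("Type:"):].strip(); section = None
        elif line.startswith("Subtype:"):
            current["subtype"] = line[len("Subtype:"):].strip(); section = None
        elif line.startswith("Result:"):
            current["result"] = line[len("Result:"):].strip(); section = None
        elif line == "Config:":
            section = "config"
        elif line == "Additional Information:":
            section = "info"
        elif section is not None:
            current[section].append(line)  # matched config / extra info lines
    return phases, summary


def first_drop(phases: List[Phase]) -> Optional[Phase]:
    """Return the first phase whose Result is DROP, or None if the flow passed."""
    for p in phases:
        if str(p["result"]).upper() == "DROP":
            return p
    return None


def explain(text: str) -> str:
    """One-line diagnosis: which phase dropped the flow and on which config."""
    phases, summary = parse_packet_tracer(text)
    drop = first_drop(phases)
    if drop is None:
        return "no phase dropped; action=%s" % summary.get("Action", "?")
    return "dropped in phase %d (%s/%s): %s; matched config: %s" % (
        drop["phase"], drop["type"], drop["subtype"],
        summary.get("Drop-reason", "unknown"), " | ".join(drop["config"]))


if __name__ == "__main__":
    print(explain(SAMPLE_TRACE))
```

Run against the sample, this reports the drop in phase 5 (NAT/rpf-check) on the `object network LD-App01` static rule, which is the rule to look at first. As the rest of the thread shows, though, a packet-tracer drop is a starting point rather than a verdict: the final post finds the real cause elsewhere.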
02-19-2012 01:48 PM
Hello Lee,
The configuration looks good to me, I would make the following:
object network outside_interface_ip
host x.x.x.x.x
object service https
service tcp source eq 443
object network LD-App01
no nat (inside,outside) static interface service tcp https https
nat (inside,outside) 1 source static LD-App01 outside_interface_ip service https https
Give it a try and let me know regards,
Julio
Do rate helpful posts!
02-19-2012 02:09 PM
Tried your recommendation but ran into an error.
I created the object outside_int_ip with the outside ip.
Then tried to create the nat as you have listed but got the following error.
nat (inside,outside)1 source static LD-App01 outside_int_ip service https https
^
ERROR: % Invalid input detected at '^' marker.
LD-FW01(config-network-object)# nat (inside,outside) 1 source static LD-App01 $
ERROR: Address 75.188.84.144 overlaps with outside interface address.
ERROR: NAT Policy is not downloaded
Thanks,
Lee
02-19-2012 02:18 PM
Hello Lee,
It should not have failed!
You placed the object right, not the Ip?
Regards,
02-19-2012 02:25 PM
Here is the current object list and the nat command with the failure message. I'm also running the current 8.4(3)
LD-FW01# show run ob
object network obj-172.31.0.0
subnet 172.31.0.0 255.255.255.0
object network Personal-VPN
subnet 172.31.1.0 255.255.255.0
object network obj_any-01
subnet 0.0.0.0 0.0.0.0
object network LD-App01
host 172.31.0.13
description Spiceworks
object service https
service tcp source eq https
object network outside_int_ip
host 76.188.84.144
LD-FW01# con t
LD-FW01(config)# object network LD-App01
LD-FW01(config-network-object)# nat (inside,outside) 1 source static LD-App01 $
ERROR: Address 75.188.84.144 overlaps with outside interface address.
ERROR: NAT Policy is not downloaded
02-19-2012 02:28 PM
Hello,
You need to do it outside the object network, that is the problem!
So just by being in config t, add the nat command I gave you.
02-19-2012 02:36 PM
Still getting the same error.
LD-FW01(config)# nat (inside,outside) 1 source static LD-App01 outside_int_ip $
ERROR: Address 75.188.84.144 overlaps with outside interface address.
ERROR: NAT Policy is not downloaded
02-20-2012 05:54 AM
For Julio and anyone else who may read this. The original config I posted worked just fine, though for some reason the NAT in the packet trace still shows as being dropped. The actual issue is that the server I was NATting to closed the 443 (https) port for some reason. As soon as I fixed the port issue on the server, I was able to NAT correctly through the ASA.
Thanks,
Lee
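The resolution above is a common pattern: the firewall gets blamed while the inside server has simply stopped listening. The following is an added example, not from the thread: a Python check that probes the real inside address and the published outside address separately and narrows the fault to the server or to the NAT/ACL path. `start_listener` is a constructed stand-in for the inside server so the script runs offline; hostnames, ports and function names are assumptions of this example.

```python
import socket
from typing import Tuple


def port_is_open(host: str, port: int, timeout: float = 2.0) -> bool:
    """True if a full TCP handshake to host:port completes within timeout.
    A refused connection (RST) or a timeout both count as closed."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:          # ConnectionRefusedError and socket.timeout are OSErrors
        return False


def start_listener(host: str = "127.0.0.1") -> Tuple[socket.socket, int]:
    """Constructed stand-in for the inside server: listen on an ephemeral port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, 0))
    srv.listen(5)
    return srv, srv.getsockname()[1]


def classify(inside_open: bool, outside_open: bool) -> str:
    """Narrow the fault from two probes: the real host from inside the network,
    and the NAT/interface address from outside."""
    if not inside_open:
        return "server: nothing listening on the real host/port (fix the service first)"
    if not outside_open:
        return "firewall: service is up inside but unreachable via the NAT address (check NAT/ACL)"
    return "ok: service reachable both directly and through the NAT"


def diagnose(inside: Tuple[str, int], outside: Tuple[str, int]) -> str:
    """Probe both addresses and return the classification string."""
    return classify(port_is_open(*inside), port_is_open(*outside))


if __name__ == "__main__":
    # Assumed addresses from the thread: inside host 172.31.0.13:443 and the
    # published outside interface address on 443 (placeholder below).
    print(diagnose(("172.31.0.13", 443), ("OUTSIDE.INTERFACE.IP.PLACEHOLDER", 443)))
```

Run the inside probe from a host on 172.31.0.0/24 and the outside probe from the Internet; if the inside probe already fails, the ASA configuration is not the place to start.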
02-20-2012 09:24 AM
Hello Lee,
Glad to hear everything is working now.
Just in case, the option I gave you should be like this:
nat (inside,outside) 1 source static LD-App01 interface service https https
Regards,
Julio