Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1047
Views
0
Helpful
2
Replies

static nat issue

Thang Le
Level 1
Level 1

‎11-15-2013 04:27 AM - edited ‎03-10-2019 12:08 AM

Hi guys,

Would you mind to help me figure out this nat issue please?

I want to forward smtp port of inside host 192.168.1.22 to outside however it doesnt work. Also packet-tracer indicates that NAT drop it

Please help me guys!!!

Thank you so much!

This is config:

ASA Version 8.4(5)

!

interface Ethernet0/0

nameif inside

security-level 100

ip address 192.168.1.4 255.255.255.0

!

interface Ethernet0/1

nameif outside

security-level 0

ip address 103.134.166.238 255.255.255.248

object network obj_any

subnet 0.0.0.0 0.0.0.0

object service OBJ-TCP-smtp

service tcp source eq smtp

object service TCP_SMTP

service tcp source eq smtp

object network WAN_IP_OBJECT_103.134.166.238

host 103.134.166.238

object network SERVER_OBJECT_192.168.1.22

host 192.168.1.22

access-list outside_access_in extended permit tcp any any eq smtp

access-list inside_access_in extended permit ip any any

object network obj_any

nat (inside,outside) dynamic interface

object network SERVER_OBJECT_192.168.1.22

nat (inside,outside) static interface service tcp smtp smtp

access-group inside_access_in in interface inside

access-group outside_access_in in interface outside

route outside 0.0.0.0 0.0.0.0 103.134.166.233 1

PT:

Phase: 6

Type: NAT

Subtype: rpf-check

Result: DROP

Config:

object network SERVER_OBJECT_192.168.1.22

nat (inside,outside) static interface service tcp smtp smtp

Additional Information:

Forward Flow based lookup yields rule:

out id=0xac831e20, priority=6, domain=nat-reverse, deny=false

        hits=154, user_data=0xac7f5748, cs_id=0x0, use_real_addr, flags=0x0, protocol=6

        src ip/id=0.0.0.0, mask=0.0.0.0, port=0

        dst ip/id=192.168.1.22, mask=255.255.255.255, port=25, dscp=0x0

        input_ifc=outside, output_ifc=inside

Show nat

Auto NAT Policies (Section 2)

1 (inside) to (outside) source static SERVER_OBJECT_192.168.1.22 interface   service tcp smtp smtp

    translate_hits = 0, untranslate_hits = 152

2 (inside) to (outside) source dynamic obj_any interface

    translate_hits = 4351, untranslate_hits = 565

Labels:
0 Helpful
2 Replies 2

Jouni Forss
VIP Alumni
VIP Alumni

‎11-15-2013 04:43 AM

Hi,

Configuration seems fine to me.

I would guess that in the "packet-tracer" command you have used the real address 192.168.1.22 as the destination rather than the public IP address on your ASA "outside" interface since that is the address to which the connections are destined.

Looking at the above configuration it seems you should issue this command

packet-tracer input outside tcp 1.1.1.1 12345 103.134.166.238 25

- Jouni

0 Helpful

Thang Le
Level 1
Level 1
In response to Jouni Forss

‎11-15-2013 07:28 AM

Oh I've found it

The culprit is not the firewall but the ISP Optus @@. It has filtered my SMTP packets, don't know why

Thank Jouni so much for the packet-tracer !

0 Helpful
Customers Also Viewed These Support Documents