11-15-2013 04:27 AM - edited 03-10-2019 12:08 AM
Hi guys,
Would you mind helping me figure out this NAT issue, please?
I want to forward the SMTP port of inside host 192.168.1.22 to outside, however it doesn't work. Also, packet-tracer indicates that NAT drops it.
Please help me guys!!!
Thank you so much!
This is config:
ASA Version 8.4(5)
!
interface Ethernet0/0
 nameif inside
 security-level 100
 ip address 192.168.1.4 255.255.255.0
!
interface Ethernet0/1
 nameif outside
 security-level 0
 ip address 103.134.166.238 255.255.255.248
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object service OBJ-TCP-smtp
 service tcp source eq smtp
object service TCP_SMTP
 service tcp source eq smtp
object network WAN_IP_OBJECT_103.134.166.238
 host 103.134.166.238
object network SERVER_OBJECT_192.168.1.22
 host 192.168.1.22
access-list outside_access_in extended permit tcp any any eq smtp
access-list inside_access_in extended permit ip any any
object network obj_any
 nat (inside,outside) dynamic interface
object network SERVER_OBJECT_192.168.1.22
 nat (inside,outside) static interface service tcp smtp smtp
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 103.134.166.233 1
PT:
Phase: 6
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
object network SERVER_OBJECT_192.168.1.22
nat (inside,outside) static interface service tcp smtp smtp
Additional Information:
Forward Flow based lookup yields rule:
out id=0xac831e20, priority=6, domain=nat-reverse, deny=false
hits=154, user_data=0xac7f5748, cs_id=0x0, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=192.168.1.22, mask=255.255.255.255, port=25, dscp=0x0
input_ifc=outside, output_ifc=inside
Show nat
Auto NAT Policies (Section 2)
1 (inside) to (outside) source static SERVER_OBJECT_192.168.1.22 interface service tcp smtp smtp
translate_hits = 0, untranslate_hits = 152
2 (inside) to (outside) source dynamic obj_any interface
translate_hits = 4351, untranslate_hits = 565
11-15-2013 04:43 AM
Hi,
Configuration seems fine to me.
I would guess that in the "packet-tracer" command you have used the real address 192.168.1.22 as the destination rather than the public IP address on your ASA "outside" interface since that is the address to which the connections are destined.
Looking at the above configuration it seems you should issue this command
packet-tracer input outside tcp 1.1.1.1 12345 103.134.166.238 25
- Jouni
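The check suggested in the reply above, as an added example that is not part of the original thread: it reads the object NAT port forward from the posted configuration and rewrites a packet-tracer command that targets the real address so that it targets the mapped (outside interface) address instead. The function names are hypothetical, the configuration excerpt is re-typed from the post, and only the `static interface service` form of object NAT is handled.

```python
import re

# Constructed sample: the relevant lines of the configuration posted in this thread.
CONFIG = """\
interface Ethernet0/1
 nameif outside
 ip address 103.134.166.238 255.255.255.248
object network SERVER_OBJECT_192.168.1.22
 host 192.168.1.22
object network SERVER_OBJECT_192.168.1.22
 nat (inside,outside) static interface service tcp smtp smtp
"""
PORTS = {"smtp": 25}  # only the service name this thread uses

def port(tok):
    return PORTS[tok] if tok in PORTS else int(tok)

def port_forwards(config):
    """Return each 'static interface service' rule with its real and mapped address/port."""
    ifc_ip, hosts, rules, ctx = {}, {}, [], None
    for line in config.splitlines():
        w = line.split()
        if not w:
            continue
        if not line.startswith(" "):  # top-level command opens a new context
            ctx, name = (w[0], w[-1]) if w[0] in ("interface", "object") else (None, None)
        elif ctx == "interface" and w[0] == "nameif":
            name = w[1]
        elif ctx == "interface" and w[:2] == ["ip", "address"]:
            ifc_ip[name] = w[2]
        elif ctx == "object" and w[0] == "host":
            hosts[name] = w[1]
        elif ctx == "object" and w[0] == "nat" and w[2:5] == ["static", "interface", "service"]:
            mapped_ifc = w[1].strip("()").split(",")[1]
            rules.append((name, mapped_ifc, w[5], port(w[6]), port(w[7])))
    return [dict(real=hosts[n], ifc=i, mapped=ifc_ip[i], proto=p, rport=r, mport=m)
            for n, i, p, r, m in rules]

def check_trace(cmd, forwards):
    """Return a corrected command if the trace targets a real address, else None."""
    m = re.fullmatch(r"packet-tracer input (\S+) (tcp|udp) (\S+) (\d+) (\S+) (\S+)", cmd.strip())
    if not m:
        raise ValueError("unsupported packet-tracer syntax")
    ifc, proto, src, sport, dst, dport = m.groups()
    for f in forwards:
        if (ifc, proto, dst, port(dport)) == (f["ifc"], f["proto"], f["real"], f["rport"]):
            return f"packet-tracer input {ifc} {proto} {src} {sport} {f['mapped']} {f['mport']}"
    return None
```
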
11-15-2013 07:28 AM
Oh I've found it
The culprit is not the firewall but the ISP Optus @@. It has filtered my SMTP packets, don't know why
Thanks so much, Jouni, for the packet-tracer!