TwiceNat and Static NAT overlaping

Igor Mordiuk
Level 1

Hi.

I have a mail_server = 192.168.0.1 in my dmz which is available from inet via the SMTP protocol.

inet = 9.9.9.9

object network nat__smtpServer
host 192.168.0.1
nat (dmz,inet) static interface service tcp smtp smtp

In this way every source from inet (including 1.1.1.1) can initiate a connection to our mail_server.

If we add twice NAT:

nat (inside,inet) source dynamic monitor_Admin2 interface destination static Servers_L Servers_L

object-group network monitor_Admin2
network-object host 172.1.1.37
object-group network Servers_L
network-object host 1.1.1.1

In this way every source from inet (EXCEPT 1.1.1.1) can initiate a connection to our mail_server.

%ASA-7-710005: TCP request discarded from 10.1.1.1/54616 to inet:9.9.9.9/25

packet-tracer input inet tcp 10.1.1.1 5346 9.9.9.9 25

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   9.9.9.9  255.255.255.255 identity

Phase: 2
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: inet
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

Any ideas?

3 Replies

Luis Silva Benavides
Cisco Employee

Hi,

What you are telling the twice NAT is that when 172.1.1.37 (located on the inside) wants to reach 1.1.1.1

nat (inside,inet) source dynamic monitor_Admin2 interface destination static Servers_L Servers_L

Another point is that a packet-tracer with the interface IP address will fail since it is an NPI connection.

If what you want is to

HTH

Luis Silva

"If you need PDI (Planning, Design, Implement) assistance feel free to reach"

http://www.cisco.com/web/partners/tools/pdihd.html


Thanks.

I solved the issue by placing nat (inside,inet) source dynamic monitor_Admin2 interface destination static Servers_L Servers_L
in the 3rd section:

nat (inside,inet) after-auto 3 source dynamic monitor_Admin2 interface destination static Servers_L Servers_L

packet-tracer input inet tcp 10.1.1.1 5346 9.9.9.9 25

Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in  id=0x7fff2bccd960, priority=13, domain=capture, deny=false
        hits=26865, user_data=0x7fff2b6cf890, cs_id=0x0, l3_type=0x0
        src mac=0000.0000.0000, mask=0000.0000.0000
        dst mac=0000.0000.0000, mask=0000.0000.0000
        input_ifc=inside, output_ifc=any

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in  id=0x7fff2a3d1ea0, priority=1, domain=permit, deny=false
        hits=818, user_data=0x0, cs_id=0x0, l3_type=0x8
        src mac=0000.0000.0000, mask=0000.0000.0000
        dst mac=0000.0000.0000, mask=0100.0000.0000
        input_ifc=inside, output_ifc=any

Phase: 3
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside,inet) after-auto source dynamic monitor_Admin2 interface destination static Servers_L Servers_L
Additional Information:
NAT divert to egress interface Ine-FCS
Untranslate 1.1.1.1/22 to 1.1.1.1/22

Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside_in in interface inside
access-list inside_in extended permit tcp object-group monitor_Admin2 object-group Servers_L eq ssh
object-group network monitor_Admin2
group-object monitor_Admin1
network-object host 172.1.1.37
group-object OurServers_Dev&Test
object-group network Servers_L
network-object host 1.1.1.1
Additional Information:
Forward Flow based lookup yields rule:
in  id=0x7fff2bfaa2b0, priority=13, domain=permit, deny=false
        hits=1, user_data=0x7fff234a7a00, cs_id=0x0, use_real_addr, flags=0x0, protocol=6
        src ip/id=172.1.1.37, mask=255.255.255.255, port=0, tag=0
        dst ip/id=1.1.1.1, mask=255.255.255.255, port=22, tag=0 dscp=0x0
        input_ifc=inside, output_ifc=any

Phase: 5
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside,Ine-FCS) after-auto source dynamic monitor_Admin2 interface destination static Servers_L Servers_L
Additional Information:
Dynamic translate 172.1.1.37/344 to 9.9.9.9/344
Forward Flow based lookup yields rule:
in  id=0x7fff2b3fced0, priority=6, domain=nat, deny=false
        hits=1, user_data=0x7fff2a56be30, cs_id=0x0, flags=0x0, protocol=0
        src ip/id=172.1.1.37, mask=255.255.255.255, port=0, tag=0
        dst ip/id=1.1.1.1, mask=255.255.255.255, port=0, tag=0 dscp=0x0
        input_ifc=inside, output_ifc=inet

Phase: 6
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in  id=0x7fff29f83190, priority=1, domain=nat-per-session, deny=true
        hits=2357435, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0 dscp=0x0
        input_ifc=any, output_ifc=any

Phase: 7
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in  id=0x7fff2a3dae70, priority=0, domain=inspect-ip-options, deny=true
        hits=1002, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0 dscp=0x0
        input_ifc=inside, output_ifc=any

Phase: 8
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (inside,inet) after-auto source dynamic monitor_Admin2 interface destination static Servers_L Servers_L
Additional Information:
Forward Flow based lookup yields rule:
out id=0x7fff2b5cfb30, priority=6, domain=nat-reverse, deny=false
        hits=2, user_data=0x7fff2c6f1cc0, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
        src ip/id=172.1.1.37, mask=255.255.255.255, port=0, tag=0
        dst ip/id=1.1.1.1, mask=255.255.255.255, port=0, tag=0 dscp=0x0
        input_ifc=inside, output_ifc=inet

Phase: 9
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in  id=0x7fff29f83190, priority=1, domain=nat-per-session, deny=true
        hits=2357437, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0 dscp=0x0
        input_ifc=any, output_ifc=any

Phase: 10
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in  id=0x7fff2a2d9790, priority=0, domain=inspect-ip-options, deny=true
        hits=1037309, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0 dscp=0x0
        input_ifc=Ine-FCS, output_ifc=any

Phase: 11
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 1331991, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_translate
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Module information for reverse flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_tcp_normalizer
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: inet
output-status: up
output-line-status: up
Action: allow
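As an added illustration that is not part of the thread, the following Python model walks an ASA-style NAT table in section order (Section 1 manual/twice NAT, Section 2 object NAT, Section 3 manual after-auto; first match wins) and shows why the twice NAT rule in Section 1 claims inbound SMTP from 1.1.1.1 while `after-auto` lets the object NAT win. The two match predicates are simplified assumptions about rule matching, not the ASA's real implementation; the addresses, objects and rules come from the posts above.

```python
from dataclasses import dataclass

# Values taken from the thread; the matching logic below is a simplified model of ASA behaviour.
INET_IF_IP = "9.9.9.9"        # address the "interface" keyword resolves to on inet
MAIL_SERVER = "192.168.0.1"   # real address of object nat__smtpServer
SERVERS_L = {"1.1.1.1"}       # object-group network Servers_L

@dataclass(frozen=True)
class Packet:
    ifc: str    # ingress interface
    src: str
    dst: str
    dport: int

def auto_static_smtp(p):
    """Section 2 object NAT: nat (dmz,inet) static interface service tcp smtp smtp.
    Inbound on inet, 9.9.9.9:25 is un-NATed to the mail server."""
    if p.ifc == "inet" and p.dst == INET_IF_IP and p.dport == 25:
        return ("untranslate", MAIL_SERVER)
    return None

def twice_nat_admin(p):
    """nat (inside,inet) source dynamic monitor_Admin2 interface destination static Servers_L Servers_L.
    Seen from inet, the static destination half still matches (src in Servers_L, dst = interface
    address), but a new inbound connection has no xlate for the dynamic source half (assumed model)."""
    if p.ifc == "inet" and p.src in SERVERS_L and p.dst == INET_IF_IP:
        return ("no-xlate", None)
    return None

def nat_lookup(p, sections):
    """Walk Sections 1, 2 and 3 in order; the first matching rule wins."""
    for section in sections:
        for rule in section:
            hit = rule(p)
            if hit is not None:
                return hit
    return ("identity", p.dst)

# OP's original layout: the twice NAT in Section 1 is consulted before the object NAT.
BROKEN = [[twice_nat_admin], [auto_static_smtp], []]
# Fix from the thread: "after-auto" moves the twice NAT to Section 3.
FIXED = [[], [auto_static_smtp], [twice_nat_admin]]

if __name__ == "__main__":
    smtp_from_1111 = Packet("inet", "1.1.1.1", INET_IF_IP, 25)   # constructed sample packet
    print("section 1:", nat_lookup(smtp_from_1111, BROKEN))  # ('no-xlate', None)
    print("after-auto:", nat_lookup(smtp_from_1111, FIXED))  # ('untranslate', '192.168.0.1')
```

Hosts outside Servers_L never match the twice NAT in either layout, which is why every other inet source reached the mail server all along.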

Great!

Luis Silva

"If you need PDI (Planning, Design, Implement) assistance feel free to reach"

http://www.cisco.com/web/partners/tools/pdihd.html
