07-01-2014 07:48 AM - edited 03-21-2019 06:16 PM
Hi, I'm trying to configure NAT, but it does not work. Can someone help me please? I attach a file with the configuration.
Regards!
on 07-02-2014 01:38 PM
Hello Enrique,
I hope everything is going great! I can see you already have some NATs configured on your ASA5505. Could you give a bit more information about your problem?
[1] Which NAT is not working correctly?
[2] What would be the purpose of this new NAT?
[3] Could you send me the output after running the following command?
asa# packet-tracer input [src_int] protocol src_addr src_port dest_addr dest_port detailed
Thanks in advance for the information,
Have an excellent day,
Kind regards,
Osvaldo Garcia
on 07-03-2014 11:38 PM
Hi Osvaldo,
The NAT that is configured does not work. Until now there was no NAT configured, and what I did was add the rules that are in the configuration I attached.
Here is what you asked for, let's see if it helps us:
# packet-tracer input outside tcp 80.224.32.102 http 172.26.0.249 http ?
detailed Dump more detailed information
xml Output in xml format
<cr>
ASALapunte# $ tcp 80.224.32.102 http 172.26.0.249 http de
ASALapunte# packet-tracer input outside tcp 80.224.32.102 http 172.26.0.249 ht$
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0xcb40fc00, priority=1, domain=permit, deny=false
hits=7681034, user_data=0x0, cs_id=0x0, l3_type=0x8
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0100.0000.0000
input_ifc=outside, output_ifc=any
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 172.26.0.0 255.255.255.0 inside
Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside_access_in in interface outside
access-list outside_access_in extended permit tcp any any eq www
Additional Information:
Forward Flow based lookup yields rule:
in id=0xcbfcab68, priority=13, domain=permit, deny=false
hits=0, user_data=0xc95710c0, cs_id=0x0, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=80, dscp=0x0
input_ifc=outside, output_ifc=any
Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xcb413af8, priority=0, domain=inspect-ip-options, deny=true
hits=156073, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
input_ifc=outside, output_ifc=any
Phase: 5
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xcb329d40, priority=13, domain=ipsec-tunnel-flow, deny=true
hits=15127, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
input_ifc=outside, output_ifc=any
Phase: 6
Type: HOST-LIMIT
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xcb3e85c0, priority=0, domain=host-limit, deny=false
hits=544, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
input_ifc=outside, output_ifc=any
Phase: 7
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
nat (inside,outside) source dynamic any interface
Additional Information:
Forward Flow based lookup yields rule:
out id=0xcb4792f8, priority=6, domain=nat-reverse, deny=false
hits=1, user_data=0xcb478918, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
input_ifc=outside, output_ifc=inside
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
Many thanks
on 07-04-2014 12:55 PM
Checking the packet tracer shows that the traffic is sourced from 80.224.32.102 to destination 172.26.0.249 on port 80, but it should be to the public interface IP 10.0.0.2.
If the intended static to match is the following:
object network pUERTO_80
 nat (inside,outside) static interface service tcp www www
Could you make the suggested change and run the packet tracer:
packet-tracer input outside tcp 80.224.32.102 80 10.0.1.2 80
And remember the private network is not reachable from the outside, so the HTTP connection must use the public IP, or the NATed IP, in this case the interface's.
on 07-04-2014 12:44 PM
Hello Enrique,
I see your packet tracer is not matching the correct rule for HTTP traffic and is matching the following rule:
nat (inside,outside) source dynamic any interface
Can you move this line to the bottom:
nat (inside,outside) after-auto source dynamic any interface
Remember this will be like an access list, so basically if this rule comes before the one you need for the port, it will include any traffic from inside to outside on all ports.
Regards,
Lauzamor
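The two replies above describe the same mechanism from two sides: the ASA evaluates NAT in three sections (section 1 manual NAT in config order, section 2 object/auto NAT ordered static-before-dynamic and then by specificity, section 3 manual "after-auto" NAT), and packet-tracer's rpf-check drops a new inbound connection when the rule that would translate the reply is not the rule used to untranslate the request. The following Python model is an added example, not code from the thread or from Cisco. It assumes the outside interface address 10.0.0.2 quoted in the first reply, assumes that object pUERTO_80 contains host 172.26.0.249 (the destination used in the packet-tracer output), and uses made-up rule names; it reproduces the drop seen in the trace and shows why both fixes (use the public IP, and move the dynamic PAT rule after-auto) are needed.

```python
"""Simplified model of ASA NAT section ordering and the packet-tracer rpf-check.

Added example, not part of the thread and not Cisco code. It models only what
the thread needs: the three-section NAT order and the reverse-path check run
for a new connection arriving on the mapped (outside) side.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Assumed from the first reply: the ASA's public (outside) interface address.
INTERFACE_IP = {"outside": ipaddress.IPv4Address("10.0.0.2")}
ANY = ipaddress.IPv4Network("0.0.0.0/0")


@dataclass(frozen=True)
class NatRule:
    name: str
    section: int                      # 1 manual, 2 auto (object) NAT, 3 manual after-auto
    real_ifc: str
    mapped_ifc: str
    real_net: ipaddress.IPv4Network   # real (pre-NAT) addresses
    kind: str                         # "static" or "dynamic"
    port: Optional[int] = None        # tcp port of a "service tcp X X" static rule
    order: int = 0                    # position in the running-config (sections 1 and 3)

    def mapped_ip(self) -> ipaddress.IPv4Address:
        return INTERFACE_IP[self.mapped_ifc]   # every rule in the thread maps to "interface"


def nat_table(rules):
    """Return the rules in the order the ASA evaluates them."""
    sec1 = sorted((r for r in rules if r.section == 1), key=lambda r: r.order)
    # Section 2 is not config order: static before dynamic, then fewer real
    # addresses first, then lower real address, then object name.
    sec2 = sorted((r for r in rules if r.section == 2),
                  key=lambda r: (r.kind != "static", r.real_net.num_addresses,
                                 int(r.real_net.network_address), r.name))
    sec3 = sorted((r for r in rules if r.section == 3), key=lambda r: r.order)
    return sec1 + sec2 + sec3


def untranslate(table, in_ifc, dst_ip, dst_port):
    """Forward lookup for a new connection arriving on the mapped side.
    Only a static rule can build an xlate for a packet sent to its mapped address."""
    for r in table:
        if r.kind != "static" or r.mapped_ifc != in_ifc:
            continue
        if dst_ip == r.mapped_ip() and (r.port is None or r.port == dst_port):
            return r
    return None


def reverse_rule(table, real_ifc, src_ip, src_port):
    """rpf-check: which rule would translate the reply (real side -> mapped side)?"""
    for r in table:
        if r.real_ifc != real_ifc or src_ip not in r.real_net:
            continue
        if r.port is None or r.port == src_port:
            return r
    return None


def trace_inbound(rules, in_ifc, dst_ip, dst_port):
    """Mimic packet-tracer's NAT untranslate phase followed by NAT rpf-check.
    Returns (action, rule name that decided it, real destination address)."""
    table = nat_table(rules)
    dst_ip = ipaddress.IPv4Address(dst_ip)
    fwd = untranslate(table, in_ifc, dst_ip, dst_port)
    real_ip = fwd.real_net.network_address if fwd else dst_ip
    real_ifc = fwd.real_ifc if fwd else "inside"   # assumed: route lookup puts 172.26.0.0/24 on inside
    rev = reverse_rule(table, real_ifc, real_ip, dst_port)
    if rev is fwd:                                  # reply would be translated by the same rule
        return "ALLOW", (fwd.name if fwd else "no-nat"), str(real_ip)
    return "DROP", (rev.name if rev else "none"), str(real_ip)


# Assumed object body: "object network pUERTO_80 / host 172.26.0.249".
OBJ_PORT_80 = NatRule("pUERTO_80", 2, "inside", "outside",
                      ipaddress.IPv4Network("172.26.0.249/32"), "static", port=80)


def config(pat_section):
    """The thread's two rules; pat_section=1 is the original, 3 is the after-auto fix."""
    pat = NatRule("dynamic-any-interface", pat_section, "inside", "outside", ANY, "dynamic")
    return [OBJ_PORT_80, pat]


if __name__ == "__main__":
    for sec, label in ((1, "original"), (3, "after-auto")):
        for dst in ("172.26.0.249", "10.0.0.2"):
            print(f"{label:10} dst={dst:14} ->", trace_inbound(config(sec), "outside", dst, 80))
```

With the original ordering the dynamic PAT rule sits in section 1 and wins the reverse lookup for any inside host, so the connection is dropped whether the tester aims at the private address (the trace in the thread) or at the interface address (the first reply's suggestion). Only after the PAT rule is moved to section 3 and the test targets the interface IP on port 80 does the static object rule both untranslate the request and own the reply, and the flow is allowed. The model ignores existing xlates, identity NAT and interface PAT pools, which a real ASA also consults.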