Help to Configure NAT on ASA5505

enrique.jara
Level 1

Hi, I'm trying to configure NAT, but it does not work. Can someone help me please? I attach a file with the configuration.

Regards!

4 REPLIES

Jorge Garcia
Cisco Employee

Hi Enrique,

I hope everything is going great! I can see you already have some NATs configured on your ASA5505. Could you give a bit more information about your problem?

[1] Which NAT is the one that is not working correctly?

[2] What would be the purpose of this new NAT?

[3] Could you send me the output after running the following command?

asa# packet-tracer input [src_int] protocol src_addr src_port dest_addr  dest_port detailed

Thanks in advance for the information,

Have a great day,

Kind regards,

Osvaldo Garcia

Hi Osvaldo,

The NAT that is configured does not work. Until now there was no NAT configured, and what I did was add the rules that are in the configuration I attached.

Here is what you asked for; let's see if it helps us.

#  packet-tracer input outside tcp 80.224.32.102 http 172.26.0.249 http ?                       

  detailed  Dump more detailed information
  xml       Output in xml format
  <cr>
ASALapunte# $ tcp 80.224.32.102 http 172.26.0.249 http de
ASALapunte# packet-tracer input outside tcp 80.224.32.102 http 172.26.0.249 ht$

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xcb40fc00, priority=1, domain=permit, deny=false
        hits=7681034, user_data=0x0, cs_id=0x0, l3_type=0x8
        src mac=0000.0000.0000, mask=0000.0000.0000
        dst mac=0000.0000.0000, mask=0100.0000.0000
        input_ifc=outside, output_ifc=any

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   172.26.0.0      255.255.255.0   inside

Phase: 3
Type: ACCESS-LIST
Subtype: log  
Result: ALLOW
Config:
access-group outside_access_in in interface outside
access-list outside_access_in extended permit tcp any any eq www
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xcbfcab68, priority=13, domain=permit, deny=false
        hits=0, user_data=0xc95710c0, cs_id=0x0, use_real_addr, flags=0x0, protocol=6
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=80, dscp=0x0
        input_ifc=outside, output_ifc=any

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xcb413af8, priority=0, domain=inspect-ip-options, deny=true
        hits=156073, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
        input_ifc=outside, output_ifc=any

Phase: 5
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xcb329d40, priority=13, domain=ipsec-tunnel-flow, deny=true
        hits=15127, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
        input_ifc=outside, output_ifc=any

Phase: 6
Type: HOST-LIMIT
Subtype:
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xcb3e85c0, priority=0, domain=host-limit, deny=false
        hits=544, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
        input_ifc=outside, output_ifc=any

Phase: 7
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
nat (inside,outside) source dynamic any interface
Additional Information:
 Forward Flow based lookup yields rule:
 out id=0xcb4792f8, priority=6, domain=nat-reverse, deny=false
        hits=1, user_data=0xcb478918, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
        input_ifc=outside, output_ifc=inside

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

Thank you very much

Checking the packet tracer shows that the traffic is sourced from 80.224.32.102 to destination 172.26.0.249 on port 80, but it should be to the public interface IP 10.0.0.2.

If the intended static to match is the following:

object network pUERTO_80
 nat (inside,outside) static interface service tcp www www 

Could you make the suggested change and run the packet tracer:

packet-tracer input outside tcp 80.224.32.102 80 10.0.1.2 80

And remember the private network is not available from the outside, so the HTTP connection must use the public IP, or the NATted IP, which in this case is the interface's.

Laura Zamora
Level 1

Hello Enrique,

I see your packet tracer is not matching the correct rule for HTTP traffic and is matching the following rule:

nat (inside,outside) source dynamic any interface

Can you move this line to the bottom:

nat (inside,outside) after-auto source dynamic any interface

Remember this will be like an access list, so basically if this rule comes before the one you need for the port, it will include any traffic from inside to outside on all ports.

Regards,

Lauzamor
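As an added example (not part of this thread and not Cisco code), the following Python model shows why Laura's reordering and the earlier "use the public IP" remark matter. It walks a simplified three-section ASA NAT table (section 1 manual NAT, section 2 object NAT, section 3 manual NAT with after-auto) for a new inbound connection arriving on outside and reports which rule is hit first. The rules and addresses are the ones quoted in the thread; the evaluation logic (first match wins, a dynamic rule cannot untranslate a new inbound connection, a packet sent to a translated host's real address fails the rpf-check) is a simplification assumed for illustration, not the ASA's actual implementation.

```python
# Added example, not from the thread: a simplified model of the ASA's
# three NAT sections, evaluated for a new inbound (outside -> inside) flow.
# Evaluation order and drop reasons are an assumption made for illustration.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

OUTSIDE_IF_IP = "10.0.0.2"   # public address of the outside interface, from the thread


@dataclass(frozen=True)
class NatRule:
    section: int                      # 1 = manual, 2 = object (auto), 3 = manual after-auto
    kind: str                         # "static" or "dynamic"
    real: str                         # real (inside) host or network
    mapped_ip: str                    # mapped (outside) address
    real_port: Optional[int] = None   # None means all ports
    mapped_port: Optional[int] = None
    config: str = ""                  # the CLI line the rule came from


def ordered(rules):
    """Section order first; within a section, configuration order (sort is stable)."""
    return sorted(rules, key=lambda r: r.section)


def inbound_lookup(rules, dst_ip, dst_port):
    """Classify a new connection arriving on outside for dst_ip:dst_port.

    Returns (verdict, detail):
      ("allow", (real_ip, real_port))  first match is a static rule that can untranslate
      ("drop-dynamic", rule)           first match is dynamic: no xlate exists, cannot untranslate
      ("drop-rpf", rule)               destination is the real (private) address of a translated host
      ("no-nat", None)                 no rule involved at all
    """
    for rule in ordered(rules):
        if rule.mapped_ip != dst_ip:
            continue
        if rule.mapped_port is not None and rule.mapped_port != dst_port:
            continue
        if rule.kind == "dynamic":
            return "drop-dynamic", rule
        real_port = rule.real_port if rule.real_port is not None else dst_port
        return "allow", (rule.real, real_port)
    # rpf-check: the packet was sent to the real address of a host that a rule translates
    for rule in ordered(rules):
        if ip_address(dst_ip) in ip_network(rule.real, strict=False):
            return "drop-rpf", rule
    return "no-nat", None


# The three rules discussed in the thread
SECTION1_DYNAMIC = NatRule(1, "dynamic", "0.0.0.0/0", OUTSIDE_IF_IP,
                           config="nat (inside,outside) source dynamic any interface")
OBJECT_STATIC_80 = NatRule(2, "static", "172.26.0.249", OUTSIDE_IF_IP, 80, 80,
                           config="object network pUERTO_80: nat (inside,outside) static interface service tcp www www")
AFTER_AUTO_DYNAMIC = NatRule(3, "dynamic", "0.0.0.0/0", OUTSIDE_IF_IP,
                             config="nat (inside,outside) after-auto source dynamic any interface")

BEFORE = [SECTION1_DYNAMIC, OBJECT_STATIC_80]    # configuration as posted
AFTER = [OBJECT_STATIC_80, AFTER_AUTO_DYNAMIC]   # after moving the dynamic rule to after-auto


def explain(rules, dst_ip, dst_port):
    """Human-readable version of inbound_lookup, in the spirit of packet-tracer's Result block."""
    verdict, detail = inbound_lookup(rules, dst_ip, dst_port)
    if verdict == "allow":
        real_ip, real_port = detail
        return f"allow: {dst_ip}:{dst_port} untranslated to {real_ip}:{real_port}"
    if verdict == "drop-dynamic":
        return f"drop: first matching rule is dynamic -> {detail.config}"
    if verdict == "drop-rpf":
        return f"drop (rpf-check): {dst_ip} is a real address translated by -> {detail.config}"
    return "no NAT rule applies"


if __name__ == "__main__":
    for label, rules in (("as posted", BEFORE), ("with after-auto", AFTER)):
        print(f"[{label}] {OUTSIDE_IF_IP}:80  ->", explain(rules, OUTSIDE_IF_IP, 80))
        print(f"[{label}] {OUTSIDE_IF_IP}:443 ->", explain(rules, OUTSIDE_IF_IP, 443))
        print(f"[{label}] 172.26.0.249:80 ->", explain(rules, "172.26.0.249", 80))
```

With the posted ordering the section-1 dynamic rule is consulted before the object NAT, so a connection to the interface IP on port 80 has no usable translation and is dropped; once that rule sits in section 3 (after-auto), the static object NAT matches first and untranslates to 172.26.0.249:80, while ports with no static rule still fall through to the dynamic rule and are dropped. Tracing to the private address from outside, as in the thread's packet-tracer, is reported as an rpf-check drop against the rule that covers that host, which is why the public (mapped) address has to be used in the test.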
