smartchecker (smartchecker) wrote in cisco_ru,

ASA 5512-X ver 9.1 PAT + Port forwarding. I'm being dense.

The topology is simple

i-net -> asa -> c3560 (за ним несколько сетей).

PAT from the internal networks out to the Internet works.
I want to forward tcp/2222 on the ASA's outside interface to an internal host on tcp/22.

It looks like everything should work, but it doesn't.


Objects
object-group network networks-to-PAT
 network-object object sandbox-network
 network-object object m-old-network
object network m-old-network
 subnet 172.30.0.0 255.255.0.0
object network sandbox-network
 subnet 172.31.10.0 255.255.255.0
object network ssh-to-sandboxSrv
 host 172.31.5.10

object network ssh-to-sandboxSrv
 nat (inside,obit) static interface service tcp ssh 2222 
!
nat (inside,obit) after-auto source dynamic networks-to-PAT interface

packet-tracer output
asa# packet-tracer input obit tcp 178.130.xx.21 11111 79.134.yy.164 2222 $

Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
object network ssh-to-sandboxSrv
 nat (inside,obit) static interface service tcp ssh 2222 
Additional Information:
NAT divert to egress interface inside
Untranslate 79.134.yy.164/2222 to 172.31.5.10/22

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group obit_access_in in interface obit
access-list obit_access_in extended permit tcp any object ssh-to-sandboxSrv eq ssh 
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7fff9e624ab0, priority=13, domain=permit, deny=false
        hits=27, user_data=0x7fff9b4d4b00, cs_id=0x0, use_real_addr, flags=0x0, protocol=6
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=172.31.5.10, mask=255.255.255.255, port=22, tag=0 dscp=0x0
        input_ifc=obit, output_ifc=any

Phase: 3
Type: NAT
Subtype: 
Result: ALLOW
Config:
nat (inside,obit) after-auto source dynamic networks-to-PAT interface
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7fff9eccb2e0, priority=6, domain=nat, deny=false
        hits=92, user_data=0x7fff9ecc63c0, cs_id=0x0, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=79.134.yy.164, mask=255.255.255.255, port=0, tag=0 dscp=0x0
        input_ifc=obit, output_ifc=inside

Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7fff9e864a60, priority=0, domain=nat-per-session, deny=false
        hits=5436, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0 dscp=0x0
        input_ifc=any, output_ifc=any

Phase: 5
Type: IP-OPTIONS
Subtype: 
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7fff9f1e1290, priority=0, domain=inspect-ip-options, deny=true
        hits=776, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0 dscp=0x0
        input_ifc=obit, output_ifc=any

Phase: 6
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
object network ssh-to-sandboxSrv
 nat (inside,obit) static interface service tcp ssh 2222 
Additional Information:
 Forward Flow based lookup yields rule:
 out id=0x7fff997999f0, priority=6, domain=nat-reverse, deny=false
        hits=92, user_data=0x7fff9fb289f0, cs_id=0x0, use_real_addr, flags=0x0, protocol=6
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=172.31.5.10, mask=255.255.255.255, port=22, tag=0 dscp=0x0
        input_ifc=obit, output_ifc=inside

Phase: 7
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
 Reverse Flow based lookup yields rule:
 in  id=0x7fff9e864a60, priority=0, domain=nat-per-session, deny=false
        hits=5438, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0 dscp=0x0
        input_ifc=any, output_ifc=any

Phase: 8
Type: IP-OPTIONS
Subtype:      
Result: ALLOW
Config:
Additional Information:
 Reverse Flow based lookup yields rule:
 in  id=0x7fff9f240930, priority=0, domain=inspect-ip-options, deny=true
        hits=987, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0 dscp=0x0
        input_ifc=inside, output_ifc=any

Phase: 9
Type: FLOW-CREATION
Subtype: 
Result: ALLOW
Config:
Additional Information:
New flow created with id 5376, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_translate
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Module information for reverse flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_tcp_normalizer
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Result:
input-interface: obit
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: allow


In the log it looks like this
6|Oct 13 2015 22:11:35|110003: Routing failed to locate next hop for TCP from obit:178.130.xx.21/48578 to inside:172.31.5.10/22

The untranslate_hits confuse me
nth-asa# sh nat

Auto NAT Policies (Section 2)
1 (inside) to (obit) source static ssh-to-sandboxSrv interface   service tcp ssh 2222 
    translate_hits = 0, untranslate_hits = 113

Manual NAT Policies (Section 3)
1 (inside) to (obit) source dynamic networks-to-PAT interface  
    translate_hits = 26, untranslate_hits = 1

Where's the mistake?
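The same inbound port-forward written out end to end, as an added example that is not part of the original post. The NAT rule and the ACL line are the ones shown above; what is added is the piece the 110003 syslog on this page points at: "Routing failed to locate next hop" for inside:172.31.5.10 means the ASA has no route for the real host on the inside interface, and 172.31.5.10 sits in neither of the PAT objects (172.30.0.0/16, 172.31.10.0/24), so it is not a subnet the ASA already knows about. The next-hop address 172.31.1.1 (the c3560 on the inside segment) and the /24 mask for the host's subnet are assumptions and must be replaced with the real values; the verification commands at the end are standard ASA 9.x commands.

```cisco
! Added example, not from the original post: tcp/2222 on the outside (obit)
! interface -> 172.31.5.10:22 on the inside, on ASA 9.1.
object network ssh-to-sandboxSrv
 host 172.31.5.10
 nat (inside,obit) static interface service tcp ssh 2222
!
! The ACL on the outside interface is evaluated against the real (post-UN-NAT)
! address and port, so it permits the object and port 22, not port 2222.
access-list obit_access_in extended permit tcp any object ssh-to-sandboxSrv eq ssh
access-group obit_access_in in interface obit
!
! The static NAT rule diverts the packet to "inside", but the ASA still needs a
! next hop on that interface for 172.31.5.10. 172.31.5.0/24 is not a directly
! connected network and is not covered by the PAT objects (172.30.0.0/16,
! 172.31.10.0/24), so it must be routed via the c3560.
! ASSUMPTION: next hop 172.31.1.1 and mask /24 are placeholders.
route inside 172.31.5.0 255.255.255.0 172.31.1.1 1
!
! Verification: the route the divert needs, the hit counters, and a full trace.
show route 172.31.5.10
show nat detail
packet-tracer input obit tcp 178.130.xx.21 11111 79.134.yy.164 2222 detailed
show logging | include 110003
```

A useful check when reading the counters: untranslate_hits on the static rule count inbound packets that matched the 2222 -> 22 mapping, while translate_hits only grow when the inside host itself initiates outbound traffic through that rule, so translate_hits = 0 with untranslate_hits > 0 is consistent with inbound packets being untranslated and then dropped at the routing step rather than with the NAT rule not matching.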