topic Re: ASA 9.8(1) issue with NAT Rules in Network Security

ASA 9.8(1) issue with NAT Rules

tlebouef — Fri, 21 Feb 2020 15:20:47 GMT

object network GUEST-INTERNET

subnet 10.205.64.0 255.255.252.0

object network GUEST-INTERNET

nat (extranet,outside) dynamic xxx.xx.199.135

Auto NAT Policies (Section 2)

2 (extranet) to (outside) source dynamic GUEST-INTERNET xxx.xx.199.135

translate_hits = 3536082, untranslate_hits = 32663

Source - Origin: 10.205.64.0/22, Translated: xxx.xx.199.135/32

3 (extranet) to (inside) source dynamic VPN_USER_POOL interface

translate_hits = 3369448, untranslate_hits = 283060

Source - Origin: 10.254.32.0/22, Translated: 10.254.28.113/28

4 (extranet) to (outside) source dynamic EXTRANET_ANY interface

translate_hits = 33130812, untranslate_hits = 62286

Source - Origin: 0.0.0.0/0, Translated: xxx.xx.199.140/28

But users are still reporting to be using the xxx.xx.199.140 address when validating via whatismyip ?

There must be a way to Exclude and Include ?

Re: ASA 9.8(1) issue with NAT Rules

Francesco Molino — Wed, 14 Feb 2018 02:48:34 GMT

Users complaining are in which subnet?

Can you share please the output of the following command:

packet-tracer in extranet tcp 10.205.64.10 8 0 8.8.8.8

Re: ASA 9.8(1) issue with NAT Rules

tlebouef — Tue, 20 Feb 2018 22:36:30 GMT

The users on the 10.205.64.0/24 subnet.

We migrated to another firewall and it worked after we did.

So something was stuck on the firewall from making it work and I didn't have a compelling reason at the time to pull out all the nats and put them all back in.

I did do a clear xlate several times while testing.

Packets were getting to the firewall just not out to the outside world.

Thanks