https://community.cisco.com/t5/network-security/dynamic-nat-issues-asa-8-2/m-p/3184894#M1066114 Here it shows that nat is working. Your traffic is natted on ip 10.8.60.4 that should correspond to your outside interface. <BR /><BR />What's behind asa? Because this is a private ip and not a public IP. <BR />Did you checked on that device what's going on? <BR /> Fri, 15 Sep 2017 21:48:55 GMT Francesco Molino 2017-09-15T21:48:55Z https://community.cisco.com/t5/network-security/dynamic-nat-issues-asa-8-2/m-p/3184400#M1066109 <P>Hi,</P><P>&nbsp;</P><P>It's been a few days that I'm trying to figure this out and I didn't find why my NAT is not working. ( ICMP Packets dropped by NAT rule, no internet connection even though the firewall is WIDE OPEN).</P><P>&nbsp;</P><P>I try to get a dynamic NAT with the outside Vlan being on eth0/0 assigned by DHCP on an other vlan network</P><P>my inside Vlan is&nbsp; 10.200.0.0/16, any eth &gt; eth0/0</P><P>&nbsp;</P><P>I'm fairly new in configuring NAT so I might have forgot something obvious.</P><P>&nbsp;</P><P>Here is the config:</P><P>ASA Version 8.2(5)<BR />!<BR />hostname Firewall1<BR />enable password n8g4OAMVUv3ysq.k encrypted<BR />passwd 2KFQnbNIdI.2KYOU encrypted<BR />names<BR />name 10.200.0.0 inside<BR />!<BR />interface Ethernet0/0<BR />&nbsp;switchport access vlan 2<BR />!<BR />interface Ethernet0/1<BR />!<BR />interface Ethernet0/2<BR />!<BR />interface Ethernet0/3<BR />!<BR />interface Ethernet0/4<BR />!<BR />interface Ethernet0/5<BR />!<BR />interface Ethernet0/6<BR />!<BR />interface Ethernet0/7<BR />!<BR />interface Vlan1<BR />&nbsp;nameif inside<BR />&nbsp;security-level 100<BR />&nbsp;ip address 10.200.2.2 255.255.255.0<BR />!<BR />interface Vlan2<BR />&nbsp;nameif outside<BR />&nbsp;security-level 100<BR />&nbsp;ip address dhcp setroute<BR />!<BR />ftp mode passive<BR />same-security-traffic permit inter-interface<BR />same-security-traffic permit intra-interface<BR />object-group protocol TCPUDP<BR />&nbsp;protocol-object udp<BR />&nbsp;protocol-object tcp<BR />access-list insideVlan_access_in extended permit ip any any<BR />access-list outside_access_in extended permit ip any any<BR />access-list aclIn extended permit ip any any<BR />access-list insideVlan_access_out extended permit ip any any<BR />access-list outside_access_out extended permit ip any any<BR />access-list inside_nat_outbound extended permit ip inside 255.255.0.0 any<BR />pager lines 24<BR />mtu inside 1500<BR />mtu outside 1500<BR />ipv6 access-list insideVlan_access_ipv6_in permit ip any any<BR />ipv6 access-list outside_access_ipv6_in permit ip any any<BR />icmp unreachable rate-limit 1 burst-size 1<BR />no asdm history enable<BR />arp timeout 14400<BR />global (outside) 1 interface<BR />nat (inside) 1 access-list inside_nat_outbound<BR />nat (inside) 1 inside 255.255.0.0<BR />access-group insideVlan_access_in in interface inside<BR />access-group insideVlan_access_out out interface inside<BR />access-group insideVlan_access_ipv6_in in interface inside<BR />access-group outside_access_in in interface outside<BR />access-group outside_access_out out interface outside<BR />access-group outside_access_ipv6_in in interface outside</P><P>&nbsp;</P><P>&nbsp;</P><P>Thanks for your help!</P> Fri, 21 Feb 2020 14:18:26 GMT https://community.cisco.com/t5/network-security/dynamic-nat-issues-asa-8-2/m-p/3184400#M1066109 Iridescence 2020-02-21T14:18:26Z https://community.cisco.com/t5/network-security/dynamic-nat-issues-asa-8-2/m-p/3184438#M1066110 Hi<BR /><BR />If you want to nat your inside network to outside for getting internet access, you'll need to change your nat config like:<BR /><BR />no nat (inside) 1 inside 255.255.0.0<BR />no nat (inside) 1 access-list inside_nat_outbound<BR />nat (inside) 1 0.0.0.0 0.0.0.0<BR /><BR /> Fri, 15 Sep 2017 00:20:09 GMT https://community.cisco.com/t5/network-security/dynamic-nat-issues-asa-8-2/m-p/3184438#M1066110 Francesco Molino 2017-09-15T00:20:09Z https://community.cisco.com/t5/network-security/dynamic-nat-issues-asa-8-2/m-p/3184644#M1066111 <P>Hi, thank you for your answer.</P><P>Unfortunately these change don't solve the issue, I still have the packets dropped by the nat rule when I try an ICMP packet in the ASDM interface. And I still have no internet connection.</P><P>&nbsp;</P><P>I don't really understand why I should use an 'any' source in my NAT rule as I know that any source will be on my subnet 10.200.0.0/16</P> Fri, 15 Sep 2017 12:28:14 GMT https://community.cisco.com/t5/network-security/dynamic-nat-issues-asa-8-2/m-p/3184644#M1066111 Iridescence 2017-09-15T12:28:14Z https://community.cisco.com/t5/network-security/dynamic-nat-issues-asa-8-2/m-p/3184691#M1066112 You don't need to use any.<BR />you can also use: nat (inside) 1 10.200.0.0 255.255.0.0<BR /><BR />Can you run the packet-tracer command below and paste the output in a text file:<BR />packet-tracer input inside icmp 10.200.10.1 8 0 8.8.8.8<BR /><BR /><BR /> Fri, 15 Sep 2017 13:54:40 GMT https://community.cisco.com/t5/network-security/dynamic-nat-issues-asa-8-2/m-p/3184691#M1066112 Francesco Molino 2017-09-15T13:54:40Z https://community.cisco.com/t5/network-security/dynamic-nat-issues-asa-8-2/m-p/3184872#M1066113 Here is the output:<BR /><BR />Firewall1# packet-tracer input inside icmp 10.200.10.1 8 0 8.8.8.8<BR /><BR />Phase: 1<BR />Type: ACCESS-LIST<BR />Subtype:<BR />Result: ALLOW<BR />Config:<BR />Implicit Rule<BR />Additional Information:<BR />MAC Access list<BR /><BR />Phase: 2<BR />Type: ROUTE-LOOKUP<BR />Subtype: input<BR />Result: ALLOW<BR />Config:<BR />Additional Information:<BR />in 0.0.0.0 0.0.0.0 outside<BR /><BR />Phase: 3<BR />Type: ACCESS-LIST<BR />Subtype: log<BR />Result: ALLOW<BR />Config:<BR />access-group insideVlan_access_in in interface inside<BR />access-list insideVlan_access_in extended permit ip any any<BR />Additional Information:<BR /><BR />Phase: 4<BR />Type: IP-OPTIONS<BR />Subtype:<BR />Result: ALLOW<BR />Config:<BR />Additional Information:<BR /><BR />Phase: 5<BR />Type: INSPECT<BR />Subtype: np-inspect<BR />Result: ALLOW<BR />Config:<BR />Additional Information:<BR /><BR />Phase: 6<BR />Type: NAT<BR />Subtype:<BR />Result: ALLOW<BR />Config:<BR />nat (inside) 1 inside 255.255.0.0<BR />match ip inside inside 255.255.0.0 outside any<BR />dynamic translation to pool 1 (10.8.60.4 [Interface PAT])<BR />translate_hits = 1, untranslate_hits = 0<BR />Additional Information:<BR />Dynamic translate 10.200.10.1/0 to 10.8.60.4/61870 using netmask 255.255.255.255<BR /><BR />Phase: 7<BR />Type: NAT<BR />Subtype: host-limits<BR />Result: ALLOW<BR />Config:<BR />nat (inside) 1 inside 255.255.0.0<BR />match ip inside inside 255.255.0.0 inside any<BR />dynamic translation to pool 1 (No matching global)<BR />translate_hits = 0, untranslate_hits = 0<BR />Additional Information:<BR /><BR />Phase: 8<BR />Type: ACCESS-LIST<BR />Subtype: log<BR />Result: ALLOW<BR />Config:<BR />access-group outside_access_out out interface outside<BR />access-list outside_access_out extended permit ip any any<BR />Additional Information:<BR /><BR />Phase: 9<BR />Type: FLOW-CREATION<BR />Subtype:<BR />Result: ALLOW<BR />Config:<BR />Additional Information:<BR />New flow created with id 447, packet dispatched to next module<BR /><BR />Result:<BR />input-interface: inside<BR />input-status: up<BR />input-line-status: up<BR />output-interface: outside<BR />output-status: up<BR />output-line-status: up<BR />Action: allow<BR /> Fri, 15 Sep 2017 20:36:52 GMT https://community.cisco.com/t5/network-security/dynamic-nat-issues-asa-8-2/m-p/3184872#M1066113 Iridescence 2017-09-15T20:36:52Z https://community.cisco.com/t5/network-security/dynamic-nat-issues-asa-8-2/m-p/3184894#M1066114 Here it shows that nat is working. Your traffic is natted on ip 10.8.60.4 that should correspond to your outside interface. <BR /><BR />What's behind asa? Because this is a private ip and not a public IP. <BR />Did you checked on that device what's going on? <BR /> Fri, 15 Sep 2017 21:48:55 GMT https://community.cisco.com/t5/network-security/dynamic-nat-issues-asa-8-2/m-p/3184894#M1066114 Francesco Molino 2017-09-15T21:48:55Z https://community.cisco.com/t5/network-security/dynamic-nat-issues-asa-8-2/m-p/3184900#M1066115 <P>Unfortunately I don't know. I'm not in charge of this network. But I have been told that it is all set up and ready for connecting my network through NAT with the asa. I only know that the gateway is 10.8.60.1 , and that I get an ip by dhcp</P> Fri, 15 Sep 2017 22:56:20 GMT https://community.cisco.com/t5/network-security/dynamic-nat-issues-asa-8-2/m-p/3184900#M1066115 Iridescence 2017-09-15T22:56:20Z https://community.cisco.com/t5/network-security/dynamic-nat-issues-asa-8-2/m-p/3184907#M1066116 Ok try to ping the gateway with an internal host. <BR />If that works, this is not an asa issue.<BR /> Fri, 15 Sep 2017 23:30:30 GMT https://community.cisco.com/t5/network-security/dynamic-nat-issues-asa-8-2/m-p/3184907#M1066116 Francesco Molino 2017-09-15T23:30:30Z https://community.cisco.com/t5/network-security/dynamic-nat-issues-asa-8-2/m-p/3185009#M1066117 <P>General failure when I tried to ping the gateway.</P><P>Pinging a machine inside my network works though</P> Sat, 16 Sep 2017 13:16:41 GMT https://community.cisco.com/t5/network-security/dynamic-nat-issues-asa-8-2/m-p/3185009#M1066117 Iridescence 2017-09-16T13:16:41Z https://community.cisco.com/t5/network-security/dynamic-nat-issues-asa-8-2/m-p/3185058#M1066118 can you share a show route output from asa?<BR /><BR />Can you ping your outside gateway from asa doing ping outside command?<BR /> Sat, 16 Sep 2017 19:39:05 GMT https://community.cisco.com/t5/network-security/dynamic-nat-issues-asa-8-2/m-p/3185058#M1066118 Francesco Molino 2017-09-16T19:39:05Z https://community.cisco.com/t5/network-security/dynamic-nat-issues-asa-8-2/m-p/3186279#M1066119 <P><BR />Firewall1# show route<BR /><BR />Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; * - candidate default, U - per-user static route, o - ODR<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; P - periodic downloaded static route<BR /><BR />Gateway of last resort is 10.8.60.1 to network 0.0.0.0<BR /><BR />C&nbsp;&nbsp;&nbsp; 10.8.60.0 255.255.254.0 is directly connected, outside<BR />C&nbsp;&nbsp;&nbsp; 10.200.2.0 255.255.255.0 is directly connected, inside<BR />d*&nbsp;&nbsp; 0.0.0.0 0.0.0.0 [1/0] via 10.8.60.1, outside</P><P>&nbsp;</P><P>&nbsp;</P><P>and the ping</P><P>&nbsp;</P><P>Firewall1# ping 10.8.60.1<BR />Type escape sequence to abort.<BR />Sending 5, 100-byte ICMP Echos to 10.8.60.1, timeout is 2 seconds:<BR />!!!!!<BR />Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms</P> Tue, 19 Sep 2017 19:52:12 GMT https://community.cisco.com/t5/network-security/dynamic-nat-issues-asa-8-2/m-p/3186279#M1066119 Iridescence 2017-09-19T19:52:12Z