https://community.cisco.com/t5/network-security/cisco-asa-static-nat-issue-with-server-not-connected-directly-to/m-p/4967421#M1106321 <P>I don't have access to exact switches and firewalls but what I did was to replicate the same scenario in my EVE-NG lab and I noticed I have the same issue here so I must be doing something stupid.<BR /><BR /><STRONG>Configurations</STRONG>:<BR />!<BR />interface GigabitEthernet0/1<BR />nameif outside<BR />security-level 0<BR />ip address 10.1.15.82 255.255.255.0<BR />!<BR />interface GigabitEthernet0/2<BR />nameif inside<BR />security-level 100<BR />ip address 192.168.0.203 255.255.255.0<BR />!<BR />object network AIMS<BR />host 192.168.0.88<BR />object network SWITCH<BR />host 192.168.0.201<BR />!<BR />object network AIMS<BR />nat (inside,outside) static 10.1.15.81<BR />object network SWITCH<BR />nat (inside,outside) static 10.1.15.83<BR />!<BR />access-list PASS extended permit ip any any<BR />access-group PASS in interface outside<BR />access-group PASS out interface outside<BR />!<BR /><BR />------------------------------------------</P><P><STRONG>Verifications</STRONG>:<BR />From PC:<BR /><BR />ciscoasa# show xlate<BR />2 in use, 2 most used<BR />Flags: D - DNS, e - extended, I - identity, i - dynamic, r - portmap,<BR />s - static, T - twice, N - net-to-net<BR />NAT from inside:192.168.0.88 to outside:10.1.15.81<BR />flags s idle 0:00:51 timeout 0:00:00<BR />NAT from inside:192.168.0.201 to outside:10.1.15.83<BR />flags s idle 0:06:20 timeout 0:00:00<BR /><BR /></P><P>ciscoasa# show nat</P><P>Auto NAT Policies (Section 2)<BR />1 (inside) to (outside) source static AIMS 10.1.15.81<BR />translate_hits = 0, untranslate_hits = 16<BR />2 (inside) to (outside) source static SWITCH 10.1.15.83<BR />translate_hits = 1, untranslate_hits = 5<BR /><BR /><BR />ciscoasa# show access-list<BR />access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)<BR />alert-interval 300<BR />access-list PASS; 1 elements; name hash: 0x69403060<BR />access-list PASS line 1 extended permit ip any any (hitcnt=22) 0x7e6cca6f&nbsp;<BR /><BR /></P><P>&nbsp;</P><P>&nbsp;</P> Tue, 28 Nov 2023 12:54:13 GMT Atif Masood 2023-11-28T12:54:13Z https://community.cisco.com/t5/network-security/cisco-asa-static-nat-issue-with-server-not-connected-directly-to/m-p/4967286#M1106305 <P>I am trying to use Static NAT to NAT my internal sever accessible from outside interface.<BR />I am able to NAT the switch connected directly to ASA Firewall however it doesn’t work for device hanging off from that switch.<BR />Am I doing something wrong?</P><P>I have drawn my topology here and also the ASA software version is 9.12</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Firewall NAT Issue.png" style="width: 693px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/203547i1306E405A4B254F9/image-size/large?v=v2&amp;px=999" role="button" title="Firewall NAT Issue.png" alt="Firewall NAT Issue.png" /></span></P> Tue, 28 Nov 2023 08:52:59 GMT https://community.cisco.com/t5/network-security/cisco-asa-static-nat-issue-with-server-not-connected-directly-to/m-p/4967286#M1106305 Atif Masood 2023-11-28T08:52:59Z https://community.cisco.com/t5/network-security/cisco-asa-static-nat-issue-with-server-not-connected-directly-to/m-p/4967341#M1106311 <P>Did you config acl to allow ping from outside to inside?</P> Tue, 28 Nov 2023 10:21:50 GMT https://community.cisco.com/t5/network-security/cisco-asa-static-nat-issue-with-server-not-connected-directly-to/m-p/4967341#M1106311 MHM Cisco World 2023-11-28T10:21:50Z https://community.cisco.com/t5/network-security/cisco-asa-static-nat-issue-with-server-not-connected-directly-to/m-p/4967349#M1106312 <P>yes I applied access list to permit all traffic.<BR />The other NAT entry for the directly connected switch to Firewall is working without any issues.<BR /><BR />access-list PASS extended permit ip&nbsp;any&nbsp;any<BR />access-group PASS in interface outside<BR />access-group PASS out interface outside</P> Tue, 28 Nov 2023 10:33:49 GMT https://community.cisco.com/t5/network-security/cisco-asa-static-nat-issue-with-server-not-connected-directly-to/m-p/4967349#M1106312 Atif Masood 2023-11-28T10:33:49Z https://community.cisco.com/t5/network-security/cisco-asa-static-nat-issue-with-server-not-connected-directly-to/m-p/4967352#M1106313 <P>From asa&nbsp;</P> <P>Show nat&nbsp;</P> <P>I need to see translate and untranslate count.</P> <P>MHM</P> Tue, 28 Nov 2023 10:42:12 GMT https://community.cisco.com/t5/network-security/cisco-asa-static-nat-issue-with-server-not-connected-directly-to/m-p/4967352#M1106313 MHM Cisco World 2023-11-28T10:42:12Z https://community.cisco.com/t5/network-security/cisco-asa-static-nat-issue-with-server-not-connected-directly-to/m-p/4967421#M1106321 <P>I don't have access to exact switches and firewalls but what I did was to replicate the same scenario in my EVE-NG lab and I noticed I have the same issue here so I must be doing something stupid.<BR /><BR /><STRONG>Configurations</STRONG>:<BR />!<BR />interface GigabitEthernet0/1<BR />nameif outside<BR />security-level 0<BR />ip address 10.1.15.82 255.255.255.0<BR />!<BR />interface GigabitEthernet0/2<BR />nameif inside<BR />security-level 100<BR />ip address 192.168.0.203 255.255.255.0<BR />!<BR />object network AIMS<BR />host 192.168.0.88<BR />object network SWITCH<BR />host 192.168.0.201<BR />!<BR />object network AIMS<BR />nat (inside,outside) static 10.1.15.81<BR />object network SWITCH<BR />nat (inside,outside) static 10.1.15.83<BR />!<BR />access-list PASS extended permit ip any any<BR />access-group PASS in interface outside<BR />access-group PASS out interface outside<BR />!<BR /><BR />------------------------------------------</P><P><STRONG>Verifications</STRONG>:<BR />From PC:<BR /><BR />ciscoasa# show xlate<BR />2 in use, 2 most used<BR />Flags: D - DNS, e - extended, I - identity, i - dynamic, r - portmap,<BR />s - static, T - twice, N - net-to-net<BR />NAT from inside:192.168.0.88 to outside:10.1.15.81<BR />flags s idle 0:00:51 timeout 0:00:00<BR />NAT from inside:192.168.0.201 to outside:10.1.15.83<BR />flags s idle 0:06:20 timeout 0:00:00<BR /><BR /></P><P>ciscoasa# show nat</P><P>Auto NAT Policies (Section 2)<BR />1 (inside) to (outside) source static AIMS 10.1.15.81<BR />translate_hits = 0, untranslate_hits = 16<BR />2 (inside) to (outside) source static SWITCH 10.1.15.83<BR />translate_hits = 1, untranslate_hits = 5<BR /><BR /><BR />ciscoasa# show access-list<BR />access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)<BR />alert-interval 300<BR />access-list PASS; 1 elements; name hash: 0x69403060<BR />access-list PASS line 1 extended permit ip any any (hitcnt=22) 0x7e6cca6f&nbsp;<BR /><BR /></P><P>&nbsp;</P><P>&nbsp;</P> Tue, 28 Nov 2023 12:54:13 GMT https://community.cisco.com/t5/network-security/cisco-asa-static-nat-issue-with-server-not-connected-directly-to/m-p/4967421#M1106321 Atif Masood 2023-11-28T12:54:13Z https://community.cisco.com/t5/network-security/cisco-asa-static-nat-issue-with-server-not-connected-directly-to/m-p/4967483#M1106324 <P>Ok' the server use fw as gw or svi of vlan in sw?</P> <P>The server must use fw as gw.</P> <P>MHM</P> Tue, 28 Nov 2023 14:03:10 GMT https://community.cisco.com/t5/network-security/cisco-asa-static-nat-issue-with-server-not-connected-directly-to/m-p/4967483#M1106324 MHM Cisco World 2023-11-28T14:03:10Z https://community.cisco.com/t5/network-security/cisco-asa-static-nat-issue-with-server-not-connected-directly-to/m-p/4967891#M1106344 <P>Yes, that was the issue - Its fixed after I changed GW to FW <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span><BR />Thanks for your help.</P> Wed, 29 Nov 2023 03:16:54 GMT https://community.cisco.com/t5/network-security/cisco-asa-static-nat-issue-with-server-not-connected-directly-to/m-p/4967891#M1106344 Atif Masood 2023-11-29T03:16:54Z