topic If not needed, could you in Network Security https://community.cisco.com/t5/network-security/dynamic-nat-pat-problems/m-p/3027948#M135972 <P>If not needed, could you please remove below NAT statements.</P> <P></P> <P><SPAN>nat (inside) 0 access-list inside1_nat0_outbound</SPAN><BR /><BR /><SPAN>nat (ASSR-TRSR) 0 access-list inside_nat0_outbound</SPAN></P> <P><SPAN></SPAN></P> <P><SPAN>Once done, please try to initiate a packet-tracer and let me know how it goes.</SPAN></P> <P><SPAN></SPAN></P> <P><SPAN>-AJ</SPAN></P> Wed, 03 May 2017 14:32:55 GMT Ajay Saini 2017-05-03T14:32:55Z Dynamic NAT/PAT problems https://community.cisco.com/t5/network-security/dynamic-nat-pat-problems/m-p/3027939#M135963 <P>We are having issues with communication between private networks using a Cisco ASA 5505. &nbsp;When we do a packet tracer we receive the following error.</P> <P>no nat (inside) 0 access-list inside_nat0_outbound<BR />no nat (ASSR-TRSR) 0 access-list inside1_nat0_outbound<BR />nat (inside) 0 access-list inside1_nat0_outbound<BR />nat (ASSR-TRSR) 0 access-list inside_nat0_outbound</P> <P>We are trying to allow communication between the ASSR-TRSR network (192.168.100.x) and the inside (192.168.0.1/23)&nbsp;</P> <P>Here is the config:</P> <P></P> <P>Result of the command: "sho run"</P> <P>: Saved<BR />:<BR />ASA Version 7.2(4) <BR />!<BR />hostname BlaineCountyASA<BR />domain-name default.domain.invalid<BR />names<BR />!<BR />interface Vlan1<BR /> no nameif<BR /> no security-level<BR /> no ip address<BR />!<BR />interface Vlan2<BR /> nameif outside<BR /> security-level 0<BR /> ip address 64.250.198.160 255.255.255.0 <BR />!<BR />interface Vlan4<BR /> nameif inside<BR /> security-level 100<BR /> ip address 192.168.1.1 255.255.254.0 <BR />!<BR />interface Vlan6<BR /> nameif ASSR-TRSR<BR /> security-level 100<BR /> ip address 192.168.100.2 255.255.255.0 <BR />!<BR />interface Ethernet0/0<BR /> switchport access vlan 2<BR />!<BR />interface Ethernet0/1<BR /> switchport access vlan 4<BR />!<BR />interface Ethernet0/2<BR /> switchport access vlan 4<BR />!<BR />interface Ethernet0/3<BR /> switchport access vlan 6<BR />!<BR />interface Ethernet0/4<BR /> switchport access vlan 3<BR />!<BR />interface Ethernet0/5<BR /> switchport access vlan 4<BR />!<BR />interface Ethernet0/6<BR /> switchport access vlan 4<BR />!<BR />interface Ethernet0/7<BR /> switchport access vlan 4<BR />!<BR />ftp mode passive<BR />clock timezone CST -6<BR />clock summer-time CDT recurring<BR />dns server-group DefaultDNS<BR /> domain-name default.domain.invalid<BR />same-security-traffic permit inter-interface<BR />same-security-traffic permit intra-interface<BR />object-group service PC_Anywhere tcp-udp<BR /> description PC Anywhere<BR /> port-object eq 5630<BR /> port-object eq 5631<BR />access-list 101 extended permit tcp host 64.250.192.5 any eq ssh <BR />access-list 101 extended permit tcp host 208.87.239.180 any eq ssh <BR />access-list 101 extended permit tcp host 65.255.81.200 any eq ssh inactive <BR />access-list 101 extended permit tcp host 65.255.81.202 any eq ssh inactive <BR />access-list 101 extended permit tcp any any eq www <BR />access-list 101 extended permit tcp any any eq 59002 <BR />access-list 101 extended permit udp any any eq 59002 <BR />access-list 101 extended permit ip any host 64.250.198.162 inactive <BR />access-list 101 extended permit tcp any any eq 3389 <BR />access-list 101 extended permit tcp any host 64.250.198.161 eq pcanywhere-data <BR />access-list 101 extended permit tcp 64.250.194.240 255.255.255.248 any eq telnet <BR />access-list 101 extended permit ip any any <BR />access-list 101 extended permit tcp host 64.250.192.5 any eq 8080 <BR />access-list 101 extended permit tcp host 64.250.192.5 any eq telnet <BR />access-list Pioneer_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0 <BR />access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.254.0 192.168.1.180 255.255.255.252 <BR />access-list inside_nat0_outbound extended permit ip 10.250.50.0 255.255.255.0 10.250.50.200 255.255.255.248 <BR />access-list inside_nat0_outbound extended permit ip host 192.168.1.254 192.168.1.180 255.255.255.252 <BR />access-list inside_nat0_outbound extended permit ip host 192.168.1.254 192.168.1.176 255.255.255.240 <BR />access-list inside_nat0_outbound extended permit ip host 192.168.1.254 192.168.1.240 255.255.255.240 <BR />access-list inside_nat0_outbound extended permit ip any 192.168.1.240 255.255.255.240 <BR />access-list inside_nat0_outbound extended permit ip any 192.168.1.192 255.255.255.224 <BR />access-list inside_nat0_outbound extended permit ip any 192.168.100.0 255.255.255.0 <BR />access-list BlaineCountyCourthouse_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0 <BR />access-list BlaineCountyCourthouse_splitTunnelAcl standard permit 192.168.100.0 255.255.255.0 <BR />access-list BC-Management_splitTunnelAcl standard permit 10.250.50.0 255.255.255.0 <BR />access-list Pioneer_splitTunnelAcl_1 standard permit host 192.168.1.254 <BR />access-list Pioneer_splitTunnelAcl_2 standard permit host 192.168.1.254 <BR />access-list Pioneer1_splitTunnelAcl standard permit any <BR />access-list Pioneer1_splitTunnelAcl_1 standard permit any <BR />access-list ASSR-TRSR_access_in extended permit ip any any <BR />access-list inside1_nat0_outbound extended permit ip any 192.168.0.0 255.255.254.0 <BR />pager lines 24<BR />logging enable<BR />logging asdm informational<BR />mtu outside 1500<BR />mtu inside 1500<BR />mtu ASSR-TRSR 1500<BR />ip local pool pioneer 192.168.1.200-192.168.1.210 mask 255.255.255.0<BR />no failover<BR />monitor-interface outside<BR />monitor-interface inside<BR />monitor-interface ASSR-TRSR<BR />icmp unreachable rate-limit 1 burst-size 1<BR />icmp permit any outside<BR />icmp permit any inside<BR />asdm image disk0:/asdm-524.bin<BR />no asdm history enable<BR />arp timeout 14400<BR />global (outside) 1 interface<BR />nat (inside) 0 access-list inside1_nat0_outbound<BR />nat (inside) 1 0.0.0.0 0.0.0.0<BR />nat (ASSR-TRSR) 0 access-list inside_nat0_outbound<BR />nat (ASSR-TRSR) 1 0.0.0.0 0.0.0.0<BR />static (inside,outside) tcp 64.250.198.161 ssh 192.168.1.254 ssh netmask 255.255.255.255 <BR />static (inside,outside) tcp interface ssh 192.168.100.1 ssh netmask 255.255.255.255 <BR />static (inside,outside) tcp interface 59002 192.168.1.15 59002 netmask 255.255.255.255 <BR />static (inside,outside) udp interface 59002 192.168.1.15 59002 netmask 255.255.255.255 <BR />static (inside,outside) tcp interface www 192.168.1.254 www netmask 255.255.255.255 <BR />static (inside,outside) tcp interface 3389 192.168.1.200 3389 netmask 255.255.255.255 <BR />static (inside,outside) tcp 64.250.198.161 pcanywhere-data 192.168.1.201 pcanywhere-data netmask 255.255.255.255 <BR />static (inside,outside) tcp interface 8080 192.168.1.254 8080 netmask 255.255.255.255 <BR />static (inside,outside) udp 64.250.198.161 pcanywhere-status 192.168.1.201 pcanywhere-status netmask 255.255.255.255 <BR />access-group 101 in interface outside<BR />access-group ASSR-TRSR_access_in in interface ASSR-TRSR<BR />route outside 0.0.0.0 0.0.0.0 64.250.198.1 1<BR />route inside 10.250.50.0 255.255.255.0 192.168.1.2 1<BR />timeout xlate 3:00:00<BR />timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02<BR />timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00<BR />timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00<BR />timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute<BR />aaa authentication enable console LOCAL <BR />aaa authentication ssh console LOCAL <BR />aaa authentication http console LOCAL <BR />aaa authentication serial console LOCAL <BR />aaa authentication telnet console LOCAL <BR />aaa authorization command LOCAL <BR />http server enable 444<BR />http 0.0.0.0 0.0.0.0 outside<BR />http 0.0.0.0 0.0.0.0 inside<BR />no snmp-server location<BR />no snmp-server contact<BR />snmp-server enable traps snmp authentication linkup linkdown coldstart<BR />crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac <BR />crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac <BR />crypto dynamic-map outside_dyn_map 20 set pfs <BR />crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5<BR />crypto dynamic-map outside_dyn_map 40 set pfs group1<BR />crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA<BR />crypto dynamic-map outside_dyn_map 60 set pfs group1<BR />crypto dynamic-map outside_dyn_map 60 set transform-set ESP-3DES-SHA<BR />crypto dynamic-map outside_dyn_map 80 set pfs group1<BR />crypto dynamic-map outside_dyn_map 80 set transform-set ESP-3DES-SHA<BR />crypto dynamic-map outside_dyn_map 100 set transform-set ESP-3DES-MD5<BR />crypto dynamic-map outside_dyn_map 120 set transform-set ESP-3DES-SHA<BR />crypto dynamic-map outside_dyn_map 140 set transform-set ESP-3DES-SHA<BR />crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map<BR />crypto map outside_map interface outside<BR />crypto isakmp enable outside<BR />crypto isakmp policy 10<BR /> authentication pre-share<BR /> encryption 3des<BR /> hash sha<BR /> group 2<BR /> lifetime 86400<BR />telnet 64.250.192.0 255.255.255.0 outside<BR />telnet 0.0.0.0 0.0.0.0 inside<BR />telnet timeout 5<BR />ssh 64.250.194.240 255.255.255.248 outside<BR />ssh 65.255.81.200 255.255.255.255 outside<BR />ssh 65.255.81.202 255.255.255.255 outside<BR />ssh 64.250.192.0 255.255.255.0 outside<BR />ssh 208.87.239.180 255.255.255.255 outside<BR />ssh 0.0.0.0 0.0.0.0 inside<BR />ssh timeout 5<BR />ssh version 2<BR />console timeout 0<BR />dhcpd dns 64.250.192.64 64.250.192.65<BR />!<BR />dhcpd address 192.168.1.50-192.168.1.175 inside<BR />dhcpd enable inside<BR />!<BR />dhcpd address 192.168.100.75-192.168.100.99 ASSR-TRSR<BR />dhcpd enable ASSR-TRSR<BR />!</P> <P>group-policy Pioneer internal<BR />group-policy Pioneer attributes<BR /> dns-server value 64.250.192.64 64.250.192.65<BR /> vpn-tunnel-protocol IPSec <BR /> split-tunnel-policy tunnelspecified<BR /> split-tunnel-network-list value Pioneer_splitTunnelAcl_2<BR />group-policy Pioneer_1 internal<BR />group-policy Pioneer_1 attributes<BR /> dns-server value 64.250.192.64 64.250.192.65<BR /> vpn-tunnel-protocol IPSec <BR />group-policy Pioneer1 internal<BR />group-policy Pioneer1 attributes<BR /> dns-server value 64.250.192.64 64.250.192.65<BR /> vpn-tunnel-protocol IPSec <BR /> split-tunnel-policy tunnelspecified<BR /> split-tunnel-network-list value Pioneer1_splitTunnelAcl<BR />group-policy Pioneer1_1 internal<BR />group-policy Pioneer1_1 attributes<BR /> dns-server value 64.250.192.64 64.250.192.65<BR /> vpn-tunnel-protocol IPSec <BR /> split-tunnel-policy tunnelspecified<BR /> split-tunnel-network-list value Pioneer1_splitTunnelAcl_1<BR />tunnel-group Pioneer1 type ipsec-ra<BR />tunnel-group Pioneer1 general-attributes<BR /> address-pool pioneer<BR /> default-group-policy Pioneer1_1<BR />tunnel-group Pioneer1 ipsec-attributes<BR /> pre-shared-key *<BR />!<BR />class-map inspection_default<BR /> match default-inspection-traffic<BR />!<BR />!<BR />policy-map type inspect dns preset_dns_map<BR /> parameters<BR /> message-length maximum 512<BR />policy-map global_policy<BR /> class inspection_default<BR /> inspect dns preset_dns_map <BR /> inspect ftp <BR /> inspect h323 h225 <BR /> inspect h323 ras <BR /> inspect rsh <BR /> inspect rtsp <BR /> inspect esmtp <BR /> inspect sqlnet <BR /> inspect skinny <BR /> inspect sunrpc <BR /> inspect xdmcp <BR /> inspect sip <BR /> inspect netbios <BR /> inspect tftp <BR />!<BR />service-policy global_policy global<BR />prompt hostname context <BR />Cryptochecksum:dd1e0721f6454745145f0dbf3612bff2<BR />: end</P> <P></P> <P>Result of the command: "sho run"</P> <P>: Saved<BR />:<BR />ASA Version 7.2(4) <BR />!<BR />hostname BlaineCountyASA<BR />domain-name default.domain.invalid<BR />enable password WhhvJPvpKzk5zzOx encrypted<BR />passwd bKTsJf.2KSXdgiJu encrypted<BR />names<BR />!<BR />interface Vlan1<BR /> no nameif<BR /> no security-level<BR /> no ip address<BR />!<BR />interface Vlan2<BR /> nameif outside<BR /> security-level 0<BR /> ip address 64.250.198.160 255.255.255.0 <BR />!<BR />interface Vlan4<BR /> nameif inside<BR /> security-level 100<BR /> ip address 192.168.1.1 255.255.254.0 <BR />!<BR />interface Vlan6<BR /> nameif ASSR-TRSR<BR /> security-level 100<BR /> ip address 192.168.100.2 255.255.255.0 <BR />!<BR />interface Ethernet0/0<BR /> switchport access vlan 2<BR />!<BR />interface Ethernet0/1<BR /> switchport access vlan 4<BR />!<BR />interface Ethernet0/2<BR /> switchport access vlan 4<BR />!<BR />interface Ethernet0/3<BR /> switchport access vlan 6<BR />!<BR />interface Ethernet0/4<BR /> switchport access vlan 3<BR />!<BR />interface Ethernet0/5<BR /> switchport access vlan 4<BR />!<BR />interface Ethernet0/6<BR /> switchport access vlan 4<BR />!<BR />interface Ethernet0/7<BR /> switchport access vlan 4<BR />!<BR />ftp mode passive<BR />clock timezone CST -6<BR />clock summer-time CDT recurring<BR />dns server-group DefaultDNS<BR /> domain-name default.domain.invalid<BR />same-security-traffic permit inter-interface<BR />same-security-traffic permit intra-interface<BR />object-group service PC_Anywhere tcp-udp<BR /> description PC Anywhere<BR /> port-object eq 5630<BR /> port-object eq 5631<BR />access-list 101 extended permit tcp host 64.250.192.5 any eq ssh <BR />access-list 101 extended permit tcp host 208.87.239.180 any eq ssh <BR />access-list 101 extended permit tcp host 65.255.81.200 any eq ssh inactive <BR />access-list 101 extended permit tcp host 65.255.81.202 any eq ssh inactive <BR />access-list 101 extended permit tcp any any eq www <BR />access-list 101 extended permit tcp any any eq 59002 <BR />access-list 101 extended permit udp any any eq 59002 <BR />access-list 101 extended permit ip any host 64.250.198.162 inactive <BR />access-list 101 extended permit tcp any any eq 3389 <BR />access-list 101 extended permit tcp any host 64.250.198.161 eq pcanywhere-data <BR />access-list 101 extended permit tcp 64.250.194.240 255.255.255.248 any eq telnet <BR />access-list 101 extended permit ip any any <BR />access-list 101 extended permit tcp host 64.250.192.5 any eq 8080 <BR />access-list 101 extended permit tcp host 64.250.192.5 any eq telnet <BR />access-list Pioneer_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0 <BR />access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.254.0 192.168.1.180 255.255.255.252 <BR />access-list inside_nat0_outbound extended permit ip 10.250.50.0 255.255.255.0 10.250.50.200 255.255.255.248 <BR />access-list inside_nat0_outbound extended permit ip host 192.168.1.254 192.168.1.180 255.255.255.252 <BR />access-list inside_nat0_outbound extended permit ip host 192.168.1.254 192.168.1.176 255.255.255.240 <BR />access-list inside_nat0_outbound extended permit ip host 192.168.1.254 192.168.1.240 255.255.255.240 <BR />access-list inside_nat0_outbound extended permit ip any 192.168.1.240 255.255.255.240 <BR />access-list inside_nat0_outbound extended permit ip any 192.168.1.192 255.255.255.224 <BR />access-list inside_nat0_outbound extended permit ip any 192.168.100.0 255.255.255.0 <BR />access-list BlaineCountyCourthouse_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0 <BR />access-list BlaineCountyCourthouse_splitTunnelAcl standard permit 192.168.100.0 255.255.255.0 <BR />access-list BC-Management_splitTunnelAcl standard permit 10.250.50.0 255.255.255.0 <BR />access-list Pioneer_splitTunnelAcl_1 standard permit host 192.168.1.254 <BR />access-list Pioneer_splitTunnelAcl_2 standard permit host 192.168.1.254 <BR />access-list Pioneer1_splitTunnelAcl standard permit any <BR />access-list Pioneer1_splitTunnelAcl_1 standard permit any <BR />access-list ASSR-TRSR_access_in extended permit ip any any <BR />access-list inside1_nat0_outbound extended permit ip any 192.168.0.0 255.255.254.0 <BR />pager lines 24<BR />logging enable<BR />logging asdm informational<BR />mtu outside 1500<BR />mtu inside 1500<BR />mtu ASSR-TRSR 1500<BR />ip local pool pioneer 192.168.1.200-192.168.1.210 mask 255.255.255.0<BR />no failover<BR />monitor-interface outside<BR />monitor-interface inside<BR />monitor-interface ASSR-TRSR<BR />icmp unreachable rate-limit 1 burst-size 1<BR />icmp permit any outside<BR />icmp permit any inside<BR />asdm image disk0:/asdm-524.bin<BR />no asdm history enable<BR />arp timeout 14400<BR />global (outside) 1 interface<BR />nat (inside) 0 access-list inside1_nat0_outbound<BR />nat (inside) 1 0.0.0.0 0.0.0.0<BR />nat (ASSR-TRSR) 0 access-list inside_nat0_outbound<BR />nat (ASSR-TRSR) 1 0.0.0.0 0.0.0.0<BR />static (inside,outside) tcp 64.250.198.161 ssh 192.168.1.254 ssh netmask 255.255.255.255 <BR />static (inside,outside) tcp interface ssh 192.168.100.1 ssh netmask 255.255.255.255 <BR />static (inside,outside) tcp interface 59002 192.168.1.15 59002 netmask 255.255.255.255 <BR />static (inside,outside) udp interface 59002 192.168.1.15 59002 netmask 255.255.255.255 <BR />static (inside,outside) tcp interface www 192.168.1.254 www netmask 255.255.255.255 <BR />static (inside,outside) tcp interface 3389 192.168.1.200 3389 netmask 255.255.255.255 <BR />static (inside,outside) tcp 64.250.198.161 pcanywhere-data 192.168.1.201 pcanywhere-data netmask 255.255.255.255 <BR />static (inside,outside) tcp interface 8080 192.168.1.254 8080 netmask 255.255.255.255 <BR />static (inside,outside) udp 64.250.198.161 pcanywhere-status 192.168.1.201 pcanywhere-status netmask 255.255.255.255 <BR />access-group 101 in interface outside<BR />access-group ASSR-TRSR_access_in in interface ASSR-TRSR<BR />route outside 0.0.0.0 0.0.0.0 64.250.198.1 1<BR />route inside 10.250.50.0 255.255.255.0 192.168.1.2 1<BR />timeout xlate 3:00:00<BR />timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02<BR />timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00<BR />timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00<BR />timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute<BR />aaa authentication enable console LOCAL <BR />aaa authentication ssh console LOCAL <BR />aaa authentication http console LOCAL <BR />aaa authentication serial console LOCAL <BR />aaa authentication telnet console LOCAL <BR />aaa authorization command LOCAL <BR />http server enable 444<BR />http 0.0.0.0 0.0.0.0 outside<BR />http 0.0.0.0 0.0.0.0 inside<BR />no snmp-server location<BR />no snmp-server contact<BR />snmp-server enable traps snmp authentication linkup linkdown coldstart<BR />crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac <BR />crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac <BR />crypto dynamic-map outside_dyn_map 20 set pfs <BR />crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5<BR />crypto dynamic-map outside_dyn_map 40 set pfs group1<BR />crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA<BR />crypto dynamic-map outside_dyn_map 60 set pfs group1<BR />crypto dynamic-map outside_dyn_map 60 set transform-set ESP-3DES-SHA<BR />crypto dynamic-map outside_dyn_map 80 set pfs group1<BR />crypto dynamic-map outside_dyn_map 80 set transform-set ESP-3DES-SHA<BR />crypto dynamic-map outside_dyn_map 100 set transform-set ESP-3DES-MD5<BR />crypto dynamic-map outside_dyn_map 120 set transform-set ESP-3DES-SHA<BR />crypto dynamic-map outside_dyn_map 140 set transform-set ESP-3DES-SHA<BR />crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map<BR />crypto map outside_map interface outside<BR />crypto isakmp enable outside<BR />crypto isakmp policy 10<BR /> authentication pre-share<BR /> encryption 3des<BR /> hash sha<BR /> group 2<BR /> lifetime 86400<BR />telnet 64.250.192.0 255.255.255.0 outside<BR />telnet 0.0.0.0 0.0.0.0 inside<BR />telnet timeout 5<BR />ssh 64.250.194.240 255.255.255.248 outside<BR />ssh 65.255.81.200 255.255.255.255 outside<BR />ssh 65.255.81.202 255.255.255.255 outside<BR />ssh 64.250.192.0 255.255.255.0 outside<BR />ssh 208.87.239.180 255.255.255.255 outside<BR />ssh 0.0.0.0 0.0.0.0 inside<BR />ssh timeout 5<BR />ssh version 2<BR />console timeout 0<BR />dhcpd dns 64.250.192.64 64.250.192.65<BR />!<BR />dhcpd address 192.168.1.50-192.168.1.175 inside<BR />dhcpd enable inside<BR />!<BR />dhcpd address 192.168.100.75-192.168.100.99 ASSR-TRSR<BR />dhcpd enable ASSR-TRSR<BR />!</P> <P>group-policy Pioneer internal<BR />group-policy Pioneer attributes<BR /> dns-server value 64.250.192.64 64.250.192.65<BR /> vpn-tunnel-protocol IPSec <BR /> split-tunnel-policy tunnelspecified<BR /> split-tunnel-network-list value Pioneer_splitTunnelAcl_2<BR />group-policy Pioneer_1 internal<BR />group-policy Pioneer_1 attributes<BR /> dns-server value 64.250.192.64 64.250.192.65<BR /> vpn-tunnel-protocol IPSec <BR />group-policy Pioneer1 internal<BR />group-policy Pioneer1 attributes<BR /> dns-server value 64.250.192.64 64.250.192.65<BR /> vpn-tunnel-protocol IPSec <BR /> split-tunnel-policy tunnelspecified<BR /> split-tunnel-network-list value Pioneer1_splitTunnelAcl<BR />group-policy Pioneer1_1 internal<BR />group-policy Pioneer1_1 attributes<BR /> dns-server value 64.250.192.64 64.250.192.65<BR /> vpn-tunnel-protocol IPSec <BR /> split-tunnel-policy tunnelspecified<BR /> split-tunnel-network-list value Pioneer1_splitTunnelAcl_1<BR />username guest password XCliFt2XshXZoRA9 encrypted<BR />username sposterholt password boIS4rk/El4peTMY encrypted privilege 15<BR />username jasanders password eoghszRiUaeEwUGS encrypted privilege 15<BR />username jfreherman password yf0ptveeGqORs3H3 encrypted privilege 15<BR />tunnel-group Pioneer1 type ipsec-ra<BR />tunnel-group Pioneer1 general-attributes<BR /> address-pool pioneer<BR /> default-group-policy Pioneer1_1<BR />tunnel-group Pioneer1 ipsec-attributes<BR /> pre-shared-key *<BR />!<BR />class-map inspection_default<BR /> match default-inspection-traffic<BR />!<BR />!<BR />policy-map type inspect dns preset_dns_map<BR /> parameters<BR /> message-length maximum 512<BR />policy-map global_policy<BR /> class inspection_default<BR /> inspect dns preset_dns_map <BR /> inspect ftp <BR /> inspect h323 h225 <BR /> inspect h323 ras <BR /> inspect rsh <BR /> inspect rtsp <BR /> inspect esmtp <BR /> inspect sqlnet <BR /> inspect skinny <BR /> inspect sunrpc <BR /> inspect xdmcp <BR /> inspect sip <BR /> inspect netbios <BR /> inspect tftp <BR />!<BR />service-policy global_policy global<BR />prompt hostname context <BR />Cryptochecksum:dd1e0721f6454745145f0dbf3612bff2<BR />: end</P> Tue, 12 Mar 2019 09:18:20 GMT https://community.cisco.com/t5/network-security/dynamic-nat-pat-problems/m-p/3027939#M135963 fisherman0302 2019-03-12T09:18:20Z Could you please attach a https://community.cisco.com/t5/network-security/dynamic-nat-pat-problems/m-p/3027940#M135964 <P>Could you please attach a packet-tracer output.</P> <P></P> <P>-</P> <P>AJ</P> Wed, 03 May 2017 12:44:42 GMT https://community.cisco.com/t5/network-security/dynamic-nat-pat-problems/m-p/3027940#M135964 Ajay Saini 2017-05-03T12:44:42Z Result of the command: https://community.cisco.com/t5/network-security/dynamic-nat-pat-problems/m-p/3027941#M135965 <P>Result of the command: "packet-tracer input inside rawip 192.168.1.5 80 192.168.100.5"</P> <P>Phase: 1<BR />Type: FLOW-LOOKUP<BR />Subtype: <BR />Result: ALLOW<BR />Config:<BR />Additional Information:<BR />Found no matching flow, creating a new flow</P> <P>Phase: 2<BR />Type: ROUTE-LOOKUP<BR />Subtype: input<BR />Result: ALLOW<BR />Config:<BR />Additional Information:<BR />in 192.168.100.0 255.255.255.0 ASSR-TRSR</P> <P>Phase: 3<BR />Type: ACCESS-LIST<BR />Subtype: <BR />Result: ALLOW<BR />Config:<BR />Implicit Rule<BR />Additional Information:</P> <P>Phase: 4<BR />Type: IP-OPTIONS<BR />Subtype: <BR />Result: ALLOW<BR />Config:<BR />Additional Information:</P> <P>Phase: 5<BR />Type: NAT<BR />Subtype: <BR />Result: DROP<BR />Config:<BR />nat (inside) 1 0.0.0.0 0.0.0.0<BR /> match ip inside any ASSR-TRSR any<BR /> dynamic translation to pool 1 (No matching global)<BR /> translate_hits = 3, untranslate_hits = 0<BR />Additional Information:</P> <P>Result:<BR />input-interface: inside<BR />input-status: up<BR />input-line-status: up<BR />output-interface: ASSR-TRSR<BR />output-status: up<BR />output-line-status: up<BR />Action: drop<BR />Drop-reason: (acl-drop) Flow is denied by configured rule</P> Wed, 03 May 2017 13:17:01 GMT https://community.cisco.com/t5/network-security/dynamic-nat-pat-problems/m-p/3027941#M135965 fisherman0302 2017-05-03T13:17:01Z Phase: 5Type: NATSubtype: https://community.cisco.com/t5/network-security/dynamic-nat-pat-problems/m-p/3027942#M135966 <P><STRONG>Phase: 5</STRONG><BR /><STRONG>Type: NAT</STRONG><BR /><STRONG>Subtype: </STRONG><BR /><STRONG>Result: DROP</STRONG><BR /><STRONG>Config:</STRONG><BR /><STRONG>nat (inside) 1 0.0.0.0 0.0.0.0</STRONG><BR /><STRONG>match ip inside any ASSR-TRSR any</STRONG><BR /><STRONG>dynamic translation to pool 1 (No matching global)</STRONG><BR /><STRONG>translate_hits = 3, untranslate_hits = 0</STRONG><BR /><STRONG>Additional Information:</STRONG></P> <P></P> <P></P> <P>Yeah, so here is the issue. We don't have global statement corresponding to NAT statement.&nbsp;</P> <P></P> <P>If you add below statement, it should work. This will PAT the source user to ASSR-TRSR interface while trying to access the 192.168.100.0/24 network.</P> <P><SPAN>global (ASSR-TRSR) 1 interface</SPAN></P> <P><SPAN></SPAN></P> <P><SPAN>HTH</SPAN></P> <P><SPAN>-AJ</SPAN></P> <P><SPAN></SPAN></P> Wed, 03 May 2017 13:21:06 GMT https://community.cisco.com/t5/network-security/dynamic-nat-pat-problems/m-p/3027942#M135966 Ajay Saini 2017-05-03T13:21:06Z here is the fail now on https://community.cisco.com/t5/network-security/dynamic-nat-pat-problems/m-p/3027943#M135967 <P>here is the fail now on packet tracer.</P> <P>Phase: 5<BR />Type: NAT<BR />Subtype: <BR />Result: DROP<BR />Config:<BR />nat (inside) 1 0.0.0.0 0.0.0.0<BR /> match ip inside any ASSR-TRSR any<BR /> dynamic translation to pool 1 (192.168.100.2 [Interface PAT])<BR /> translate_hits = 4, untranslate_hits = 0<BR />Additional Information:</P> Wed, 03 May 2017 13:24:58 GMT https://community.cisco.com/t5/network-security/dynamic-nat-pat-problems/m-p/3027943#M135967 fisherman0302 2017-05-03T13:24:58Z Could you please attach the https://community.cisco.com/t5/network-security/dynamic-nat-pat-problems/m-p/3027944#M135968 <P>Could you please attach the complete output.&nbsp;</P> Wed, 03 May 2017 13:31:48 GMT https://community.cisco.com/t5/network-security/dynamic-nat-pat-problems/m-p/3027944#M135968 Ajay Saini 2017-05-03T13:31:48Z Result of the command: https://community.cisco.com/t5/network-security/dynamic-nat-pat-problems/m-p/3027945#M135969 <P>Result of the command: "packet-tracer input inside rawip 192.168.1.5 80 192.168.100.5"</P> <P>Phase: 1<BR />Type: FLOW-LOOKUP<BR />Subtype: <BR />Result: ALLOW<BR />Config:<BR />Additional Information:<BR />Found no matching flow, creating a new flow</P> <P>Phase: 2<BR />Type: ROUTE-LOOKUP<BR />Subtype: input<BR />Result: ALLOW<BR />Config:<BR />Additional Information:<BR />in 192.168.100.0 255.255.255.0 ASSR-TRSR</P> <P>Phase: 3<BR />Type: ACCESS-LIST<BR />Subtype: <BR />Result: ALLOW<BR />Config:<BR />Implicit Rule<BR />Additional Information:</P> <P>Phase: 4<BR />Type: IP-OPTIONS<BR />Subtype: <BR />Result: ALLOW<BR />Config:<BR />Additional Information:</P> <P>Phase: 5<BR />Type: NAT<BR />Subtype: <BR />Result: DROP<BR />Config:<BR />nat (inside) 1 0.0.0.0 0.0.0.0<BR /> match ip inside any ASSR-TRSR any<BR /> dynamic translation to pool 1 (192.168.100.2 [Interface PAT])<BR /> translate_hits = 4, untranslate_hits = 0<BR />Additional Information:</P> <P>Result:<BR />input-interface: inside<BR />input-status: up<BR />input-line-status: up<BR />output-interface: ASSR-TRSR<BR />output-status: up<BR />output-line-status: up<BR />Action: drop<BR />Drop-reason: (acl-drop) Flow is denied by configured rule</P> Wed, 03 May 2017 13:33:24 GMT https://community.cisco.com/t5/network-security/dynamic-nat-pat-problems/m-p/3027945#M135969 fisherman0302 2017-05-03T13:33:24Z The NAT statements are kind https://community.cisco.com/t5/network-security/dynamic-nat-pat-problems/m-p/3027946#M135970 <P>The NAT statements are kind of strange and not sure what is the overall purpose. Looks like there is no NAT for the traffic coming from ASSR-TRSR to inside. For testing, could you please add below statement and let me know if it works:</P> <P></P> <P>static (ASSR-TRSR,inside) static 192.168.100.5 192.168.100.5</P> <P></P> <P>-</P> <P>AJ</P> Wed, 03 May 2017 13:50:00 GMT https://community.cisco.com/t5/network-security/dynamic-nat-pat-problems/m-p/3027946#M135970 Ajay Saini 2017-05-03T13:50:00Z We have a few nat statements https://community.cisco.com/t5/network-security/dynamic-nat-pat-problems/m-p/3027947#M135971 <P>We have a few nat statements for outside access back in. &nbsp;Pretty much all others were made in troubleshooting this issue of trying to get these networks to talk to each other. &nbsp;It is still failing. &nbsp;</P> <P></P> <P>Result of the command: "packet-tracer input inside rawip 192.168.1.5 80 192.168.100.5"</P> <P>Phase: 1<BR />Type: FLOW-LOOKUP<BR />Subtype: <BR />Result: ALLOW<BR />Config:<BR />Additional Information:<BR />Found no matching flow, creating a new flow</P> <P>Phase: 2<BR />Type: UN-NAT<BR />Subtype: static<BR />Result: ALLOW<BR />Config:<BR />static (ASSR-TRSR,inside) 192.168.100.5 192.168.100.5 netmask 255.255.255.255 <BR /> match ip ASSR-TRSR host 192.168.100.5 inside any<BR /> static translation to 192.168.100.5<BR /> translate_hits = 0, untranslate_hits = 1<BR />Additional Information:<BR />NAT divert to egress interface ASSR-TRSR<BR />Untranslate 192.168.100.5/0 to 192.168.100.5/0 using netmask 255.255.255.255</P> <P>Phase: 3<BR />Type: ACCESS-LIST<BR />Subtype: <BR />Result: ALLOW<BR />Config:<BR />Implicit Rule<BR />Additional Information:</P> <P>Phase: 4<BR />Type: IP-OPTIONS<BR />Subtype: <BR />Result: ALLOW<BR />Config:<BR />Additional Information:</P> <P>Phase: 5<BR />Type: NAT<BR />Subtype: <BR />Result: DROP<BR />Config:<BR />nat (inside) 1 0.0.0.0 0.0.0.0<BR /> match ip inside any ASSR-TRSR any<BR /> dynamic translation to pool 1 (192.168.100.2 [Interface PAT])<BR /> translate_hits = 5, untranslate_hits = 0<BR />Additional Information:</P> <P>Result:<BR />input-interface: inside<BR />input-status: up<BR />input-line-status: up<BR />output-interface: ASSR-TRSR<BR />output-status: up<BR />output-line-status: up<BR />Action: drop<BR />Drop-reason: (acl-drop) Flow is denied by configured rule</P> Wed, 03 May 2017 13:54:57 GMT https://community.cisco.com/t5/network-security/dynamic-nat-pat-problems/m-p/3027947#M135971 fisherman0302 2017-05-03T13:54:57Z If not needed, could you https://community.cisco.com/t5/network-security/dynamic-nat-pat-problems/m-p/3027948#M135972 <P>If not needed, could you please remove below NAT statements.</P> <P></P> <P><SPAN>nat (inside) 0 access-list inside1_nat0_outbound</SPAN><BR /><BR /><SPAN>nat (ASSR-TRSR) 0 access-list inside_nat0_outbound</SPAN></P> <P><SPAN></SPAN></P> <P><SPAN>Once done, please try to initiate a packet-tracer and let me know how it goes.</SPAN></P> <P><SPAN></SPAN></P> <P><SPAN>-AJ</SPAN></P> Wed, 03 May 2017 14:32:55 GMT https://community.cisco.com/t5/network-security/dynamic-nat-pat-problems/m-p/3027948#M135972 Ajay Saini 2017-05-03T14:32:55Z We get the same response- https://community.cisco.com/t5/network-security/dynamic-nat-pat-problems/m-p/3027949#M135973 <P>We get the same response-</P> <P>Phase: 1<BR />Type: FLOW-LOOKUP<BR />Subtype: <BR />Result: ALLOW<BR />Config:<BR />Additional Information:<BR />Found no matching flow, creating a new flow</P> <P>Phase: 2<BR />Type: UN-NAT<BR />Subtype: static<BR />Result: ALLOW<BR />Config:<BR />static (ASSR-TRSR,inside) 192.168.100.5 192.168.100.5 netmask 255.255.255.255 <BR />&nbsp; match ip ASSR-TRSR host 192.168.100.5 inside any<BR />&nbsp;&nbsp;&nbsp; static translation to 192.168.100.5<BR />&nbsp;&nbsp;&nbsp; translate_hits = 0, untranslate_hits = 1<BR />Additional Information:<BR />NAT divert to egress interface ASSR-TRSR<BR />Untranslate 192.168.100.5/0 to 192.168.100.5/0 using netmask 255.255.255.255</P> <P>Phase: 3<BR />Type: ACCESS-LIST<BR />Subtype: <BR />Result: ALLOW <BR />Config:<BR />Implicit Rule<BR />Additional Information:</P> <P>Phase: 4<BR />Type: IP-OPTIONS<BR />Subtype: <BR />Result: ALLOW<BR />Config:<BR />Additional Information:</P> <P>Phase: 5<BR />Type: NAT<BR />Subtype: <BR />Result: DROP<BR />Config:<BR />nat (inside) 1 0.0.0.0 0.0.0.0<BR />&nbsp; match ip inside any ASSR-TRSR any<BR />&nbsp;&nbsp;&nbsp; dynamic translation to pool 1 (No matching global)<BR />&nbsp;&nbsp;&nbsp; translate_hits = 308, untranslate_hits = 0<BR />Additional Information:</P> <P>Result:<BR />input-interface: inside<BR />input-status: up<BR />input-line-status: up<BR />output-interface: ASSR-TRSR<BR />output-status: up<BR />output-line-status: up<BR />Action: drop<BR />Drop-reason: (acl-drop) Flow is denied by configured rule</P> Wed, 03 May 2017 21:20:08 GMT https://community.cisco.com/t5/network-security/dynamic-nat-pat-problems/m-p/3027949#M135973 jasanders 2017-05-03T21:20:08Z Could you please make sure we https://community.cisco.com/t5/network-security/dynamic-nat-pat-problems/m-p/3027950#M135974 <P>Could you please make sure we also have in config:</P> <P></P> <P><SPAN>global (ASSR-TRSR) 1 interface</SPAN></P> <P><BR /><SPAN></SPAN></P> <P>-AJ</P> Thu, 04 May 2017 12:40:53 GMT https://community.cisco.com/t5/network-security/dynamic-nat-pat-problems/m-p/3027950#M135974 Ajay Saini 2017-05-04T12:40:53Z icmp permit any insideasdm https://community.cisco.com/t5/network-security/dynamic-nat-pat-problems/m-p/3027951#M135975 <P>icmp permit any inside<BR />asdm image disk0:/asdm-524.bin<BR />no asdm history enable<BR />arp timeout 14400<BR />global (outside) 1 interface<BR />global (ASSR-TRSR) 1 interface<BR />nat (inside) 1 0.0.0.0 0.0.0.0<BR />nat (ASSR-TRSR) 1 0.0.0.0 0.0.0.0</P> Thu, 04 May 2017 20:41:29 GMT https://community.cisco.com/t5/network-security/dynamic-nat-pat-problems/m-p/3027951#M135975 fisherman0302 2017-05-04T20:41:29Z Please run a packet-tracer https://community.cisco.com/t5/network-security/dynamic-nat-pat-problems/m-p/3027952#M135976 <P>Please run a packet-tracer and attach the complete output:</P> <P></P> <P><SPAN>packet-tracer input inside tcp 192.168.1.5 3344 192.168.100.5 80 det&nbsp;</SPAN></P> <P><SPAN></SPAN></P> <P><SPAN></SPAN></P> Thu, 04 May 2017 20:50:21 GMT https://community.cisco.com/t5/network-security/dynamic-nat-pat-problems/m-p/3027952#M135976 Ajay Saini 2017-05-04T20:50:21Z Result of the command: https://community.cisco.com/t5/network-security/dynamic-nat-pat-problems/m-p/3027953#M135977 <P>Result of the command: "packet-tracer input inside tcp 192.168.1.5 3344 192.168.100.5 80 det"</P> <P>Phase: 1<BR />Type: FLOW-LOOKUP<BR />Subtype: <BR />Result: ALLOW<BR />Config:<BR />Additional Information:<BR />Found no matching flow, creating a new flow</P> <P>Phase: 2<BR />Type: UN-NAT<BR />Subtype: static<BR />Result: ALLOW<BR />Config:<BR />static (ASSR-TRSR,inside) 192.168.100.5 192.168.100.5 netmask 255.255.255.255 <BR /> match ip ASSR-TRSR host 192.168.100.5 inside any<BR /> static translation to 192.168.100.5<BR /> translate_hits = 0, untranslate_hits = 5<BR />Additional Information:<BR />NAT divert to egress interface ASSR-TRSR<BR />Untranslate 192.168.100.5/0 to 192.168.100.5/0 using netmask 255.255.255.255</P> <P>Phase: 3<BR />Type: ACCESS-LIST<BR />Subtype: <BR />Result: ALLOW<BR />Config:<BR />Implicit Rule<BR />Additional Information:<BR /> Forward Flow based lookup yields rule:<BR /> in id=0x3ca63f8, priority=2, domain=permit, deny=false<BR /> hits=539, user_data=0x0, cs_id=0x0, flags=0x3000, protocol=0<BR /> src ip=0.0.0.0, mask=0.0.0.0, port=0<BR /> dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0</P> <P>Phase: 4<BR />Type: IP-OPTIONS<BR />Subtype: <BR />Result: ALLOW<BR />Config:<BR />Additional Information:<BR /> Forward Flow based lookup yields rule:<BR /> in id=0x3ca8700, priority=0, domain=permit-ip-option, deny=true<BR /> hits=7993885, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0<BR /> src ip=0.0.0.0, mask=0.0.0.0, port=0<BR /> dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0</P> <P>Phase: 5<BR />Type: NAT<BR />Subtype: <BR />Result: ALLOW<BR />Config:<BR />nat (inside) 1 0.0.0.0 0.0.0.0<BR /> match ip inside any ASSR-TRSR any<BR /> dynamic translation to pool 1 (192.168.100.2 [Interface PAT])<BR /> translate_hits = 312, untranslate_hits = 0<BR />Additional Information:<BR />Dynamic translate 192.168.1.5/3344 to 192.168.100.2/1024 using netmask 255.255.255.255<BR /> Forward Flow based lookup yields rule:<BR /> in id=0x44e48d8, priority=1, domain=nat, deny=false<BR /> hits=311, user_data=0x44e4868, cs_id=0x0, flags=0x0, protocol=0<BR /> src ip=0.0.0.0, mask=0.0.0.0, port=0<BR /> dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0</P> <P>Phase: 6<BR />Type: NAT<BR />Subtype: host-limits<BR />Result: ALLOW<BR />Config:<BR />nat (inside) 1 0.0.0.0 0.0.0.0<BR /> match ip inside any outside any<BR /> dynamic translation to pool 1 (64.250.198.160 [Interface PAT])<BR /> translate_hits = 5227811, untranslate_hits = 323804<BR />Additional Information:<BR /> Forward Flow based lookup yields rule:<BR /> in id=0x43f7c48, priority=1, domain=host, deny=false<BR /> hits=5385526, user_data=0x473c938, cs_id=0x0, reverse, flags=0x0, protocol=0<BR /> src ip=0.0.0.0, mask=0.0.0.0, port=0<BR /> dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0</P> <P>Phase: 7<BR />Type: NAT<BR />Subtype: rpf-check<BR />Result: ALLOW<BR />Config:<BR />static (ASSR-TRSR,inside) 192.168.100.5 192.168.100.5 netmask 255.255.255.255 <BR /> match ip ASSR-TRSR host 192.168.100.5 inside any<BR /> static translation to 192.168.100.5<BR /> translate_hits = 0, untranslate_hits = 5<BR />Additional Information:<BR /> Forward Flow based lookup yields rule:<BR /> out id=0x3c5ac28, priority=5, domain=nat-reverse, deny=false<BR /> hits=0, user_data=0x3c88f68, cs_id=0x0, flags=0x0, protocol=0<BR /> src ip=0.0.0.0, mask=0.0.0.0, port=0<BR /> dst ip=192.168.100.5, mask=255.255.255.255, port=0, dscp=0x0</P> <P>Phase: 8<BR />Type: NAT<BR />Subtype: host-limits<BR />Result: ALLOW<BR />Config:<BR />static (ASSR-TRSR,inside) 192.168.100.5 192.168.100.5 netmask 255.255.255.255 <BR /> match ip ASSR-TRSR host 192.168.100.5 inside any<BR /> static translation to 192.168.100.5<BR /> translate_hits = 0, untranslate_hits = 5<BR />Additional Information:<BR /> Reverse Flow based lookup yields rule:<BR /> in id=0x3d2bc08, priority=5, domain=host, deny=false<BR /> hits=5, user_data=0x3c88f68, cs_id=0x0, reverse, flags=0x0, protocol=0<BR /> src ip=192.168.100.5, mask=255.255.255.255, port=0<BR /> dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0</P> <P>Phase: 9<BR />Type: IP-OPTIONS<BR />Subtype: <BR />Result: ALLOW<BR />Config:<BR />Additional Information:<BR /> Reverse Flow based lookup yields rule:<BR /> in id=0x3cd76f8, priority=0, domain=permit-ip-option, deny=true<BR /> hits=3248330, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0<BR /> src ip=0.0.0.0, mask=0.0.0.0, port=0<BR /> dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0</P> <P>Phase: 10<BR />Type: FLOW-CREATION<BR />Subtype: <BR />Result: ALLOW<BR />Config:<BR />Additional Information:<BR />New flow created with id 12604650, packet dispatched to next module<BR />Module information for forward flow ...<BR />snp_fp_inspect_ip_options<BR />snp_fp_tcp_normalizer<BR />snp_fp_translate<BR />snp_fp_adjacency<BR />snp_fp_fragment<BR />snp_fp_tracer_drop<BR />snp_ifc_stat</P> <P>Module information for reverse flow ...<BR />snp_fp_inspect_ip_options<BR />snp_fp_translate<BR />snp_fp_tcp_normalizer<BR />snp_fp_adjacency<BR />snp_fp_fragment<BR />snp_fp_tracer_drop<BR />snp_ifc_stat</P> <P>Result:<BR />input-interface: inside<BR />input-status: up<BR />input-line-status: up<BR />output-interface: ASSR-TRSR<BR />output-status: up<BR />output-line-status: up<BR />Action: allow</P> <P></P> Thu, 04 May 2017 20:54:02 GMT https://community.cisco.com/t5/network-security/dynamic-nat-pat-problems/m-p/3027953#M135977 fisherman0302 2017-05-04T20:54:02Z This looks good. The actual https://community.cisco.com/t5/network-security/dynamic-nat-pat-problems/m-p/3027954#M135978 <P>This looks good. The actual traffic should work as well. I don't know what you tried earlier.</P> <P></P> <P>HTH</P> <P>-AJ</P> Thu, 04 May 2017 20:59:40 GMT https://community.cisco.com/t5/network-security/dynamic-nat-pat-problems/m-p/3027954#M135978 Ajay Saini 2017-05-04T20:59:40Z works from inside to ASSR but https://community.cisco.com/t5/network-security/dynamic-nat-pat-problems/m-p/3027955#M135979 <P>works from inside to ASSR but not the other way around.</P> <P>Result of the command: "packet-tracer input ASSR-TRSR tcp 192.168.100.5 3344 192.168.1.5 80 det"</P> <P>Phase: 1<BR />Type: FLOW-LOOKUP<BR />Subtype: <BR />Result: ALLOW<BR />Config:<BR />Additional Information:<BR />Found no matching flow, creating a new flow</P> <P>Phase: 2<BR />Type: ROUTE-LOOKUP<BR />Subtype: input<BR />Result: ALLOW<BR />Config:<BR />Additional Information:<BR />in 192.168.0.0 255.255.254.0 inside</P> <P>Phase: 3<BR />Type: ACCESS-LIST<BR />Subtype: log<BR />Result: ALLOW<BR />Config:<BR />access-group ASSR-TRSR_access_in in interface ASSR-TRSR<BR />access-list ASSR-TRSR_access_in extended permit ip any any <BR />Additional Information:<BR /> Forward Flow based lookup yields rule:<BR /> in id=0x3c77c08, priority=12, domain=permit, deny=false<BR /> hits=238742, user_data=0x3c84908, cs_id=0x0, flags=0x0, protocol=0<BR /> src ip=0.0.0.0, mask=0.0.0.0, port=0<BR /> dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0</P> <P>Phase: 4<BR />Type: IP-OPTIONS<BR />Subtype: <BR />Result: ALLOW<BR />Config:<BR />Additional Information:<BR /> Forward Flow based lookup yields rule:<BR /> in id=0x3cd76f8, priority=0, domain=permit-ip-option, deny=true<BR /> hits=3249053, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0<BR /> src ip=0.0.0.0, mask=0.0.0.0, port=0<BR /> dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0</P> <P>Phase: 5<BR />Type: NAT<BR />Subtype: <BR />Result: ALLOW<BR />Config:<BR />static (ASSR-TRSR,inside) 192.168.100.5 192.168.100.5 netmask 255.255.255.255 <BR /> match ip ASSR-TRSR host 192.168.100.5 inside any<BR /> static translation to 192.168.100.5<BR /> translate_hits = 4, untranslate_hits = 6<BR />Additional Information:<BR />Static translate 192.168.100.5/0 to 192.168.100.5/0 using netmask 255.255.255.255<BR /> Forward Flow based lookup yields rule:<BR /> in id=0x473dde8, priority=5, domain=nat, deny=false<BR /> hits=3, user_data=0x3c88f68, cs_id=0x0, flags=0x0, protocol=0<BR /> src ip=192.168.100.5, mask=255.255.255.255, port=0<BR /> dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0</P> <P>Phase: 6<BR />Type: NAT<BR />Subtype: host-limits<BR />Result: ALLOW<BR />Config:<BR />static (ASSR-TRSR,inside) 192.168.100.5 192.168.100.5 netmask 255.255.255.255 <BR /> match ip ASSR-TRSR host 192.168.100.5 inside any<BR /> static translation to 192.168.100.5<BR /> translate_hits = 4, untranslate_hits = 6<BR />Additional Information:<BR /> Forward Flow based lookup yields rule:<BR /> in id=0x3d2bc08, priority=5, domain=host, deny=false<BR /> hits=15, user_data=0x3c88f68, cs_id=0x0, reverse, flags=0x0, protocol=0<BR /> src ip=192.168.100.5, mask=255.255.255.255, port=0<BR /> dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0</P> <P>Phase: 7<BR />Type: NAT<BR />Subtype: rpf-check<BR />Result: DROP<BR />Config:<BR />nat (inside) 1 0.0.0.0 0.0.0.0<BR /> match ip inside any ASSR-TRSR any<BR /> dynamic translation to pool 1 (192.168.100.2 [Interface PAT])<BR /> translate_hits = 313, untranslate_hits = 0<BR />Additional Information:<BR /> Forward Flow based lookup yields rule:<BR /> out id=0x3d17d78, priority=1, domain=nat-reverse, deny=false<BR /> hits=392, user_data=0x44e4868, cs_id=0x0, flags=0x0, protocol=0<BR /> src ip=0.0.0.0, mask=0.0.0.0, port=0<BR /> dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0</P> <P>Result:<BR />input-interface: ASSR-TRSR<BR />input-status: up<BR />input-line-status: up<BR />output-interface: inside<BR />output-status: up<BR />output-line-status: up<BR />Action: drop<BR />Drop-reason: (acl-drop) Flow is denied by configured rule</P> <P></P> Thu, 04 May 2017 20:59:43 GMT https://community.cisco.com/t5/network-security/dynamic-nat-pat-problems/m-p/3027955#M135979 fisherman0302 2017-05-04T20:59:43Z Thats expected since that is https://community.cisco.com/t5/network-security/dynamic-nat-pat-problems/m-p/3027956#M135980 <P>Thats expected since that is a different requirement. If you need communication from both sides, we would need self NAT:</P> <P></P> <P>try below:</P> <P>no&nbsp;<SPAN>static (ASSR-TRSR,inside) 192.168.100.5 192.168.100.5 netmask 255.255.255.255 </SPAN></P> <P><SPAN>static (inside,ASSR-TRSR) 192.168.1.0 192.168.1.0 netmask 255.255.255.0</SPAN></P> <P><SPAN>static (ASSR-TRSR,inside) 192.168.100.0 192.168.100.0 netmask 255.255.255.0</SPAN></P> <P><SPAN></SPAN></P> <P><SPAN>-AJ</SPAN></P> <P><SPAN></SPAN></P> Fri, 05 May 2017 13:26:20 GMT https://community.cisco.com/t5/network-security/dynamic-nat-pat-problems/m-p/3027956#M135980 Ajay Saini 2017-05-05T13:26:20Z Looking better...we will https://community.cisco.com/t5/network-security/dynamic-nat-pat-problems/m-p/3027957#M135981 <P>Looking better...we will update. Thanks so much for your assistance. I have issues working with the older pre-8.3 NAT stuff...</P> <P></P> <P>Judith</P> <P></P> <P>BlaineCountyASA# packet-tracer input inside tcp 192.168.1.5 3344 192.168.100.5$</P> <P>Phase: 1<BR />Type: FLOW-LOOKUP<BR />Subtype: <BR />Result: ALLOW<BR />Config:<BR />Additional Information:<BR />Found no matching flow, creating a new flow</P> <P>Phase: 2<BR />Type: UN-NAT<BR />Subtype: static<BR />Result: ALLOW<BR />Config:<BR />static (ASSR-TRSR,inside) 192.168.100.0 192.168.100.0 netmask 255.255.255.0 <BR />&nbsp; match ip ASSR-TRSR 192.168.100.0 255.255.255.0 inside any<BR />&nbsp;&nbsp;&nbsp; static translation to 192.168.100.0<BR />&nbsp;&nbsp;&nbsp; translate_hits = 1, untranslate_hits = 1<BR />Additional Information:<BR />NAT divert to egress interface ASSR-TRSR<BR />Untranslate 192.168.100.0/0 to 192.168.100.0/0 using netmask 255.255.255.0</P> <P>Phase: 3<BR />Type: ACCESS-LIST<BR />Subtype: <BR />Result: ALLOW <BR />Config:<BR />Implicit Rule<BR />Additional Information:<BR />&nbsp;Forward Flow based lookup yields rule:<BR />&nbsp;in&nbsp; id=0x3ca63f8, priority=2, domain=permit, deny=false<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; hits=541, user_data=0x0, cs_id=0x0, flags=0x3000, protocol=0<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; src ip=0.0.0.0, mask=0.0.0.0, port=0<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0</P> <P>Phase: 4<BR />Type: IP-OPTIONS<BR />Subtype: <BR />Result: ALLOW<BR />Config:<BR />Additional Information:<BR />&nbsp;Forward Flow based lookup yields rule:<BR />&nbsp;in&nbsp; id=0x3ca8700, priority=0, domain=permit-ip-option, deny=true<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; hits=8040721, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; src ip=0.0.0.0, mask=0.0.0.0, port=0<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0</P> <P>Phase: 5<BR />Type: NAT<BR />Subtype:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <BR />Result: ALLOW<BR />Config:<BR />static (inside,ASSR-TRSR) 192.168.1.0 192.168.1.0 netmask 255.255.255.0 <BR />&nbsp; match ip inside 192.168.1.0 255.255.255.0 ASSR-TRSR any<BR />&nbsp;&nbsp;&nbsp; static translation to 192.168.1.0<BR />&nbsp;&nbsp;&nbsp; translate_hits = 1, untranslate_hits = 1<BR />Additional Information:<BR />Static translate 192.168.1.0/0 to 192.168.1.0/0 using netmask 255.255.255.0<BR />&nbsp;Forward Flow based lookup yields rule:<BR />&nbsp;in&nbsp; id=0x4490050, priority=5, domain=nat, deny=false<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; hits=0, user_data=0x44e24f8, cs_id=0x0, flags=0x0, protocol=0<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; src ip=192.168.1.0, mask=255.255.255.0, port=0<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0</P> <P>Phase: 6<BR />Type: NAT<BR />Subtype: host-limits<BR />Result: ALLOW<BR />Config:<BR />static (inside,ASSR-TRSR) 192.168.1.0 192.168.1.0 netmask 255.255.255.0 <BR />&nbsp; match ip inside 192.168.1.0 255.255.255.0 ASSR-TRSR any<BR />&nbsp;&nbsp;&nbsp; static translation to 192.168.1.0<BR />&nbsp;&nbsp;&nbsp; translate_hits = 1, untranslate_hits = 1<BR />Additional Information:<BR />&nbsp;Forward Flow based lookup yields rule:<BR />&nbsp;in&nbsp; id=0x455df08, priority=5, domain=host, deny=false<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; hits=115, user_data=0x44e24f8, cs_id=0x0, reverse, flags=0x0, protocol=0<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; src ip=192.168.1.0, mask=255.255.255.0, port=0<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0</P> <P>Phase: 7<BR />Type: NAT<BR />Subtype: rpf-check<BR />Result: ALLOW<BR />Config:<BR />static (ASSR-TRSR,inside) 192.168.100.0 192.168.100.0 netmask 255.255.255.0 <BR />&nbsp; match ip ASSR-TRSR 192.168.100.0 255.255.255.0 inside any<BR />&nbsp;&nbsp;&nbsp; static translation to 192.168.100.0<BR />&nbsp;&nbsp;&nbsp; translate_hits = 1, untranslate_hits = 1<BR />Additional Information:<BR />&nbsp;Forward Flow based lookup yields rule:<BR />&nbsp;out id=0x4777290, priority=5, domain=nat-reverse, deny=false<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; hits=0, user_data=0x3c79b88, cs_id=0x0, flags=0x0, protocol=0<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; src ip=0.0.0.0, mask=0.0.0.0, port=0<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; dst ip=192.168.100.0, mask=255.255.255.0, port=0, dscp=0x0</P> <P>Phase: 8<BR />Type: NAT&nbsp;&nbsp;&nbsp;&nbsp; <BR />Subtype: host-limits<BR />Result: ALLOW<BR />Config:<BR />static (ASSR-TRSR,inside) 192.168.100.0 192.168.100.0 netmask 255.255.255.0 <BR />&nbsp; match ip ASSR-TRSR 192.168.100.0 255.255.255.0 inside any<BR />&nbsp;&nbsp;&nbsp; static translation to 192.168.100.0<BR />&nbsp;&nbsp;&nbsp; translate_hits = 1, untranslate_hits = 1<BR />Additional Information:<BR />&nbsp;Reverse Flow based lookup yields rule:<BR />&nbsp;in&nbsp; id=0x454cae8, priority=5, domain=host, deny=false<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; hits=8, user_data=0x3c79b88, cs_id=0x0, reverse, flags=0x0, protocol=0<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; src ip=192.168.100.0, mask=255.255.255.0, port=0<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0</P> <P>Phase: 9<BR />Type: IP-OPTIONS<BR />Subtype: <BR />Result: ALLOW<BR />Config:<BR />Additional Information:<BR />&nbsp;Reverse Flow based lookup yields rule:<BR />&nbsp;in&nbsp; id=0x3cd76f8, priority=0, domain=permit-ip-option, deny=true<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; hits=3266191, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; src ip=0.0.0.0, mask=0.0.0.0, port=0<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0</P> <P>Phase: 10<BR />Type: FLOW-CREATION<BR />Subtype: <BR />Result: ALLOW<BR />Config:<BR />Additional Information:<BR />New flow created with id 12676367, packet dispatched to next module<BR />Module information for forward flow ...<BR />snp_fp_inspect_ip_options<BR />snp_fp_tcp_normalizer<BR />snp_fp_translate<BR />snp_fp_adjacency<BR />snp_fp_fragment<BR />snp_fp_tracer_drop<BR />snp_ifc_stat</P> <P>Module information for reverse flow ...<BR />snp_fp_inspect_ip_options<BR />snp_fp_translate<BR />snp_fp_tcp_normalizer<BR />snp_fp_adjacency<BR />snp_fp_fragment<BR />snp_fp_tracer_drop<BR />snp_ifc_stat</P> <P>Result:<BR />input-interface: inside<BR />input-status: up<BR />input-line-status: up<BR />output-interface: ASSR-TRSR<BR />output-status: up<BR />output-line-status</P> Fri, 05 May 2017 13:55:34 GMT https://community.cisco.com/t5/network-security/dynamic-nat-pat-problems/m-p/3027957#M135981 jasanders 2017-05-05T13:55:34Z Glad to help. Please rate and https://community.cisco.com/t5/network-security/dynamic-nat-pat-problems/m-p/3027958#M135982 <P>Glad to help. Please rate and mark answer as correct if it helped.</P> <P></P> <P>-AJ</P> Fri, 05 May 2017 16:20:58 GMT https://community.cisco.com/t5/network-security/dynamic-nat-pat-problems/m-p/3027958#M135982 Ajay Saini 2017-05-05T16:20:58Z