Cisco ASA v8.2(4) - No matching global NAT problem.

Daave2016 — Tue, 12 Mar 2019 07:23:58 GMT

Hello,

I am new in Cisco ASA Firewalls. Now I'm using Cisco ASA with IOS Version 8.2(4). Appliance is configured and properly working, but I need to make some configuration changes. I want to allow communication between VLANs: 80 (emp) and 101 (storage). To do that I have put following command to avoid translation between VLANs:

static (emp,storage) 10.1.8.0 10.1.8.0 netmask 255.255.255.0

but it doesn't work:

# packet-tracer input emp tcp 10.1.8.10 www 172.16.0.254 www

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   172.16.0.0      255.255.255.0   storage

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group emp_acl in interface emp
access-list emp_acl extended permit ip 10.1.8.0 255.255.255.0 any
Additional Information:

Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 4
Type: FOVER
Subtype: standby-update
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: NAT
Subtype:
Result: ALLOW
Config:
static (emp,storage) 10.1.8.0 10.1.8.0 netmask 255.255.255.0
match ip emp 10.1.8.0 255.255.255.0 storage any
    static translation to 10.1.8.0
    translate_hits = 131, untranslate_hits = 19
Additional Information:
Static translate 10.1.8.0/0 to 10.1.8.0/0 using netmask 255.255.255.0

Phase: 6
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (emp,BMS) 10.1.8.0 10.1.8.0 netmask 255.255.255.0
match ip emp 10.1.8.0 255.255.255.0 BMS any
    static translation to 10.1.8.0
    translate_hits = 3187127, untranslate_hits = 3209014
Additional Information:

Phase: 7
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
nat (storage) 1 172.16.0.0 255.255.255.0
match ip storage 172.16.0.0 255.255.255.0 emp any
    dynamic translation to pool 1 (No matching global)
    translate_hits = 3, untranslate_hits = 0
Additional Information:

Result:
input-interface: emp
input-status: up
input-line-status: up
output-interface: storage
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

---

I am confused because communication between VLANs 100 and 101 occurs:

# packet-tracer input mgm tcp 10.1.10.200 www 172.16.0.254 www

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   172.16.0.0      255.255.255.0   storage

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group mgm_acl in interface mgm
access-list mgm_acl extended permit ip 10.1.10.0 255.255.255.0 any
Additional Information:

Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 4
Type: FOVER
Subtype: standby-update
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: NAT
Subtype:
Result: ALLOW
Config:
static (mgm,storage) 10.1.10.0 10.1.10.0 netmask 255.255.255.0
match ip mgm 10.1.10.0 255.255.255.0 storage any
    static translation to 10.1.10.0
    translate_hits = 2413235, untranslate_hits = 219750
Additional Information:
Static translate 10.1.10.0/0 to 10.1.10.0/0 using netmask 255.255.255.0

Phase: 6
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (mgm,DNS) 10.1.10.0 10.1.10.0 netmask 255.255.255.0
match ip mgm 10.1.10.0 255.255.255.0 DNS any
    static translation to 10.1.10.0
    translate_hits = 0, untranslate_hits = 0
Additional Information:

Phase: 7
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (storage,BMS) 172.16.0.0 172.16.0.0 netmask 255.255.255.0
match ip storage 172.16.0.0 255.255.255.0 BMS any
    static translation to 172.16.0.0
    translate_hits = 66, untranslate_hits = 1138372
Additional Information:

Phase: 8
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 9
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 287955213, packet dispatched to next module

Result:
input-interface: mgm
input-status: up
input-line-status: up
output-interface: storage
output-status: up
output-line-status: up
Action: allow

---

Current config below:

!
interface GigabitEthernet0/1.80
vlan 80
nameif emp
security-level 90
ip address 10.1.8.1 255.255.255.0 standby 10.1.8.2
!
interface GigabitEthernet0/1.100
vlan 100
nameif mgm
security-level 100
ip address 10.1.10.1 255.255.255.0 standby 10.1.10.2
!
interface GigabitEthernet0/1.101
vlan 101
nameif storage
security-level 91
ip address 172.16.0.1 255.255.255.0 standby 172.16.0.2
!
...
!
global (outside) 1 XX.YY.ZZ.238
global (outside) 2 XX.YY.ZZ.237
global (outside) 3 XX.YY.ZZ.236
global (outside) 4 XX.YY.ZZ.235
global (outside) 5 XX.YY.ZZ.100
global (outside) 6 XX.YY.ZZ.160
global (outside) 7 192.168.1.10
global (outside) 8 XX.YY.ZZ.112
nat (BMS) 0 access-list r-vpn
nat (BMS) 1 10.1.0.0 255.255.254.0
nat (blue) 5 10.1.2.0 255.255.255.0
nat (grey) 8 10.1.12.0 255.255.255.0
nat (parking) 3 10.44.9.0 255.255.255.0
nat (emp) 0 access-list r-vpn
nat (emp) 6 10.1.8.0 255.255.255.0
nat (mgm) 2 10.1.10.0 255.255.255.0
nat (storage) 1 172.16.0.0 255.255.255.0
!
...
!
static (mgm,storage) 10.1.10.0 10.1.10.0 netmask 255.255.255.0
static (emp,storage) 10.1.8.0 10.1.8.0 netmask 255.255.255.0
!
...

---

What should I do?
Modify: nat (storage) 1 172.16.0.0 255.255.255.0 or increase VLANs 80 security-level to 91?

I am assuming you have NAT

Marius Gunnerud — Thu, 25 Feb 2016 11:51:48 GMT

I am assuming you have NAT control configure?

show run nat-control

I would suggest either disabling nat-control or adding a nat 0 statement for the storage interface.

Personally I would disable nat-control.

raising the security level will not have any effect in this situation. And if you have access-lists configured on the interfaces the security levels are not even used.

Please remember to select a correct answer and rate helpful posts

Hello Marius,

Daave2016 — Thu, 25 Feb 2016 11:56:52 GMT

Hello Marius,

Thank you for the response.

The nat-control is disabled:

ASA-5520-1p2-CORE# show run nat-control
no nat-control

So the only way is to add nat 0 statement for the storage interface?

Why I don't have any problems with communication between mgm and storage?

topic Hello Marius, in Network Security

Cisco ASA v8.2(4) - No matching global NAT problem.

I am assuming you have NAT

Hello Marius,