topic Cisco ASA (8.6) pat-pool not working for dynamic NAT. in Network Security

Cisco ASA (8.6) pat-pool not working for dynamic NAT.

ashabe003 — Tue, 12 Mar 2019 07:02:15 GMT

In Cisco ASA (5515, 8.6), NAT is working only for outside interface but when I configured NAT using Public-IP pool, it didn’t translate the local IP.

Like –

interface GigabitEthernet0 
nameif inside 
security-level 100
ip address 10.10.10.1 255.255.255.252
!
interface GigabitEthernet1
 nameif outside
 security-level 0
ip address 120.122.50.2 255.255.255.252
!
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
!
object network LAN-USER 
range 192.168.150.0 192.168.150.100
!
object network Public-IP-Pool
range 110.80.20.2 110.80.20.3
!
access-list OUT-IN extended permit ip any any
access-list IN-OUT extended permit ip any any
!
access-group IN-OUT in interface inside
access-group OUT-IN in interface outside
!
route outside 0.0.0.0 0.0.0.0 120.122.50.1
route inside 192.168.150.0 255.255.255.0 10.10.10.2
!
nat (inside,outside) source dynamic LAN-USER interface
!

Above NAT configuration is working fine but when try to use Public-IP pool its not working, like -

nat (inside,outside) source dynamic LAN-USER pat-pool Public-IP-Pool

Troubleshooting steps was –

Remove existing NAT –

no nat (inside,outside) source dynamic LAN-USER interface
clear xlate
nat (inside,outside) source dynamic LAN-USER pat-pool Public-IP-Pool

Also tried,

object network LAN-USER
range 192.168.150.0 192.168.150.100
!
object network Public-IP
host 110.80.20.4
!
nat (inside,outside) source dynamic LAN-USER Public-IP

Above configuration also not working.

Run packet-tracer command, showed all phase allowed.

Any help would be greatly appreciated.

Thanks in advance.

Hi,

Shivapramod M — Wed, 16 Dec 2015 01:24:34 GMT

Hi,

This does not look like the configuration issue,

Can you provide the output of the packet tracer which is taken on CLI.

-packet-tracer in inside icmp 192.168.150.10 8 0 4.2.2.2 det

Also provide the output of the "show xlate"

Are you seeing any log in ASDM when you initiate the traffic from 192.168.150.0 subnet?

You can try to take the capture on inside and outside interface using real traffic to verify whether the ASA is passing the traffic or not.

cap capin int insde match icmp host <source IP> host <dest IP>

cap capout int outside match icmp any host <dest IP>

to view the captures "show cap capin" and "show cap capout"

Thanks,
Shivapramod M
Please remember to select a correct answer and rate helpful posts

Hi,

Akshay Rastogi — Wed, 16 Dec 2015 05:38:11 GMT

Hi,

Please run the below command :

conf t)#arp permit-nonconnected

This command was added from version 8.4.5 for permitting arp request coming for non connected subnet:

http://www.cisco.com/c/en/us/td/docs/security/asa/asa-command-reference/A-H/cmdref1/a3.html#pgfId-1837762

The pool you are using for dynamic nat is in different subnet than Outside interface. You ASA Outside interface would not respond to the ARP query coming from Upstream Device.

Hope it helps.

Regards,

Akshay Rastogi

Remember to rate helpful posts.

Hi Shivapramod M,

ashabe003 — Wed, 16 Dec 2015 05:38:37 GMT

Hi Shivapramod M,

Thanks for your response.

Please find the attached file of packet-tracer output.

I apologize; I’m currently out of the office. Later I’ll provide you the “show xlate” output.

In time of initiate the traffic from 192.168.150.0 subnet, got ASDM log like –

“ Deny TCP reverse path check from 192.168.150.2 to 8.8.8.8 on interface outside “

Hi

ashabe003 — Thu, 17 Dec 2015 09:17:41 GMT

Please find the attached logs file.

And this time didn’t find any ASDM log.

Thanks.

Hi ,

ashabe003 — Thu, 17 Dec 2015 09:21:23 GMT

Hi ,

(conf ig)#arp permit-nonconnected

This command is not working in my ASA (8.6). I think its not ARP related issue because dynamic NAT translation is working for interface like –

# nat (inside,outside) source dynamic LAN-USER interface

But not working for Public-IP-Pool or single Public-IP. Configured that Public –IP in workstation which want to use for NAT translate and its working.

Thanks.

Hi,

Shivapramod M — Thu, 17 Dec 2015 09:31:07 GMT

Hi,

It looks like the response is not coming back to ASA. The ICMp request is correctly transmitting by ASA with the correct NAT address but there is no response.

Even if the firewall is dropping we should see the packets in the capture. Usually only hardware drops on the interface will not be captured in the capture. You may have to check the upstream devices.

Since the PAT IP does not belong to the same subnet as the firewall interface this might be ARP issue. The command arp permit-nonconnected is not available in 8.6

http://www.cisco.com/c/en/us/td/docs/security/asa/asa84/configuration/guide/asa_84_cli_config/intro_intro.html#wp1325357

You can try to configure the NAT with the interface IP, if this works then it should be issue about arp itself and you may have to upgrade the device

object network LAN-USER
 nat (inside,outside) dynamic interface

Thanks,
Shivapramod M
Please remember to select a correct answer and rate helpful posts

Hi,

ashabe003 — Thu, 17 Dec 2015 10:43:12 GMT

Hi,

I already mention that NAT is working with interface IP for LAN-USER object but I want to use PAT IP or single Public IP for NAT translates.

I omitted point to point subnet IP and used same subnet for both interface and PAT IP but same result as before, dynamic interface is working but not PAT IP.

Maybe need to check the upstream devices.

Thanks a lot for your time.

Hi,

Akshay Rastogi — Thu, 17 Dec 2015 14:46:28 GMT

Hi,

It is an arp issue with mapped ip not in the same subnet as outside interface. Please add the route on next hop router for this mapped ip pointing towards ASA outside interface IP. It is an ARP issue. The next hop has no arp entry or route to send the packet back to ASA.

Hope it helps.

Regards,

Akshay Rastogi