https://community.cisco.com/t5/network-security/dynamic-nat-on-asa-8-2/m-p/1842023#M459187 <HTML><HEAD></HEAD><BODY><P>Hello Jason,</P><P></P><P>As I can see on the first post, You want to be able to go to the outside:</P><P></P><P>So on the No_nat rules you only need the networks for the VPN, nothing more. </P><P></P><P><SPAN style="text-decoration: underline;"><STRONG>Also&nbsp; <SPAN style="background-color: #ffffff; font-family: Arial, verdana, sans-serif; font-size: 12px;">access-list Inside_nat0_outbound extended permit ip 172.18.170.0 255.255.255.0 4.28.x.x 255.255.255.252</SPAN></STRONG></SPAN></P><P style="background-color: #ffffff; border-collapse: collapse; font-size: 12px; list-style-type: none; font-family: Arial, verdana, sans-serif;"><SPAN style="text-decoration: underline;"><STRONG>is the network for my ISP</STRONG></SPAN></P><P></P><P>Why are you doing that??? I mean traffic should get nat it, dont you think-</P></BODY></HTML> Sat, 18 Feb 2012 03:23:19 GMT Julio Carvajal 2012-02-18T03:23:19Z https://community.cisco.com/t5/network-security/dynamic-nat-on-asa-8-2/m-p/1842020#M459182 <P>I can't figure out why the ASA cannot send traffic to the internet with the below config. What did I do wrong?</P><P></P><P>interface Ethernet0/0</P><P> nameif Outside</P><P> security-level 0</P><P> ip address 4.28.x.x 255.255.255.252</P><P>!</P><P>interface Ethernet0/3</P><P> nameif Inside</P><P> security-level 100</P><P> ip address 172.18.170.1 255.255.255.0</P><P></P><P>access-list VibraRemote_splitTunnelAcl standard permit 172.18.170.0 255.255.255.0</P><P>access-list Inside_nat0_outbound extended permit ip 172.18.170.0 255.255.255.0 Level3-SIP 255.255.255.0</P><P>access-list Inside_nat0_outbound extended permit ip Level3-SIP 255.255.255.0 172.18.170.0 255.255.255.0</P><P>access-list Inside_nat0_outbound extended permit ip 172.18.170.0 255.255.255.0 4.28.x.x 255.255.255.252</P><P>access-list Inside_nat0_outbound extended permit ip 172.18.170.0 255.255.255.0 172.18.170.0 255.255.255.0</P><P>access-list Inside_nat0_outbound extended permit ip 172.18.170.0 255.255.255.0 Corporate 255.255.255.0</P><P>access-list Inside_nat0_outbound extended permit ip 172.18.170.0 255.255.255.0 Poway 255.255.255.0</P><P>access-list Inside_nat0_outbound extended permit ip 172.18.170.0 255.255.255.0 LaSierra 255.255.255.0</P><P>access-list Inside_nat0_outbound extended permit ip 172.18.170.0 255.255.255.0 Fontana 255.255.255.0</P><P>access-list Inside_nat0_outbound extended permit ip 172.18.170.0 255.255.255.0 MorenoValley 255.255.255.0</P><P>access-list Inside_nat0_outbound extended permit ip 172.18.170.0 255.255.255.0 Woodcrest 255.255.255.0</P><P>access-list Inside_nat0_outbound extended permit ip 172.18.170.0 255.255.255.0 HighDesert 255.255.255.0</P><P>access-list Inside_nat0_outbound extended permit ip 172.18.170.0 255.255.255.0 172.18.193.0 255.255.255.0</P><P>access-list Inside_nat0_outbound extended permit ip 172.18.170.0 255.255.255.0 Westminster 255.255.255.0</P><P>access-list Inside_nat0_outbound extended permit ip 172.18.170.0 255.255.255.0 Lakewood 255.255.255.0</P><P></P><P>global (Outside) 1 interface</P><P>nat (Inside) 0 access-list Inside_nat0_outbound</P><P>nat (Inside) 1 0.0.0.0 0.0.0.0</P><P>route Outside 0.0.0.0 0.0.0.0 4.28.x.x 1</P><P>route Inside Level3-SIP 255.255.255.0 172.18.170.3 1</P> Mon, 11 Mar 2019 22:31:38 GMT https://community.cisco.com/t5/network-security/dynamic-nat-on-asa-8-2/m-p/1842020#M459182 jasonww04 2019-03-11T22:31:38Z https://community.cisco.com/t5/network-security/dynamic-nat-on-asa-8-2/m-p/1842021#M459183 <HTML><HEAD></HEAD><BODY><P>Are there any NAT 0 access lists that specify the destination you're tryin to reach?&nbsp; The PAT configuration is correct.&nbsp; Try a packet tracer and see what NAT configurations it hits </P></BODY></HTML> Fri, 17 Feb 2012 19:18:58 GMT https://community.cisco.com/t5/network-security/dynamic-nat-on-asa-8-2/m-p/1842021#M459183 Patrick0711 2012-02-17T19:18:58Z https://community.cisco.com/t5/network-security/dynamic-nat-on-asa-8-2/m-p/1842022#M459185 <HTML><HEAD></HEAD><BODY><P>There aren't but the line </P><P>access-list Inside_nat0_outbound extended permit ip 172.18.170.0 255.255.255.0 4.28.x.x 255.255.255.252</P><P>is the network for my ISP.</P><P></P><P>I took it out and I still can't ping. I'm trying "ping Inside 75.71.47.74"</P></BODY></HTML> Fri, 17 Feb 2012 19:30:48 GMT https://community.cisco.com/t5/network-security/dynamic-nat-on-asa-8-2/m-p/1842022#M459185 jasonww04 2012-02-17T19:30:48Z https://community.cisco.com/t5/network-security/dynamic-nat-on-asa-8-2/m-p/1842023#M459187 <HTML><HEAD></HEAD><BODY><P>Hello Jason,</P><P></P><P>As I can see on the first post, You want to be able to go to the outside:</P><P></P><P>So on the No_nat rules you only need the networks for the VPN, nothing more. </P><P></P><P><SPAN style="text-decoration: underline;"><STRONG>Also&nbsp; <SPAN style="background-color: #ffffff; font-family: Arial, verdana, sans-serif; font-size: 12px;">access-list Inside_nat0_outbound extended permit ip 172.18.170.0 255.255.255.0 4.28.x.x 255.255.255.252</SPAN></STRONG></SPAN></P><P style="background-color: #ffffff; border-collapse: collapse; font-size: 12px; list-style-type: none; font-family: Arial, verdana, sans-serif;"><SPAN style="text-decoration: underline;"><STRONG>is the network for my ISP</STRONG></SPAN></P><P></P><P>Why are you doing that??? I mean traffic should get nat it, dont you think-</P></BODY></HTML> Sat, 18 Feb 2012 03:23:19 GMT https://community.cisco.com/t5/network-security/dynamic-nat-on-asa-8-2/m-p/1842023#M459187 Julio Carvajal 2012-02-18T03:23:19Z https://community.cisco.com/t5/network-security/dynamic-nat-on-asa-8-2/m-p/1842024#M459188 <HTML><HEAD></HEAD><BODY><P>Why are you performing a "ping Inside 75.71.47.74"?&nbsp; This command is sourcing a ping from the inside interface which is exempt from NAT so I would expect this to be PAT'd</P></BODY></HTML> Sat, 18 Feb 2012 03:28:19 GMT https://community.cisco.com/t5/network-security/dynamic-nat-on-asa-8-2/m-p/1842024#M459188 Patrick0711 2012-02-18T03:28:19Z https://community.cisco.com/t5/network-security/dynamic-nat-on-asa-8-2/m-p/1842025#M459189 <HTML><HEAD></HEAD><BODY><P>Err, I meant to say that I would expect that traffic NOT to be PAT'd</P></BODY></HTML> Sat, 18 Feb 2012 03:29:10 GMT https://community.cisco.com/t5/network-security/dynamic-nat-on-asa-8-2/m-p/1842025#M459189 Patrick0711 2012-02-18T03:29:10Z https://community.cisco.com/t5/network-security/dynamic-nat-on-asa-8-2/m-p/1842026#M459191 <HTML><HEAD></HEAD><BODY><P>This is what my ACL looks like now and still users can't get out.</P><P></P><P>access-list Inside_nat0_outbound extended permit ip 172.18.170.0 255.255.255.0 Level3-SIP 255.255.255.0</P><P>access-list Inside_nat0_outbound extended permit ip Level3-SIP 255.255.255.0 172.18.170.0 255.255.255.0</P><P>access-list Inside_nat0_outbound extended permit ip 172.18.170.0 255.255.255.0 172.18.170.0 255.255.255.0</P><P>access-list Inside_nat0_outbound extended permit ip 172.18.170.0 255.255.255.0 Corporate 255.255.255.0</P><P>access-list Inside_nat0_outbound extended permit ip 172.18.170.0 255.255.255.0 Poway 255.255.255.0</P><P>access-list Inside_nat0_outbound extended permit ip 172.18.170.0 255.255.255.0 LaSierra 255.255.255.0</P><P>access-list Inside_nat0_outbound extended permit ip 172.18.170.0 255.255.255.0 Fontana 255.255.255.0</P><P>access-list Inside_nat0_outbound extended permit ip 172.18.170.0 255.255.255.0 MorenoValley 255.255.255.0</P><P>access-list Inside_nat0_outbound extended permit ip 172.18.170.0 255.255.255.0 Woodcrest 255.255.255.0</P><P>access-list Inside_nat0_outbound extended permit ip 172.18.170.0 255.255.255.0 HighDesert 255.255.255.0</P><P>access-list Inside_nat0_outbound extended permit ip 172.18.170.0 255.255.255.0 172.18.193.0 255.255.255.0</P><P>access-list Inside_nat0_outbound extended permit ip 172.18.170.0 255.255.255.0 Westminster 255.255.255.0</P><P>access-list Inside_nat0_outbound extended permit ip 172.18.170.0 255.255.255.0 Lakewood 255.255.255.0</P></BODY></HTML> Mon, 20 Feb 2012 15:26:20 GMT https://community.cisco.com/t5/network-security/dynamic-nat-on-asa-8-2/m-p/1842026#M459191 jasonww04 2012-02-20T15:26:20Z https://community.cisco.com/t5/network-security/dynamic-nat-on-asa-8-2/m-p/1842027#M459193 <HTML><HEAD></HEAD><BODY><P>How would I test if my NAT is correct if I don't start the ping from the inside?</P></BODY></HTML> Tue, 21 Feb 2012 15:27:07 GMT https://community.cisco.com/t5/network-security/dynamic-nat-on-asa-8-2/m-p/1842027#M459193 jasonww04 2012-02-21T15:27:07Z https://community.cisco.com/t5/network-security/dynamic-nat-on-asa-8-2/m-p/1842028#M459195 <HTML><HEAD></HEAD><BODY><P>you can use the packet-tracer command on the ASA to check if the NAT is correct or not for any specific soruce and destination.</P></BODY></HTML> Tue, 21 Feb 2012 15:29:36 GMT https://community.cisco.com/t5/network-security/dynamic-nat-on-asa-8-2/m-p/1842028#M459195 Amit Rai 2012-02-21T15:29:36Z https://community.cisco.com/t5/network-security/dynamic-nat-on-asa-8-2/m-p/1842029#M459197 <HTML><HEAD></HEAD><BODY><P>Packet tracer makes no sense to me at all. Here is the result of packet tracer going to an external IP. Why is there no NAT Phase but there is a VPN Phase when 75.71.47.74 cannot be reached through any configured VPN.</P><P></P><P>firewallmchpa# packet-tracer input Outside icmp 172.18.170.1 8 0 75.71.47.74 d$</P><P></P><P>Phase: 1</P><P>Type: ROUTE-LOOKUP</P><P>Subtype: input</P><P>Result: ALLOW</P><P>Config:</P><P>Additional Information:</P><P>in&nbsp;&nbsp; 0.0.0.0&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 0.0.0.0&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Outside</P><P></P><P>Phase: 2</P><P>Type: ACCESS-LIST</P><P>Subtype:</P><P>Result: ALLOW</P><P>Config:</P><P>Implicit Rule</P><P>Additional Information:</P><P> Forward Flow based lookup yields rule:</P><P> in&nbsp; id=0xab7e3f20, priority=3, domain=permit, deny=false</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; hits=3, user_data=0x0, cs_id=0x0, flags=0x4000, protocol=0</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; src ip=0.0.0.0, mask=0.0.0.0, port=0</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0</P><P></P><P>Phase: 3</P><P>Type: IP-OPTIONS</P><P>Subtype:</P><P>Result: ALLOW</P><P>Config:</P><P>Additional Information:</P><P> Forward Flow based lookup yields rule:</P><P> in&nbsp; id=0xab7e5a08, priority=0, domain=inspect-ip-options, deny=true</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; hits=351541, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; src ip=0.0.0.0, mask=0.0.0.0, port=0</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0</P><P></P><P>Phase: 4</P><P>Type: INSPECT</P><P>Subtype: np-inspect</P><P>Result: ALLOW</P><P>Config:</P><P>Additional Information:</P><P> Forward Flow based lookup yields rule:</P><P> in&nbsp; id=0xab7e5680, priority=66, domain=inspect-icmp-error, deny=false</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; hits=12878, user_data=0xab7e5568, cs_id=0x0, use_real_addr, flags=0x0, protocol=1</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; src ip=0.0.0.0, mask=0.0.0.0, port=0</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0</P><P></P><P>Phase: 5</P><P>Type: VPN</P><P>Subtype: ipsec-tunnel-flow</P><P>Result: ALLOW</P><P>Config:</P><P>Additional Information:</P><P> Forward Flow based lookup yields rule:</P><P> in&nbsp; id=0xac1465f8, priority=12, domain=ipsec-tunnel-flow, deny=true</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; hits=141699, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; src ip=0.0.0.0, mask=0.0.0.0, port=0</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0</P><P></P><P>Phase: 6</P><P>Type: FLOW-CREATION</P><P>Subtype:</P><P>Result: ALLOW</P><P>Config:</P><P>Additional Information:</P><P>New flow created with id 146737, packet dispatched to next module</P><P>Module information for forward flow ...</P><P>snp_fp_tracer_drop</P><P>snp_fp_inspect_ip_options</P><P>snp_fp_adjacency</P><P>snp_fp_fragment</P><P>snp_ifc_stat</P><P></P><P>Module information for reverse flow ...</P><P></P><P>Result:</P><P>input-interface: Outside</P><P>input-status: up</P><P>input-line-status: up</P><P>output-interface: Outside</P><P>output-status: up</P><P>output-line-status: up</P><P>Action: allow</P></BODY></HTML> Tue, 21 Feb 2012 16:46:35 GMT https://community.cisco.com/t5/network-security/dynamic-nat-on-asa-8-2/m-p/1842029#M459197 jasonww04 2012-02-21T16:46:35Z https://community.cisco.com/t5/network-security/dynamic-nat-on-asa-8-2/m-p/1842030#M459199 <HTML><HEAD></HEAD><BODY><P>This will probably sound fairly stupid, but I have run into this at least 3 times in the past with new ASA installations. I always had to reboot the ASA once before the NAT would actually function if I set it up after it was already plugged in, otherwise the NAT setup looks perfectly fine assuming your NAT exemptions don't match the thing you are trying to hit. You may want to do testing with something like 4.2.2.2 so you know it will respond to ICMP.</P></BODY></HTML> Tue, 21 Feb 2012 16:58:28 GMT https://community.cisco.com/t5/network-security/dynamic-nat-on-asa-8-2/m-p/1842030#M459199 Keith McElroy 2012-02-21T16:58:28Z https://community.cisco.com/t5/network-security/dynamic-nat-on-asa-8-2/m-p/1842031#M459201 <HTML><HEAD></HEAD><BODY><P>Is there something in the ASA equivalent to a router's clear ip nat translations *?</P></BODY></HTML> Tue, 21 Feb 2012 17:15:50 GMT https://community.cisco.com/t5/network-security/dynamic-nat-on-asa-8-2/m-p/1842031#M459201 jasonww04 2012-02-21T17:15:50Z https://community.cisco.com/t5/network-security/dynamic-nat-on-asa-8-2/m-p/1842032#M459202 <HTML><HEAD></HEAD><BODY><P>There is, you clear the xlate, but this never worked when I tried it. It seemed to always be that the NAT process wouldn't start unless it had been enabled from boot. I can only assume it is part of the way the code is made and it must boot with the box. Then again, it could have been just multiple flukes, but I suspect it is an actual issue with how the code loads on the ASA. Best bet would be to just save the config and do a quick reboot, really doesn't hurt much considering it doesn't work right now anyway. I never tried, but you can probably check the CPU processes and look for something related to NAT, although it may be stuck under an IP process of some sort, therefore not transparent.</P></BODY></HTML> Tue, 21 Feb 2012 17:19:33 GMT https://community.cisco.com/t5/network-security/dynamic-nat-on-asa-8-2/m-p/1842032#M459202 Keith McElroy 2012-02-21T17:19:33Z