topic Cannot get packets from NAT'ed int to Internet! in Network Security https://community.cisco.com/t5/network-security/cannot-get-packets-from-nat-ed-int-to-internet/m-p/1799502#M531941 <HTML><HEAD></HEAD><BODY><P>Update: I returned to work the next day and added ICMP to the inpect policy. No ICMP packets returned. I did find something interesting- in a test to a server my buddy hosts, I attempted several RDP connections, and asked him to check his logs. <STRONG>HE SAW THE CONNECTION REQUESTS HIT HIS SERVER! </STRONG>Also, after learning about packet-trace, I saw that ICMP creates a flow, gets past the ACL's and picks up the global address, so <STRONG>ICMP IS GETTING OUT</STRONG>. I made a lame attempt at packet capture. I could see the return packets return to the outside interface but no egress match- weird. For that, I believe I had just set up the capture incorrectly. But odd that the packets were hitting the outside interface on the return.</P><P></P><P>Before I left for the day, I had stripped the IP set up for the management interface, as it was only syncing at half duplex and 100 Mb/s. I returned to the original sub-interface set up I had. AND, I tested that I was seeing the same condition with this set up- packets outbound good but no return packets to my host. How can I see where exactly the packet is dropped in the firewall or if it's getting that far (maybe the router in front of the ASA is blocking it)? New config attached...</P><P></P><P>===================================================================================</P><P></P><P>svc-ASA# sho config</P><P>: Saved</P><P>: Written by enable_15 at 13:29:35.636 EDT Thu Sep 1 2011</P><P>!</P><P>ASA Version 8.2(1)</P><P>!</P><P>hostname svc-ASA</P><P>domain-name dns.domain.com</P><P>enable password yB8aikWYtWXF7HR/ encrypted</P><P>passwd 2KFQnbNIdI.2KYOU encrypted</P><P>names</P><P>name 69.147.114.210 </P><P><A href="http://www.yahoo.com">www.yahoo.com</A> </P><P></P><P>dns-guard</P><P>!</P><P>interface GigabitEthernet0/0</P><P> description Ethernet to 3825 router (internet gateway)</P><P> speed 1000</P><P> duplex full</P><P> nameif outside</P><P> security-level 0</P><P> ip address x.x.244.50 255.255.255.248</P><P>!</P><P>interface GigabitEthernet0/1</P><P> description ADMIN servers</P><P> speed 1000</P><P> duplex full</P><P> nameif admin</P><P> security-level 96</P><P> ip address x.x.227.1 255.255.255.0</P><P>!</P><P>interface GigabitEthernet0/1.60</P><P> vlan 60</P><P> nameif VLAN60</P><P> security-level 100</P><P> ip address 172.31.1.10 255.255.0.0</P><P>!</P><P>interface GigabitEthernet0/2</P><P> description Employee access</P><P> speed 1000</P><P> duplex full</P><P> nameif inside</P><P> security-level 75</P><P> ip address 10.0.0.10 255.0.0.0</P><P>!</P><P>interface GigabitEthernet0/3</P><P> description Routable IP pool</P><P> speed 1000</P><P> duplex full</P><P> nameif Admin2</P><P> security-level 98</P><P> ip address x.x.246.1 255.255.254.0</P><P>!</P><P>interface Management0/0</P><P> speed 100</P><P> duplex half</P><P> no nameif</P><P> security-level 100</P><P> no ip address</P><P> management-only</P><P>!</P><P>boot system disk0:/asa821-k8.bin</P><P>boot system disk0:/asdm-623.bin</P><P>ftp mode passive</P><P>clock timezone EST -5</P><P>clock summer-time EDT recurring</P><P>dns server-group DefaultDNS</P><P> domain-name dns.domain.com</P><P>same-security-traffic permit inter-interface</P><P>same-security-traffic permit intra-interface</P><P>object-group protocol DM_INLINE_PROTOCOL_1</P><P> protocol-object ip</P><P> protocol-object udp</P><P> protocol-object tcp</P><P> protocol-object icmp</P><P>object-group protocol DM_INLINE_PROTOCOL_2</P><P> protocol-object ip</P><P> protocol-object udp</P><P> protocol-object tcp</P><P> protocol-object icmp</P><P>object-group protocol DM_INLINE_PROTOCOL_3</P><P> protocol-object ip</P><P> protocol-object tcp</P><P>access-list employee_inbound extended permit ip any host x.x.227.9</P><P>access-list employee_inbound extended permit ip any host x.x.227.10</P><P>access-list employee_inbound extended permit ip any host x.x.227.221</P><P>access-list employee_inbound extended permit ip any host x.x.227.108</P><P>access-list employee_inbound extended permit tcp any any eq www</P><P>access-list employee_inbound extended permit ip any any</P><P>access-list employee_inbound extended permit ip any host x.x.227.29</P><P>access-list employee_inbound extended permit ip any host x.x.227.215</P><P>access-list employee_inbound extended permit ip any host x.x.227.223</P><P>access-list employee_inbound extended permit ip any host x.x.227.224</P><P>access-list employee_inbound extended permit ip any host x.x.227.8</P><P>access-list employee_inbound extended permit ip any host x.x.246.112</P><P>access-list employee_inbound extended permit tcp any any eq 3389</P><P>access-list employee_inbound remark New Wireless Admin permit to Wired Admin</P><P>access-list employee_inbound extended permit object-group DM_INLINE_PROTOCOL_2 Admin_172_Network 255.255.0.0 x.x.227.0 255.255.255.0</P><P>access-list employee_inbound extended permit tcp any any eq ldaps</P><P>access-list employee_inbound extended permit tcp any any eq smtp</P><P>access-list employee_inbound extended permit ip any host x.x.246.214</P><P>access-list employee_inbound extended permit ip any host x.x.227.13</P><P>access-list employee_inbound extended permit ip any host x.x.227.90</P><P>access-list employee_inbound extended permit ip any host x.x.227.7</P><P>access-list employee_inbound extended permit ip any host x.x.227.101</P><P>access-list employee_inbound extended permit tcp any any eq ssh</P><P>access-list employee_inbound extended permit ip any host x.x.244.49</P><P>access-list employee_inbound extended permit ip any host x.x.227.22</P><P>access-list employee_inbound extended permit ip any host x.x.244.51</P><P>access-list employee_inbound extended permit ip any host x.x.227.140</P><P>access-list employee_inbound extended permit tcp any any eq pop3</P><P>access-list employee_inbound extended permit ip any host x.x.227.37</P><P>access-list employee_inbound extended permit tcp any any eq 123</P><P>access-list employee_inbound extended permit tcp any any eq 3689</P><P>access-list employee_inbound extended permit udp any any eq 5353</P><P>access-list employee_inbound extended permit ip any host x.x.227.178</P><P>access-list employee_inbound extended permit ip any host x.x.246.44</P><P>access-list employee_inbound extended permit ip any host x.x.227.174</P><P>access-list employee_inbound extended permit ip any host x.x.246.33</P><P>access-list employee_inbound extended permit ip any host x.x.246.111</P><P>access-list employee_inbound extended permit tcp any any eq domain</P><P>access-list employee_inbound extended permit udp any any eq domain</P><P>access-list employee_inbound extended permit udp any any eq ntp</P><P>access-list employee_inbound extended permit tcp any any eq sip</P><P>access-list employee_inbound extended permit udp any any eq sip</P><P>access-list employee_inbound extended permit tcp any any eq 465</P><P>access-list employee_inbound extended permit ip any host x.x.227.49</P><P>access-list employee_inbound extended permit ip any host x.x.246.63</P><P>access-list employee_inbound extended permit ip any host x.x.246.110</P><P>access-list employee_inbound extended permit ip any host x.x.227.121</P><P>access-list employee_inbound extended permit tcp any any eq netbios-ssn</P><P>access-list employee_inbound extended permit tcp any any eq 445</P><P>access-list employee_inbound extended permit ip any host x.x.227.154</P><P>access-list employee_inbound extended permit ip any host 10.0.2.3</P><P>access-list employee_inbound extended permit ip any host x.x.227.41</P><P>access-list employee_inbound extended permit tcp any any eq pptp</P><P>access-list employee_inbound extended permit ip any host x.x.246.59</P><P>access-list employee_inbound extended deny ip any host 200.23.34.33</P><P>access-list employee_inbound extended permit ip any host x.x.227.217</P><P>access-list employee_inbound extended permit ip any host x.x.227.56</P><P>access-list employee_inbound extended permit ip any host x.x.227.156</P><P>access-list employee_inbound extended permit ip any host x.x.246.66</P><P>access-list employee_inbound extended permit ip any host x.x.227.30</P><P>access-list outside_inbound extended permit udp any host x.x.227.10 eq domain</P><P>access-list outside_inbound extended permit tcp any host x.x.227.221 eq www</P><P>access-list outside_inbound extended permit ip any host x.x.227.18</P><P>access-list outside_inbound extended permit icmp any any</P><P>access-list outside_inbound extended permit ip any host x.x.227.17</P><P>access-list outside_inbound extended permit ip any host x.x.227.220</P><P>access-list outside_inbound extended permit ip any host x.x.227.222</P><P>access-list outside_inbound extended permit ip any host x.x.227.223</P><P>access-list outside_inbound extended permit ip any host x.x.227.225</P><P>access-list outside_inbound extended permit ip any host x.x.227.253</P><P>access-list outside_inbound extended permit ip any host x.x.227.45</P><P>access-list outside_inbound extended permit ip any host x.x.227.46</P><P>access-list outside_inbound extended permit ip any host x.x.227.47</P><P>access-list outside_inbound extended permit ip any host x.x.227.48</P><P>access-list outside_inbound extended permit ip any host x.x.227.49</P><P>access-list outside_inbound extended permit ip any host x.x.227.50</P><P>access-list outside_inbound extended permit ip any host x.x.227.51</P><P>access-list outside_inbound extended permit ip any host x.x.227.52</P><P>access-list outside_inbound extended permit ip any host x.x.227.53</P><P>access-list outside_inbound extended permit ip any host x.x.227.54</P><P>access-list outside_inbound extended permit ip any host x.x.227.55</P><P>access-list outside_inbound extended permit ip any host x.x.227.56</P><P>access-list outside_inbound extended permit ip any host x.x.227.57</P><P>access-list outside_inbound extended permit ip any host x.x.227.58</P><P>access-list outside_inbound extended permit ip any host x.x.227.59</P><P>access-list outside_inbound extended permit ip any host x.x.227.60</P><P>access-list outside_inbound extended permit ip any host x.x.227.61</P><P>access-list outside_inbound extended permit ip any host x.x.227.62</P><P>access-list outside_inbound extended permit ip any host x.x.227.63</P><P>access-list outside_inbound extended permit ip any host x.x.227.64</P><P>access-list outside_inbound extended permit ip any host x.x.227.65</P><P>access-list outside_inbound extended permit ip any host x.x.227.202</P><P>access-list outside_inbound extended permit ip any host x.x.227.108</P><P>access-list outside_inbound extended permit tcp any any eq ftp</P><P>access-list outside_inbound extended permit ip any host x.x.227.5</P><P>access-list outside_inbound extended permit tcp any any eq ftp-data</P><P>access-list outside_inbound extended permit ip any host x.x.227.130</P><P>access-list outside_inbound extended permit udp any any eq 3389</P><P>access-list outside_inbound extended permit tcp any any eq 3128</P><P>access-list outside_inbound extended permit udp any any eq 3128</P><P>access-list outside_inbound extended permit ip any host x.x.227.8</P><P>access-list outside_inbound extended permit ip any host x.x.227.169</P><P>access-list outside_inbound extended permit tcp any any eq domain</P><P>access-list outside_inbound extended permit ip any host x.x.246.20</P><P>access-list outside_inbound extended permit ip any host x.x.227.215</P><P>access-list outside_inbound extended permit tcp any any eq https</P><P>access-list outside_inbound extended permit ip any host x.x.227.29</P><P>access-list outside_inbound extended permit tcp any any eq 5900</P><P>access-list outside_inbound extended permit tcp any any eq 5800</P><P>access-list outside_inbound extended permit tcp any any eq pcanywhere-data</P><P>access-list outside_inbound extended permit ip any host x.x.227.195</P><P>access-list outside_inbound extended permit tcp any any eq 2048</P><P>access-list outside_inbound extended permit ip any host x.x.246.112</P><P>access-list outside_inbound extended permit tcp any any eq 1688</P><P>access-list outside_inbound extended permit tcp any any eq pptp</P><P>access-list outside_inbound extended permit ip any host x.x.227.110</P><P>access-list outside_inbound extended permit ip any host x.x.227.167</P><P>access-list outside_inbound extended permit ip any host x.x.227.193</P><P>access-list outside_inbound extended permit ip any host x.x.227.188</P><P>access-list outside_inbound extended permit ip any host x.x.227.83</P><P>access-list outside_inbound extended permit ip any host x.x.227.89</P><P>access-list outside_inbound extended permit ip any host x.x.227.95</P><P>access-list outside_inbound extended permit ip any host x.x.227.153</P><P>access-list outside_inbound extended permit ip any host x.x.227.200</P><P>access-list outside_inbound extended deny tcp any any eq 7171</P><P>access-list outside_inbound extended permit ip any host x.x.227.138</P><P>access-list outside_inbound extended deny ip host 195.225.204.227 any</P><P>access-list outside_inbound extended deny ip host 195.225.205.97 any</P><P>access-list outside_inbound extended deny ip host 195.13.58.57 any</P><P>access-list outside_inbound extended deny ip host 193.13.58.57 any</P><P>access-list outside_inbound extended deny ip host 93.182.130.12 any</P><P>access-list outside_inbound extended permit tcp any any eq 135</P><P>access-list outside_inbound extended permit tcp any any eq ldaps</P><P>access-list outside_inbound extended permit ip any host x.x.227.98</P><P>access-list outside_inbound extended permit tcp any any eq smtp</P><P>access-list outside_inbound extended permit tcp any any eq ldap</P><P>access-list outside_inbound extended permit ip any host x.x.246.214</P><P>access-list outside_inbound extended permit ip any host x.x.227.13</P><P>access-list outside_inbound extended permit ip any host x.x.227.197</P><P>access-list outside_inbound extended permit ip any host x.x.227.90</P><P>access-list outside_inbound extended permit tcp any any eq 9101</P><P>access-list outside_inbound extended permit ip any host x.x.244.49</P><P>access-list outside_inbound extended permit tcp any any eq ssh</P><P>access-list outside_inbound extended permit ip any host x.x.227.22</P><P>access-list outside_inbound extended permit ip any host x.x.244.51</P><P>access-list outside_inbound extended permit ip any host x.x.227.140</P><P>access-list outside_inbound extended permit tcp any any eq pop3</P><P>access-list outside_inbound extended permit ip any host x.x.227.221</P><P>access-list outside_inbound extended permit ip any host x.x.227.37</P><P>access-list outside_inbound extended permit tcp any any eq 123</P><P>access-list outside_inbound extended permit tcp any any eq 3689</P><P>access-list outside_inbound extended permit udp any any eq 5353</P><P>access-list outside_inbound extended permit ip any host x.x.227.178</P><P>access-list outside_inbound extended permit ip any host x.x.246.44</P><P>access-list outside_inbound extended permit ip any host x.x.227.174</P><P>access-list outside_inbound extended permit ip any host x.x.246.33</P><P>access-list outside_inbound extended permit object-group DM_INLINE_PROTOCOL_3 any host x.x.246.111</P><P>access-list outside_inbound extended permit udp any any eq domain</P><P>access-list outside_inbound extended permit udp any any eq ntp</P><P>access-list outside_inbound extended permit tcp any any eq sip</P><P>access-list outside_inbound extended permit udp any any eq sip</P><P>access-list outside_inbound extended permit tcp any any eq 465</P><P>access-list outside_inbound extended permit ip any host x.x.246.63</P><P>access-list outside_inbound extended permit ip any host x.x.246.110</P><P>access-list outside_inbound extended permit ip any host x.x.227.121</P><P>access-list outside_inbound extended permit tcp any any eq netbios-ssn</P><P>access-list outside_inbound extended permit tcp any any eq 445</P><P>access-list outside_inbound extended permit ip any host x.x.226.154</P><P>access-list outside_inbound extended permit ip any host 10.0.2.3</P><P>access-list outside_inbound extended permit ip any host x.x.227.41</P><P>access-list outside_inbound extended permit ip any host x.x.246.59</P><P>access-list outside_inbound extended deny ip any host 200.23.34.33</P><P>access-list outside_inbound extended permit ip any host x.x.227.217</P><P>access-list outside_inbound extended permit ip any host x.x.227.156</P><P>access-list outside_inbound extended permit ip any host x.x.246.66</P><P>access-list outside_inbound extended permit ip any host x.x.227.30</P><P>access-list cap extended permit ip x.x.0.0 255.255.0.0 host x.x.227.18</P><P>access-list cap extended permit ip host x.x.227.18 x.x.0.0 255.255.0.0</P><P>access-list nonat-employee extended permit ip 10.0.0.0 255.0.0.0 x.x.227.0 255.255.255.0</P><P>access-list nonat-employee extended permit ip x.x.246.0 255.255.254.0 any</P><P>access-list check-ftp extended permit tcp any any eq ftp</P><P>access-list check-ftp extended permit ip any any</P><P>access-list check-ftp remark Permit from Wired Admin to Wireless Admin</P><P>access-list check-ftp extended permit object-group DM_INLINE_PROTOCOL_1 x.x.227.0 255.255.255.0 Admin_172_Network 255.255.0.0</P><P>access-list employee-inbound extended permit tcp any any eq 135</P><P>access-list nonat-management extended permit ip 172.31.0.0 255.255.0.0 x.x.227.0 255.255.255.0</P><P>access-list nonat-management extended permit ip x.x.246.0 255.255.254.0 any</P><P>access-list VLAN60_access extended permit ip any any</P><P>access-list testcap extended permit ip host <TESTSERVER_IP_ON_NET> host x.x.246.200</TESTSERVER_IP_ON_NET></P><P>access-list testcap_ingress extended permit ip any host <TESTSERVER_IP_ON_NET></TESTSERVER_IP_ON_NET></P><P>pager lines 24</P><P>logging enable...</P><P>nat-control</P><P>global (outside) 1 x.x.246.200</P><P>nat (admin) 2 x.x.227.0 255.255.255.0</P><P>nat (admin) 3 x.x.246.0 255.255.254.0</P><P>nat (admin) 1 10.0.0.0 255.0.0.0</P><P>nat (inside) 0 access-list nonat-employee</P><P>nat (inside) 1 0.0.0.0 0.0.0.0</P><P>nat (Admin2) 0 access-list nonat-employee</P><P>nat (Admin2) 1 0.0.0.0 0.0.0.0</P><P>nat (VLAN60) 0 access-list nonat-management</P><P>nat (VLAN60) 1 172.31.0.0 255.255.0.0</P><P>static (admin,outside) x.x.227.0 x.x.227.0 netmask 255.255.255.0</P><P>static (admin,inside) x.x.227.10 x.x.227.10 netmask 255.255.255.255</P><P>static (admin,inside) x.x.227.9 x.x.227.9 netmask 255.255.255.255</P><P>static (admin,inside) x.x.227.221 x.x.227.221 netmask 255.255.255.255</P><P>static (admin,inside) x.x.227.17 x.x.227.17 netmask 255.255.255.255</P><P>static (admin,inside) x.x.227.55 x.x.227.55 netmask 255.255.255.255</P><P>static (admin,inside) x.x.227.11 x.x.227.11 netmask 255.255.255.255</P><P>static (admin,inside) x.x.227.134 x.x.227.134 netmask 255.255.255.255</P><P>static (admin,inside) x.x.227.160 x.x.227.160 netmask 255.255.255.255</P><P>static (admin,inside) x.x.227.169 x.x.227.169 netmask 255.255.255.255</P><P>static (admin,inside) x.x.227.148 x.x.227.148 netmask 255.255.255.255</P><P>static (admin,inside) x.x.227.40 x.x.227.40 netmask 255.255.255.255</P><P>static (admin,inside) x.x.227.91 x.x.227.91 netmask 255.255.255.255</P><P>static (admin,inside) x.x.227.19 x.x.227.19 netmask 255.255.255.255</P><P>static (admin,inside) x.x.227.220 x.x.227.220 netmask 255.255.255.255</P><P>static (admin,inside) x.x.227.222 x.x.227.222 netmask 255.255.255.255</P><P>static (admin,inside) x.x.227.223 x.x.227.223 netmask 255.255.255.255</P><P>static (admin,inside) x.x.227.225 x.x.227.225 netmask 255.255.255.255</P><P>static (admin,inside) x.x.227.253 x.x.227.253 netmask 255.255.255.255</P><P>static (admin,inside) x.x.227.45 x.x.227.45 netmask 255.255.255.255</P><P>static (admin,inside) x.x.227.46 x.x.227.46 netmask 255.255.255.255</P><P>static (admin,inside) x.x.227.47 x.x.227.47 netmask 255.255.255.255</P><P>static (admin,inside) x.x.227.48 x.x.227.48 netmask 255.255.255.255</P><P>static (admin,inside) x.x.227.49 x.x.227.49 netmask 255.255.255.255</P><P>static (admin,inside) x.x.227.50 x.x.227.50 netmask 255.255.255.255</P><P>static (admin,inside) x.x.227.51 x.x.227.51 netmask 255.255.255.255</P><P>static (admin,inside) x.x.227.52 x.x.227.52 netmask 255.255.255.255</P><P>static (admin,inside) x.x.227.53 x.x.227.53 netmask 255.255.255.255</P><P>static (admin,inside) x.x.227.54 x.x.227.54 netmask 255.255.255.255</P><P>static (admin,inside) x.x.227.56 x.x.227.56 netmask 255.255.255.255</P><P>static (admin,inside) x.x.227.57 x.x.227.57 netmask 255.255.255.255</P><P>static (admin,inside) x.x.227.58 x.x.227.58 netmask 255.255.255.255</P><P>static (admin,inside) x.x.227.59 x.x.227.59 netmask 255.255.255.255</P><P>static (admin,inside) x.x.227.60 x.x.227.60 netmask 255.255.255.255</P><P>static (admin,inside) x.x.227.61 x.x.227.61 netmask 255.255.255.255</P><P>static (admin,inside) x.x.227.62 x.x.227.62 netmask 255.255.255.255</P><P>static (admin,inside) x.x.227.63 x.x.227.63 netmask 255.255.255.255</P><P>static (admin,inside) x.x.227.64 x.x.227.64 netmask 255.255.255.255</P><P>static (admin,inside) x.x.227.65 x.x.227.65 netmask 255.255.255.255</P><P>static (admin,inside) x.x.227.12 x.x.227.12 netmask 255.255.255.255</P><P>static (admin,inside) x.x.227.13 x.x.227.13 netmask 255.255.255.255</P><P>static (admin,inside) x.x.227.8 x.x.227.8 netmask 255.255.255.255</P><P>static (admin,inside) x.x.227.130 x.x.227.130 netmask 255.255.255.255</P><P>static (admin,inside) x.x.227.29 x.x.227.29 netmask 255.255.255.255</P><P>static (admin,inside) x.x.227.215 x.x.227.215 netmask 255.255.255.255</P><P>static (admin,inside) x.x.227.224 x.x.227.224 netmask 255.255.255.255</P><P>static (admin,inside) x.x.246.112 x.x.246.112 netmask 255.255.255.255</P><P>static (admin,inside) x.x.227.195 x.x.227.195 netmask 255.255.255.255</P><P>static (admin,inside) x.x.227.153 x.x.227.153 netmask 255.255.255.255</P><P>static (admin,inside) x.x.227.214 x.x.227.214 netmask 255.255.255.255</P><P>static (admin,inside) x.x.227.7 x.x.227.7 netmask 255.255.255.255</P><P>static (admin,inside) x.x.227.179 x.x.227.179 netmask 255.255.255.255</P><P>static (admin,inside) 10.0.2.2 10.0.2.2 netmask 255.255.255.255</P><P>static (admin,inside) x.x.227.98 x.x.227.98 netmask 255.255.255.255</P><P>static (admin,inside) x.x.227.140 x.x.227.140 netmask 255.255.255.255</P><P>static (admin,inside) x.x.246.214 x.x.246.214 netmask 255.255.255.255</P><P>static (admin,inside) x.x.227.90 x.x.227.90 netmask 255.255.255.255</P><P>static (admin,inside) x.x.227.101 x.x.227.101 netmask 255.255.255.255</P><P>static (admin,inside) x.x.244.49 x.x.244.49 netmask 255.255.255.255</P><P>static (admin,inside) x.x.227.22 x.x.227.22 netmask 255.255.255.255</P><P>static (admin,inside) x.x.244.51 x.x.244.51 netmask 255.255.255.255</P><P>static (admin,inside) x.x.227.37 x.x.227.37 netmask 255.255.255.255</P><P>static (admin,inside) x.x.227.178 x.x.227.178 netmask 255.255.255.255</P><P>static (admin,inside) x.x.224.111 x.x.226.111 netmask 255.255.255.255</P><P>static (admin,inside) x.x.246.44 x.x.246.44 netmask 255.255.255.255</P><P>static (admin,inside) x.x.227.174 x.x.227.174 netmask 255.255.255.255</P><P>static (admin,inside) x.x.246.33 x.x.246.33 netmask 255.255.255.255</P><P>static (admin,inside) x.x.246.111 x.x.246.111 netmask 255.255.255.255</P><P>static (admin,inside) x.x.227.121 x.x.227.121 netmask 255.255.255.255</P><P>static (admin,inside) x.x.227.154 x.x.227.154 netmask 255.255.255.255</P><P>static (admin,inside) x.x.227.41 x.x.227.41 netmask 255.255.255.255</P><P>static (admin,inside) x.x.246.59 x.x.246.59 netmask 255.255.255.255</P><P>static (admin,inside) x.x.227.217 x.x.227.217 netmask 255.255.255.255</P><P>static (admin,inside) x.x.227.156 x.x.227.156 netmask 255.255.255.255</P><P>static (admin,inside) x.x.246.66 x.x.246.66 netmask 255.255.255.255</P><P>static (admin,inside) x.x.227.30 x.x.227.30 netmask 255.255.255.255</P><P>access-group outside_inbound in interface outside</P><P>access-group check-ftp in interface admin</P><P>access-group employee_inbound in interface inside</P><P>access-group VLAN60_access in interface VLAN60</P><P>route outside 0.0.0.0 0.0.0.0 x.x.244.51 1</P><P>bunch of stuff about telnet, http, blah blah...</P><P>console timeout 0</P><P>management-access outside</P><P>!</P><P>class-map inspection_default</P><P> match default-inspection-traffic</P><P>class-map csc</P><P> match access-list csc</P><P>!</P><P>!</P><P>policy-map global_policy</P><P> class inspection_default</P><P>&nbsp; inspect dns</P><P>&nbsp; inspect ftp</P><P>&nbsp; inspect h323 h225</P><P>&nbsp; inspect h323 ras</P><P>&nbsp; inspect rsh</P><P>&nbsp; inspect rtsp</P><P>&nbsp; inspect esmtp</P><P>&nbsp; inspect sqlnet</P><P>&nbsp; inspect skinny</P><P>&nbsp; inspect sunrpc</P><P>&nbsp; inspect xdmcp</P><P>&nbsp; inspect sip</P><P>&nbsp; inspect netbios</P><P>&nbsp; inspect tftp</P><P>&nbsp; inspect http</P><P>&nbsp; inspect ils</P><P> class csc</P><P>&nbsp; csc fail-open</P><P>!</P><P>service-policy global_policy global</P><P>prompt hostname context</P><P>Cryptochecksum:7072c6d2d3de5da86a940965d975df79</P></BODY></HTML> Thu, 15 Sep 2011 10:50:31 GMT gregdzurinda 2011-09-15T10:50:31Z Cannot get packets from NAT'ed int to Internet! https://community.cisco.com/t5/network-security/cannot-get-packets-from-nat-ed-int-to-internet/m-p/1799492#M531925 <P>I have an ASA firewall (IOS 8.2) on which I am trying to configure an additional NAT'ed interface off the management port. Frowned upon, I know, but I have removed the management-only option, and I know this can and has worked in other environments </P><P></P><P>interface management 0/0 ("VLAN60") is the interface through which I am trying to move traffic out the "outside" interface and to the Internet. It can ping the servers behind the "Admin" interface (those are support servers- DNS, etc.).</P><P></P><P>interface "inside" is working, and it is how employees access the Internet now.</P><P></P><P>I expected interface "VLAN60" to work the same way as "inside." Why is this not the case?! (Banging my head against the wall...)</P><P></P><P>When I ping an outside IP address, I see my IP (172.31.0.1) in the xlate table, AND I see this in the log:</P><P>%ASA-6-302020: Built outbound ICMP connection for faddr 66.161.x.x/0 gaddr x.x.246.200/26927 laddr 172.31.0.1/1 </P><P></P><P>Config attached...</P><P></P> Mon, 11 Mar 2019 21:19:56 GMT https://community.cisco.com/t5/network-security/cannot-get-packets-from-nat-ed-int-to-internet/m-p/1799492#M531925 gregdzurinda 2019-03-11T21:19:56Z Cannot get packets from NAT'ed int to Internet! https://community.cisco.com/t5/network-security/cannot-get-packets-from-nat-ed-int-to-internet/m-p/1799493#M531927 <HTML><HEAD></HEAD><BODY><P>Config looks perfect as advised.</P><P></P><P>You might want to add the following icmp inspection if you test with ping:</P><P>policy-map global_policy</P><P> class inspection_default</P><P>&nbsp; inspect icmp</P><P></P><P>Are you able to test with any other application? maybe telnet, http, ftp from VLAN60 interface outbound to the Internet?</P></BODY></HTML> Fri, 02 Sep 2011 00:05:57 GMT https://community.cisco.com/t5/network-security/cannot-get-packets-from-nat-ed-int-to-internet/m-p/1799493#M531927 Jennifer Halim 2011-09-02T00:05:57Z Cannot get packets from NAT'ed int to Internet! https://community.cisco.com/t5/network-security/cannot-get-packets-from-nat-ed-int-to-internet/m-p/1799494#M531929 <HTML><HEAD></HEAD><BODY><P>I should add that- that will be a start. However, why is it that 10.0.0.0 on interface "inside" is able to ping and get replies from outside? I thought there must be something I am missing/stepping on in the NAT config or that the access-lists aren't applied properly. I had suspected that ICMP was getting out but the reply packets were not returning. Are you sure everything looks good with NAT? Seems pretty straight forward to me- I just tried to mimic how translation was being done for the 10.0.0.0 network with necessary adjustments of course.</P></BODY></HTML> Fri, 02 Sep 2011 00:28:38 GMT https://community.cisco.com/t5/network-security/cannot-get-packets-from-nat-ed-int-to-internet/m-p/1799494#M531929 gregdzurinda 2011-09-02T00:28:38Z Cannot get packets from NAT'ed int to Internet! https://community.cisco.com/t5/network-security/cannot-get-packets-from-nat-ed-int-to-internet/m-p/1799495#M531932 <HTML><HEAD></HEAD><BODY><P>From the log output, it looks to be correctly NATed to "gaddr x.x.246.200", so NAT is correct.</P><P></P><P>You do have NAT exemption configured for VLAN60 and NAT exemption takes precedence over the dynamic NAT, but I don't see that the access-list matches the traffic that you are trying to send to the internet. Please double check as the full subnet was not provided so i can't check.</P><P></P><P>nat (VLAN60) 0 access-list nonat-management</P><P>access-list nonat-management extended permit ip 172.31.0.0 255.255.0.0 x.x.227.0 255.255.255.0</P><P>access-list nonat-management extended permit ip x.x.246.0 255.255.254.0 any</P></BODY></HTML> Fri, 02 Sep 2011 00:33:07 GMT https://community.cisco.com/t5/network-security/cannot-get-packets-from-nat-ed-int-to-internet/m-p/1799495#M531932 Jennifer Halim 2011-09-02T00:33:07Z Cannot get packets from NAT'ed int to Internet! https://community.cisco.com/t5/network-security/cannot-get-packets-from-nat-ed-int-to-internet/m-p/1799496#M531933 <HTML><HEAD></HEAD><BODY><P> and one thing I don't understand...(I am an integrator stepping in to this, so most of these configs were already in the fw when I stepped in) is these statements:</P><P></P><P>nat-control</P><P>global (outside) 1 x.x.246.200</P><P><STRONG>nat (admin) 2 x.x.227.0 255.255.255.0</STRONG></P><P><STRONG>nat (admin) 3 x.x.246.0 255.255.254.0</STRONG></P><P><STRONG>nat (admin) 1 10.0.0.0 255.0.0.0</STRONG></P><P>nat (VLAN60) 0 access-list nonat-management</P><P>nat (VLAN60) 1 172.31.0.0 255.255.0.0</P><P>nat (inside) 0 access-list nonat-employee</P><P>nat (inside) 1 0.0.0.0 0.0.0.0</P><P>nat (Admin2) 0 access-list nonat-employee</P><P>nat (Admin2) 1 0.0.0.0 0.0.0.0<SPAN id="mce_marker"> </SPAN></P><P>nat-control</P><P>global (outside) 1 x.x.246.200</P><P>nat (admin) 2 x.x.227.0 255.255.255.0</P><P>nat (admin) 3 x.x.246.0 255.255.254.0</P><P>nat (admin) 1 10.0.0.0 255.0.0.0</P><P>nat (VLAN60) 0 access-list nonat-management</P><P>nat (VLAN60) 1 172.31.0.0 255.255.0.0</P><P>nat (inside) 0 access-list nonat-employee</P><P>nat (inside) 1 0.0.0.0 0.0.0.0</P><P>nat (Admin2) 0 access-list nonat-employee</P><P>nat (Admin2) 1 0.0.0.0 0.0.0.0</P><P></P><P>why is the NAT source in the above statements interface "admin"? Only the .227 is configured on the "Admin" interface. The 10.0.0.0 is assigned to "inside", and the .246 net is assigned to the "admin2" interface. I suspect the (admin) translations for the 246 and 227 subnets aren't even getting hits since the NAT ID doesn't match the global. But they are not RFC 1918 addresses, so they get through the outside interface.</P></BODY></HTML> Fri, 02 Sep 2011 00:54:37 GMT https://community.cisco.com/t5/network-security/cannot-get-packets-from-nat-ed-int-to-internet/m-p/1799496#M531933 gregdzurinda 2011-09-02T00:54:37Z Cannot get packets from NAT'ed int to Internet! https://community.cisco.com/t5/network-security/cannot-get-packets-from-nat-ed-int-to-internet/m-p/1799497#M531936 <HTML><HEAD></HEAD><BODY><P>Yes, that seems to be misconfiguration, and even .227 that has been correctly identified on "Admin" interface will not work because the NAT identifier is "2", and there is no matching global identifier "2". So none of the NAT on the "admin" interface will work at this stage.</P><P></P><P>The following is clearly incorrect as you mention:</P><P><STRONG>nat (admin) 3 x.x.246.0 255.255.254.0</STRONG></P><P><STRONG>nat (admin) 1 10.0.0.0 255.0.0.0</STRONG></P><P></P><P>And the following:</P><P><STRONG>nat (admin) 2 x.x.227.0 255.255.255.0</STRONG></P><P>needs to be changed to:</P><P><STRONG>nat (admin) 1 x.x.227.0 255.255.255.0</STRONG></P></BODY></HTML> Fri, 02 Sep 2011 01:06:20 GMT https://community.cisco.com/t5/network-security/cannot-get-packets-from-nat-ed-int-to-internet/m-p/1799497#M531936 Jennifer Halim 2011-09-02T01:06:20Z Cannot get packets from NAT'ed int to Internet! https://community.cisco.com/t5/network-security/cannot-get-packets-from-nat-ed-int-to-internet/m-p/1799498#M531937 <HTML><HEAD></HEAD><BODY><P>I definitely double-checked that one Jennifer. Thanks for your replies by the way. The exemption definitely does not include the scope or traffic I do want NAT'ed.</P></BODY></HTML> Fri, 02 Sep 2011 01:27:39 GMT https://community.cisco.com/t5/network-security/cannot-get-packets-from-nat-ed-int-to-internet/m-p/1799498#M531937 gregdzurinda 2011-09-02T01:27:39Z Cannot get packets from NAT'ed int to Internet! https://community.cisco.com/t5/network-security/cannot-get-packets-from-nat-ed-int-to-internet/m-p/1799499#M531938 <HTML><HEAD></HEAD><BODY><P>Great, thanks for the update.</P><P>Is ping working now from VLAN60?</P><P>Try to ping the outside interface next hop and see if that replies.</P><P>Otherwise, run a packet capture on the outside interface and see if the ASA is getting a reply.</P></BODY></HTML> Fri, 02 Sep 2011 01:37:10 GMT https://community.cisco.com/t5/network-security/cannot-get-packets-from-nat-ed-int-to-internet/m-p/1799499#M531938 Jennifer Halim 2011-09-02T01:37:10Z Cannot get packets from NAT'ed int to Internet! https://community.cisco.com/t5/network-security/cannot-get-packets-from-nat-ed-int-to-internet/m-p/1799500#M531939 <HTML><HEAD></HEAD><BODY><P> I did forget to mention that the 227 and 246.0/23 are routable IP's. That's why I was thinking those configs aren't doing anything. I can probably cut these 3 statements out:</P><P></P><P>nat (admin) 2 x.x.227.0 255.255.255.0</P><P>nat (admin) 3 x.x.246.0 255.255.254.0</P><P>nat (admin) 1 10.0.0.0 255.0.0.0 #### redundant since another entry matching global NAT ID a few lines down.</P><P></P><P>Still, those don't have any bearing on why 172.31. has no access to the Internet.</P><P></P><P>I need to add ICMP inspect for sure.</P><P></P><P>I may need to step through the access-lists and add a permit ip any any to the interface "VLAN60" - but which direction?- out? and I being that the security-level of this "VLAN60" interface is 100, I should be able to RDP with no issues, correct? x.x.227.0 servers can RDP to outside servers with no problem.</P></BODY></HTML> Fri, 02 Sep 2011 01:41:14 GMT https://community.cisco.com/t5/network-security/cannot-get-packets-from-nat-ed-int-to-internet/m-p/1799500#M531939 gregdzurinda 2011-09-02T01:41:14Z Cannot get packets from NAT'ed int to Internet! https://community.cisco.com/t5/network-security/cannot-get-packets-from-nat-ed-int-to-internet/m-p/1799501#M531940 <HTML><HEAD></HEAD><BODY><P> Sadly, I have to wait until tomorrow morning to add ICMP to the inspect policy.</P></BODY></HTML> Fri, 02 Sep 2011 01:42:38 GMT https://community.cisco.com/t5/network-security/cannot-get-packets-from-nat-ed-int-to-internet/m-p/1799501#M531940 gregdzurinda 2011-09-02T01:42:38Z Cannot get packets from NAT'ed int to Internet! https://community.cisco.com/t5/network-security/cannot-get-packets-from-nat-ed-int-to-internet/m-p/1799502#M531941 <HTML><HEAD></HEAD><BODY><P>Update: I returned to work the next day and added ICMP to the inpect policy. No ICMP packets returned. I did find something interesting- in a test to a server my buddy hosts, I attempted several RDP connections, and asked him to check his logs. <STRONG>HE SAW THE CONNECTION REQUESTS HIT HIS SERVER! </STRONG>Also, after learning about packet-trace, I saw that ICMP creates a flow, gets past the ACL's and picks up the global address, so <STRONG>ICMP IS GETTING OUT</STRONG>. I made a lame attempt at packet capture. I could see the return packets return to the outside interface but no egress match- weird. For that, I believe I had just set up the capture incorrectly. But odd that the packets were hitting the outside interface on the return.</P><P></P><P>Before I left for the day, I had stripped the IP set up for the management interface, as it was only syncing at half duplex and 100 Mb/s. I returned to the original sub-interface set up I had. AND, I tested that I was seeing the same condition with this set up- packets outbound good but no return packets to my host. How can I see where exactly the packet is dropped in the firewall or if it's getting that far (maybe the router in front of the ASA is blocking it)? New config attached...</P><P></P><P>===================================================================================</P><P></P><P>svc-ASA# sho config</P><P>: Saved</P><P>: Written by enable_15 at 13:29:35.636 EDT Thu Sep 1 2011</P><P>!</P><P>ASA Version 8.2(1)</P><P>!</P><P>hostname svc-ASA</P><P>domain-name dns.domain.com</P><P>enable password yB8aikWYtWXF7HR/ encrypted</P><P>passwd 2KFQnbNIdI.2KYOU encrypted</P><P>names</P><P>name 69.147.114.210 </P><P><A href="http://www.yahoo.com">www.yahoo.com</A> </P><P></P><P>dns-guard</P><P>!</P><P>interface GigabitEthernet0/0</P><P> description Ethernet to 3825 router (internet gateway)</P><P> speed 1000</P><P> duplex full</P><P> nameif outside</P><P> security-level 0</P><P> ip address x.x.244.50 255.255.255.248</P><P>!</P><P>interface GigabitEthernet0/1</P><P> description ADMIN servers</P><P> speed 1000</P><P> duplex full</P><P> nameif admin</P><P> security-level 96</P><P> ip address x.x.227.1 255.255.255.0</P><P>!</P><P>interface GigabitEthernet0/1.60</P><P> vlan 60</P><P> nameif VLAN60</P><P> security-level 100</P><P> ip address 172.31.1.10 255.255.0.0</P><P>!</P><P>interface GigabitEthernet0/2</P><P> description Employee access</P><P> speed 1000</P><P> duplex full</P><P> nameif inside</P><P> security-level 75</P><P> ip address 10.0.0.10 255.0.0.0</P><P>!</P><P>interface GigabitEthernet0/3</P><P> description Routable IP pool</P><P> speed 1000</P><P> duplex full</P><P> nameif Admin2</P><P> security-level 98</P><P> ip address x.x.246.1 255.255.254.0</P><P>!</P><P>interface Management0/0</P><P> speed 100</P><P> duplex half</P><P> no nameif</P><P> security-level 100</P><P> no ip address</P><P> management-only</P><P>!</P><P>boot system disk0:/asa821-k8.bin</P><P>boot system disk0:/asdm-623.bin</P><P>ftp mode passive</P><P>clock timezone EST -5</P><P>clock summer-time EDT recurring</P><P>dns server-group DefaultDNS</P><P> domain-name dns.domain.com</P><P>same-security-traffic permit inter-interface</P><P>same-security-traffic permit intra-interface</P><P>object-group protocol DM_INLINE_PROTOCOL_1</P><P> protocol-object ip</P><P> protocol-object udp</P><P> protocol-object tcp</P><P> protocol-object icmp</P><P>object-group protocol DM_INLINE_PROTOCOL_2</P><P> protocol-object ip</P><P> protocol-object udp</P><P> protocol-object tcp</P><P> protocol-object icmp</P><P>object-group protocol DM_INLINE_PROTOCOL_3</P><P> protocol-object ip</P><P> protocol-object tcp</P><P>access-list employee_inbound extended permit ip any host x.x.227.9</P><P>access-list employee_inbound extended permit ip any host x.x.227.10</P><P>access-list employee_inbound extended permit ip any host x.x.227.221</P><P>access-list employee_inbound extended permit ip any host x.x.227.108</P><P>access-list employee_inbound extended permit tcp any any eq www</P><P>access-list employee_inbound extended permit ip any any</P><P>access-list employee_inbound extended permit ip any host x.x.227.29</P><P>access-list employee_inbound extended permit ip any host x.x.227.215</P><P>access-list employee_inbound extended permit ip any host x.x.227.223</P><P>access-list employee_inbound extended permit ip any host x.x.227.224</P><P>access-list employee_inbound extended permit ip any host x.x.227.8</P><P>access-list employee_inbound extended permit ip any host x.x.246.112</P><P>access-list employee_inbound extended permit tcp any any eq 3389</P><P>access-list employee_inbound remark New Wireless Admin permit to Wired Admin</P><P>access-list employee_inbound extended permit object-group DM_INLINE_PROTOCOL_2 Admin_172_Network 255.255.0.0 x.x.227.0 255.255.255.0</P><P>access-list employee_inbound extended permit tcp any any eq ldaps</P><P>access-list employee_inbound extended permit tcp any any eq smtp</P><P>access-list employee_inbound extended permit ip any host x.x.246.214</P><P>access-list employee_inbound extended permit ip any host x.x.227.13</P><P>access-list employee_inbound extended permit ip any host x.x.227.90</P><P>access-list employee_inbound extended permit ip any host x.x.227.7</P><P>access-list employee_inbound extended permit ip any host x.x.227.101</P><P>access-list employee_inbound extended permit tcp any any eq ssh</P><P>access-list employee_inbound extended permit ip any host x.x.244.49</P><P>access-list employee_inbound extended permit ip any host x.x.227.22</P><P>access-list employee_inbound extended permit ip any host x.x.244.51</P><P>access-list employee_inbound extended permit ip any host x.x.227.140</P><P>access-list employee_inbound extended permit tcp any any eq pop3</P><P>access-list employee_inbound extended permit ip any host x.x.227.37</P><P>access-list employee_inbound extended permit tcp any any eq 123</P><P>access-list employee_inbound extended permit tcp any any eq 3689</P><P>access-list employee_inbound extended permit udp any any eq 5353</P><P>access-list employee_inbound extended permit ip any host x.x.227.178</P><P>access-list employee_inbound extended permit ip any host x.x.246.44</P><P>access-list employee_inbound extended permit ip any host x.x.227.174</P><P>access-list employee_inbound extended permit ip any host x.x.246.33</P><P>access-list employee_inbound extended permit ip any host x.x.246.111</P><P>access-list employee_inbound extended permit tcp any any eq domain</P><P>access-list employee_inbound extended permit udp any any eq domain</P><P>access-list employee_inbound extended permit udp any any eq ntp</P><P>access-list employee_inbound extended permit tcp any any eq sip</P><P>access-list employee_inbound extended permit udp any any eq sip</P><P>access-list employee_inbound extended permit tcp any any eq 465</P><P>access-list employee_inbound extended permit ip any host x.x.227.49</P><P>access-list employee_inbound extended permit ip any host x.x.246.63</P><P>access-list employee_inbound extended permit ip any host x.x.246.110</P><P>access-list employee_inbound extended permit ip any host x.x.227.121</P><P>access-list employee_inbound extended permit tcp any any eq netbios-ssn</P><P>access-list employee_inbound extended permit tcp any any eq 445</P><P>access-list employee_inbound extended permit ip any host x.x.227.154</P><P>access-list employee_inbound extended permit ip any host 10.0.2.3</P><P>access-list employee_inbound extended permit ip any host x.x.227.41</P><P>access-list employee_inbound extended permit tcp any any eq pptp</P><P>access-list employee_inbound extended permit ip any host x.x.246.59</P><P>access-list employee_inbound extended deny ip any host 200.23.34.33</P><P>access-list employee_inbound extended permit ip any host x.x.227.217</P><P>access-list employee_inbound extended permit ip any host x.x.227.56</P><P>access-list employee_inbound extended permit ip any host x.x.227.156</P><P>access-list employee_inbound extended permit ip any host x.x.246.66</P><P>access-list employee_inbound extended permit ip any host x.x.227.30</P><P>access-list outside_inbound extended permit udp any host x.x.227.10 eq domain</P><P>access-list outside_inbound extended permit tcp any host x.x.227.221 eq www</P><P>access-list outside_inbound extended permit ip any host x.x.227.18</P><P>access-list outside_inbound extended permit icmp any any</P><P>access-list outside_inbound extended permit ip any host x.x.227.17</P><P>access-list outside_inbound extended permit ip any host x.x.227.220</P><P>access-list outside_inbound extended permit ip any host x.x.227.222</P><P>access-list outside_inbound extended permit ip any host x.x.227.223</P><P>access-list outside_inbound extended permit ip any host x.x.227.225</P><P>access-list outside_inbound extended permit ip any host x.x.227.253</P><P>access-list outside_inbound extended permit ip any host x.x.227.45</P><P>access-list outside_inbound extended permit ip any host x.x.227.46</P><P>access-list outside_inbound extended permit ip any host x.x.227.47</P><P>access-list outside_inbound extended permit ip any host x.x.227.48</P><P>access-list outside_inbound extended permit ip any host x.x.227.49</P><P>access-list outside_inbound extended permit ip any host x.x.227.50</P><P>access-list outside_inbound extended permit ip any host x.x.227.51</P><P>access-list outside_inbound extended permit ip any host x.x.227.52</P><P>access-list outside_inbound extended permit ip any host x.x.227.53</P><P>access-list outside_inbound extended permit ip any host x.x.227.54</P><P>access-list outside_inbound extended permit ip any host x.x.227.55</P><P>access-list outside_inbound extended permit ip any host x.x.227.56</P><P>access-list outside_inbound extended permit ip any host x.x.227.57</P><P>access-list outside_inbound extended permit ip any host x.x.227.58</P><P>access-list outside_inbound extended permit ip any host x.x.227.59</P><P>access-list outside_inbound extended permit ip any host x.x.227.60</P><P>access-list outside_inbound extended permit ip any host x.x.227.61</P><P>access-list outside_inbound extended permit ip any host x.x.227.62</P><P>access-list outside_inbound extended permit ip any host x.x.227.63</P><P>access-list outside_inbound extended permit ip any host x.x.227.64</P><P>access-list outside_inbound extended permit ip any host x.x.227.65</P><P>access-list outside_inbound extended permit ip any host x.x.227.202</P><P>access-list outside_inbound extended permit ip any host x.x.227.108</P><P>access-list outside_inbound extended permit tcp any any eq ftp</P><P>access-list outside_inbound extended permit ip any host x.x.227.5</P><P>access-list outside_inbound extended permit tcp any any eq ftp-data</P><P>access-list outside_inbound extended permit ip any host x.x.227.130</P><P>access-list outside_inbound extended permit udp any any eq 3389</P><P>access-list outside_inbound extended permit tcp any any eq 3128</P><P>access-list outside_inbound extended permit udp any any eq 3128</P><P>access-list outside_inbound extended permit ip any host x.x.227.8</P><P>access-list outside_inbound extended permit ip any host x.x.227.169</P><P>access-list outside_inbound extended permit tcp any any eq domain</P><P>access-list outside_inbound extended permit ip any host x.x.246.20</P><P>access-list outside_inbound extended permit ip any host x.x.227.215</P><P>access-list outside_inbound extended permit tcp any any eq https</P><P>access-list outside_inbound extended permit ip any host x.x.227.29</P><P>access-list outside_inbound extended permit tcp any any eq 5900</P><P>access-list outside_inbound extended permit tcp any any eq 5800</P><P>access-list outside_inbound extended permit tcp any any eq pcanywhere-data</P><P>access-list outside_inbound extended permit ip any host x.x.227.195</P><P>access-list outside_inbound extended permit tcp any any eq 2048</P><P>access-list outside_inbound extended permit ip any host x.x.246.112</P><P>access-list outside_inbound extended permit tcp any any eq 1688</P><P>access-list outside_inbound extended permit tcp any any eq pptp</P><P>access-list outside_inbound extended permit ip any host x.x.227.110</P><P>access-list outside_inbound extended permit ip any host x.x.227.167</P><P>access-list outside_inbound extended permit ip any host x.x.227.193</P><P>access-list outside_inbound extended permit ip any host x.x.227.188</P><P>access-list outside_inbound extended permit ip any host x.x.227.83</P><P>access-list outside_inbound extended permit ip any host x.x.227.89</P><P>access-list outside_inbound extended permit ip any host x.x.227.95</P><P>access-list outside_inbound extended permit ip any host x.x.227.153</P><P>access-list outside_inbound extended permit ip any host x.x.227.200</P><P>access-list outside_inbound extended deny tcp any any eq 7171</P><P>access-list outside_inbound extended permit ip any host x.x.227.138</P><P>access-list outside_inbound extended deny ip host 195.225.204.227 any</P><P>access-list outside_inbound extended deny ip host 195.225.205.97 any</P><P>access-list outside_inbound extended deny ip host 195.13.58.57 any</P><P>access-list outside_inbound extended deny ip host 193.13.58.57 any</P><P>access-list outside_inbound extended deny ip host 93.182.130.12 any</P><P>access-list outside_inbound extended permit tcp any any eq 135</P><P>access-list outside_inbound extended permit tcp any any eq ldaps</P><P>access-list outside_inbound extended permit ip any host x.x.227.98</P><P>access-list outside_inbound extended permit tcp any any eq smtp</P><P>access-list outside_inbound extended permit tcp any any eq ldap</P><P>access-list outside_inbound extended permit ip any host x.x.246.214</P><P>access-list outside_inbound extended permit ip any host x.x.227.13</P><P>access-list outside_inbound extended permit ip any host x.x.227.197</P><P>access-list outside_inbound extended permit ip any host x.x.227.90</P><P>access-list outside_inbound extended permit tcp any any eq 9101</P><P>access-list outside_inbound extended permit ip any host x.x.244.49</P><P>access-list outside_inbound extended permit tcp any any eq ssh</P><P>access-list outside_inbound extended permit ip any host x.x.227.22</P><P>access-list outside_inbound extended permit ip any host x.x.244.51</P><P>access-list outside_inbound extended permit ip any host x.x.227.140</P><P>access-list outside_inbound extended permit tcp any any eq pop3</P><P>access-list outside_inbound extended permit ip any host x.x.227.221</P><P>access-list outside_inbound extended permit ip any host x.x.227.37</P><P>access-list outside_inbound extended permit tcp any any eq 123</P><P>access-list outside_inbound extended permit tcp any any eq 3689</P><P>access-list outside_inbound extended permit udp any any eq 5353</P><P>access-list outside_inbound extended permit ip any host x.x.227.178</P><P>access-list outside_inbound extended permit ip any host x.x.246.44</P><P>access-list outside_inbound extended permit ip any host x.x.227.174</P><P>access-list outside_inbound extended permit ip any host x.x.246.33</P><P>access-list outside_inbound extended permit object-group DM_INLINE_PROTOCOL_3 any host x.x.246.111</P><P>access-list outside_inbound extended permit udp any any eq domain</P><P>access-list outside_inbound extended permit udp any any eq ntp</P><P>access-list outside_inbound extended permit tcp any any eq sip</P><P>access-list outside_inbound extended permit udp any any eq sip</P><P>access-list outside_inbound extended permit tcp any any eq 465</P><P>access-list outside_inbound extended permit ip any host x.x.246.63</P><P>access-list outside_inbound extended permit ip any host x.x.246.110</P><P>access-list outside_inbound extended permit ip any host x.x.227.121</P><P>access-list outside_inbound extended permit tcp any any eq netbios-ssn</P><P>access-list outside_inbound extended permit tcp any any eq 445</P><P>access-list outside_inbound extended permit ip any host x.x.226.154</P><P>access-list outside_inbound extended permit ip any host 10.0.2.3</P><P>access-list outside_inbound extended permit ip any host x.x.227.41</P><P>access-list outside_inbound extended permit ip any host x.x.246.59</P><P>access-list outside_inbound extended deny ip any host 200.23.34.33</P><P>access-list outside_inbound extended permit ip any host x.x.227.217</P><P>access-list outside_inbound extended permit ip any host x.x.227.156</P><P>access-list outside_inbound extended permit ip any host x.x.246.66</P><P>access-list outside_inbound extended permit ip any host x.x.227.30</P><P>access-list cap extended permit ip x.x.0.0 255.255.0.0 host x.x.227.18</P><P>access-list cap extended permit ip host x.x.227.18 x.x.0.0 255.255.0.0</P><P>access-list nonat-employee extended permit ip 10.0.0.0 255.0.0.0 x.x.227.0 255.255.255.0</P><P>access-list nonat-employee extended permit ip x.x.246.0 255.255.254.0 any</P><P>access-list check-ftp extended permit tcp any any eq ftp</P><P>access-list check-ftp extended permit ip any any</P><P>access-list check-ftp remark Permit from Wired Admin to Wireless Admin</P><P>access-list check-ftp extended permit object-group DM_INLINE_PROTOCOL_1 x.x.227.0 255.255.255.0 Admin_172_Network 255.255.0.0</P><P>access-list employee-inbound extended permit tcp any any eq 135</P><P>access-list nonat-management extended permit ip 172.31.0.0 255.255.0.0 x.x.227.0 255.255.255.0</P><P>access-list nonat-management extended permit ip x.x.246.0 255.255.254.0 any</P><P>access-list VLAN60_access extended permit ip any any</P><P>access-list testcap extended permit ip host <TESTSERVER_IP_ON_NET> host x.x.246.200</TESTSERVER_IP_ON_NET></P><P>access-list testcap_ingress extended permit ip any host <TESTSERVER_IP_ON_NET></TESTSERVER_IP_ON_NET></P><P>pager lines 24</P><P>logging enable...</P><P>nat-control</P><P>global (outside) 1 x.x.246.200</P><P>nat (admin) 2 x.x.227.0 255.255.255.0</P><P>nat (admin) 3 x.x.246.0 255.255.254.0</P><P>nat (admin) 1 10.0.0.0 255.0.0.0</P><P>nat (inside) 0 access-list nonat-employee</P><P>nat (inside) 1 0.0.0.0 0.0.0.0</P><P>nat (Admin2) 0 access-list nonat-employee</P><P>nat (Admin2) 1 0.0.0.0 0.0.0.0</P><P>nat (VLAN60) 0 access-list nonat-management</P><P>nat (VLAN60) 1 172.31.0.0 255.255.0.0</P><P>static (admin,outside) x.x.227.0 x.x.227.0 netmask 255.255.255.0</P><P>static (admin,inside) x.x.227.10 x.x.227.10 netmask 255.255.255.255</P><P>static (admin,inside) x.x.227.9 x.x.227.9 netmask 255.255.255.255</P><P>static (admin,inside) x.x.227.221 x.x.227.221 netmask 255.255.255.255</P><P>static (admin,inside) x.x.227.17 x.x.227.17 netmask 255.255.255.255</P><P>static (admin,inside) x.x.227.55 x.x.227.55 netmask 255.255.255.255</P><P>static (admin,inside) x.x.227.11 x.x.227.11 netmask 255.255.255.255</P><P>static (admin,inside) x.x.227.134 x.x.227.134 netmask 255.255.255.255</P><P>static (admin,inside) x.x.227.160 x.x.227.160 netmask 255.255.255.255</P><P>static (admin,inside) x.x.227.169 x.x.227.169 netmask 255.255.255.255</P><P>static (admin,inside) x.x.227.148 x.x.227.148 netmask 255.255.255.255</P><P>static (admin,inside) x.x.227.40 x.x.227.40 netmask 255.255.255.255</P><P>static (admin,inside) x.x.227.91 x.x.227.91 netmask 255.255.255.255</P><P>static (admin,inside) x.x.227.19 x.x.227.19 netmask 255.255.255.255</P><P>static (admin,inside) x.x.227.220 x.x.227.220 netmask 255.255.255.255</P><P>static (admin,inside) x.x.227.222 x.x.227.222 netmask 255.255.255.255</P><P>static (admin,inside) x.x.227.223 x.x.227.223 netmask 255.255.255.255</P><P>static (admin,inside) x.x.227.225 x.x.227.225 netmask 255.255.255.255</P><P>static (admin,inside) x.x.227.253 x.x.227.253 netmask 255.255.255.255</P><P>static (admin,inside) x.x.227.45 x.x.227.45 netmask 255.255.255.255</P><P>static (admin,inside) x.x.227.46 x.x.227.46 netmask 255.255.255.255</P><P>static (admin,inside) x.x.227.47 x.x.227.47 netmask 255.255.255.255</P><P>static (admin,inside) x.x.227.48 x.x.227.48 netmask 255.255.255.255</P><P>static (admin,inside) x.x.227.49 x.x.227.49 netmask 255.255.255.255</P><P>static (admin,inside) x.x.227.50 x.x.227.50 netmask 255.255.255.255</P><P>static (admin,inside) x.x.227.51 x.x.227.51 netmask 255.255.255.255</P><P>static (admin,inside) x.x.227.52 x.x.227.52 netmask 255.255.255.255</P><P>static (admin,inside) x.x.227.53 x.x.227.53 netmask 255.255.255.255</P><P>static (admin,inside) x.x.227.54 x.x.227.54 netmask 255.255.255.255</P><P>static (admin,inside) x.x.227.56 x.x.227.56 netmask 255.255.255.255</P><P>static (admin,inside) x.x.227.57 x.x.227.57 netmask 255.255.255.255</P><P>static (admin,inside) x.x.227.58 x.x.227.58 netmask 255.255.255.255</P><P>static (admin,inside) x.x.227.59 x.x.227.59 netmask 255.255.255.255</P><P>static (admin,inside) x.x.227.60 x.x.227.60 netmask 255.255.255.255</P><P>static (admin,inside) x.x.227.61 x.x.227.61 netmask 255.255.255.255</P><P>static (admin,inside) x.x.227.62 x.x.227.62 netmask 255.255.255.255</P><P>static (admin,inside) x.x.227.63 x.x.227.63 netmask 255.255.255.255</P><P>static (admin,inside) x.x.227.64 x.x.227.64 netmask 255.255.255.255</P><P>static (admin,inside) x.x.227.65 x.x.227.65 netmask 255.255.255.255</P><P>static (admin,inside) x.x.227.12 x.x.227.12 netmask 255.255.255.255</P><P>static (admin,inside) x.x.227.13 x.x.227.13 netmask 255.255.255.255</P><P>static (admin,inside) x.x.227.8 x.x.227.8 netmask 255.255.255.255</P><P>static (admin,inside) x.x.227.130 x.x.227.130 netmask 255.255.255.255</P><P>static (admin,inside) x.x.227.29 x.x.227.29 netmask 255.255.255.255</P><P>static (admin,inside) x.x.227.215 x.x.227.215 netmask 255.255.255.255</P><P>static (admin,inside) x.x.227.224 x.x.227.224 netmask 255.255.255.255</P><P>static (admin,inside) x.x.246.112 x.x.246.112 netmask 255.255.255.255</P><P>static (admin,inside) x.x.227.195 x.x.227.195 netmask 255.255.255.255</P><P>static (admin,inside) x.x.227.153 x.x.227.153 netmask 255.255.255.255</P><P>static (admin,inside) x.x.227.214 x.x.227.214 netmask 255.255.255.255</P><P>static (admin,inside) x.x.227.7 x.x.227.7 netmask 255.255.255.255</P><P>static (admin,inside) x.x.227.179 x.x.227.179 netmask 255.255.255.255</P><P>static (admin,inside) 10.0.2.2 10.0.2.2 netmask 255.255.255.255</P><P>static (admin,inside) x.x.227.98 x.x.227.98 netmask 255.255.255.255</P><P>static (admin,inside) x.x.227.140 x.x.227.140 netmask 255.255.255.255</P><P>static (admin,inside) x.x.246.214 x.x.246.214 netmask 255.255.255.255</P><P>static (admin,inside) x.x.227.90 x.x.227.90 netmask 255.255.255.255</P><P>static (admin,inside) x.x.227.101 x.x.227.101 netmask 255.255.255.255</P><P>static (admin,inside) x.x.244.49 x.x.244.49 netmask 255.255.255.255</P><P>static (admin,inside) x.x.227.22 x.x.227.22 netmask 255.255.255.255</P><P>static (admin,inside) x.x.244.51 x.x.244.51 netmask 255.255.255.255</P><P>static (admin,inside) x.x.227.37 x.x.227.37 netmask 255.255.255.255</P><P>static (admin,inside) x.x.227.178 x.x.227.178 netmask 255.255.255.255</P><P>static (admin,inside) x.x.224.111 x.x.226.111 netmask 255.255.255.255</P><P>static (admin,inside) x.x.246.44 x.x.246.44 netmask 255.255.255.255</P><P>static (admin,inside) x.x.227.174 x.x.227.174 netmask 255.255.255.255</P><P>static (admin,inside) x.x.246.33 x.x.246.33 netmask 255.255.255.255</P><P>static (admin,inside) x.x.246.111 x.x.246.111 netmask 255.255.255.255</P><P>static (admin,inside) x.x.227.121 x.x.227.121 netmask 255.255.255.255</P><P>static (admin,inside) x.x.227.154 x.x.227.154 netmask 255.255.255.255</P><P>static (admin,inside) x.x.227.41 x.x.227.41 netmask 255.255.255.255</P><P>static (admin,inside) x.x.246.59 x.x.246.59 netmask 255.255.255.255</P><P>static (admin,inside) x.x.227.217 x.x.227.217 netmask 255.255.255.255</P><P>static (admin,inside) x.x.227.156 x.x.227.156 netmask 255.255.255.255</P><P>static (admin,inside) x.x.246.66 x.x.246.66 netmask 255.255.255.255</P><P>static (admin,inside) x.x.227.30 x.x.227.30 netmask 255.255.255.255</P><P>access-group outside_inbound in interface outside</P><P>access-group check-ftp in interface admin</P><P>access-group employee_inbound in interface inside</P><P>access-group VLAN60_access in interface VLAN60</P><P>route outside 0.0.0.0 0.0.0.0 x.x.244.51 1</P><P>bunch of stuff about telnet, http, blah blah...</P><P>console timeout 0</P><P>management-access outside</P><P>!</P><P>class-map inspection_default</P><P> match default-inspection-traffic</P><P>class-map csc</P><P> match access-list csc</P><P>!</P><P>!</P><P>policy-map global_policy</P><P> class inspection_default</P><P>&nbsp; inspect dns</P><P>&nbsp; inspect ftp</P><P>&nbsp; inspect h323 h225</P><P>&nbsp; inspect h323 ras</P><P>&nbsp; inspect rsh</P><P>&nbsp; inspect rtsp</P><P>&nbsp; inspect esmtp</P><P>&nbsp; inspect sqlnet</P><P>&nbsp; inspect skinny</P><P>&nbsp; inspect sunrpc</P><P>&nbsp; inspect xdmcp</P><P>&nbsp; inspect sip</P><P>&nbsp; inspect netbios</P><P>&nbsp; inspect tftp</P><P>&nbsp; inspect http</P><P>&nbsp; inspect ils</P><P> class csc</P><P>&nbsp; csc fail-open</P><P>!</P><P>service-policy global_policy global</P><P>prompt hostname context</P><P>Cryptochecksum:7072c6d2d3de5da86a940965d975df79</P></BODY></HTML> Thu, 15 Sep 2011 10:50:31 GMT https://community.cisco.com/t5/network-security/cannot-get-packets-from-nat-ed-int-to-internet/m-p/1799502#M531941 gregdzurinda 2011-09-15T10:50:31Z Cannot get packets from NAT'ed int to Internet! https://community.cisco.com/t5/network-security/cannot-get-packets-from-nat-ed-int-to-internet/m-p/1799503#M531942 <HTML><HEAD></HEAD><BODY><P>What is the ASA g0/1 connected to? I assume it is a trunk port and vlan 60 is allowed through the trunk port? Also what is the native vlan configured on the switch for that trunk port?</P><P>It is also not recommended to mix physical and subinterface settings on 1 interface as configured.</P><P>I would suggest that you move the current physical interface settings on g0/1, to a subinterface and leave the physical interface settings unconfigured.</P><P></P><P>Also, your last config doesn't seem to have "inspect icmp" enabled.</P></BODY></HTML> Thu, 15 Sep 2011 22:22:42 GMT https://community.cisco.com/t5/network-security/cannot-get-packets-from-nat-ed-int-to-internet/m-p/1799503#M531942 Jennifer Halim 2011-09-15T22:22:42Z Cannot get packets from NAT'ed int to Internet! https://community.cisco.com/t5/network-security/cannot-get-packets-from-nat-ed-int-to-internet/m-p/1799504#M531943 <HTML><HEAD></HEAD><BODY><P> Sorry about that- somehow I missed that line in the "scrubbing." It is in the configs though- I verified it. It is most certainly a trunk port to which the firewall is conected (Cisco 4507), but I don't recall if the native VLAN is 60.</P><P>I know about that physical and sub-interface best practice. I have been told though, that this can be done. Also, you may remember, I was working at getting the mgmt interface up for this, and never could make it happen. Seems to be a common theme- something I am missing in the configs to allow the return packets on any int I try to get up! <SPAN __jive_emoticon_name="sad" __jive_macro_name="emoticon" class="jive_macro jive_emote" src="https://community.cisco.com/4.5.4/images/emoticons/sad.gif"></SPAN></P></BODY></HTML> Fri, 16 Sep 2011 00:37:02 GMT https://community.cisco.com/t5/network-security/cannot-get-packets-from-nat-ed-int-to-internet/m-p/1799504#M531943 gregdzurinda 2011-09-16T00:37:02Z Cannot get packets from NAT'ed int to Internet! https://community.cisco.com/t5/network-security/cannot-get-packets-from-nat-ed-int-to-internet/m-p/1799505#M531944 <HTML><HEAD></HEAD><BODY><P>Can you please share the output of packet tracer that you perform. That would give an indication if ASA is dropping anything.</P></BODY></HTML> Fri, 16 Sep 2011 00:43:50 GMT https://community.cisco.com/t5/network-security/cannot-get-packets-from-nat-ed-int-to-internet/m-p/1799505#M531944 Jennifer Halim 2011-09-16T00:43:50Z