topic ASA Static NAT in Network Security https://community.cisco.com/t5/network-security/asa-static-nat/m-p/1712893#M534548 <P>Hi,</P><P>I'm having a strange issue and appreciate if anyone have faced simillar issue and got some solution/workaround.</P><P>I have static nat (inside,outside) and allowed all the required ports accessing from outside via ACL applied on outisde interface in direction. firewall nat-control is enabled. when I tried packet tracer i got the attached output. (step 8, nat-exeception - Drop). However when I change the inside ip (which is already having static nat entry with outside, but just for testing) it worked..? I have required routing, gateway for inside server is the firewall inside, no any host routes in the inside server in question.</P><P>The issue I see here is that when ever you used new static entry it does not work..???? has anyone faced simillar problem and can get some idea..? </P><P>Attached file contain the relevant configuraiton and packet tracer output for working and non working IPs (working IP inside is 172.16.1.125 and non working ip is 172.28.1.196).</P><P>thanks</P> Mon, 11 Mar 2019 21:06:06 GMT pemasirid 2019-03-11T21:06:06Z ASA Static NAT https://community.cisco.com/t5/network-security/asa-static-nat/m-p/1712893#M534548 <P>Hi,</P><P>I'm having a strange issue and appreciate if anyone have faced simillar issue and got some solution/workaround.</P><P>I have static nat (inside,outside) and allowed all the required ports accessing from outside via ACL applied on outisde interface in direction. firewall nat-control is enabled. when I tried packet tracer i got the attached output. (step 8, nat-exeception - Drop). However when I change the inside ip (which is already having static nat entry with outside, but just for testing) it worked..? I have required routing, gateway for inside server is the firewall inside, no any host routes in the inside server in question.</P><P>The issue I see here is that when ever you used new static entry it does not work..???? has anyone faced simillar problem and can get some idea..? </P><P>Attached file contain the relevant configuraiton and packet tracer output for working and non working IPs (working IP inside is 172.16.1.125 and non working ip is 172.28.1.196).</P><P>thanks</P> Mon, 11 Mar 2019 21:06:06 GMT https://community.cisco.com/t5/network-security/asa-static-nat/m-p/1712893#M534548 pemasirid 2019-03-11T21:06:06Z ASA Static NAT https://community.cisco.com/t5/network-security/asa-static-nat/m-p/1712894#M534549 <HTML><HEAD></HEAD><BODY><P>Hello,</P><P></P><P>The connection to 172.16.125.25 fails because of the NAT RPF check. This check requires that the forward flow (client -&gt; server) matches the same NAT rules as the reverse flow (server -&gt; client). You should double check your NAT rules and see which ones match for when 172.28.1.196 talks to 172.16.65.48. If you have trouble spotting the overlap, please share a sanitized copy of 'show run nat', 'show run global', and 'show run static'.</P><P></P><P>-Mike</P></BODY></HTML> Fri, 05 Aug 2011 15:25:28 GMT https://community.cisco.com/t5/network-security/asa-static-nat/m-p/1712894#M534549 mirober2 2011-08-05T15:25:28Z