
5506 1-to-1 NATing doesn't work when internal host is on a sub-interface

Dean Romanelli
Level 4

The below does not work. Can't even ping the public address (.196).  But if I change the test to make the source of the internal IP of the PBX an IP on vlan 1 (192.168.7.x) which is not sub-interfaced, I have no problems.  Is this a 5506 bug or am I doing something wrong? 

 

interface GigabitEthernet1/1
 nameif outside
 security-level 0
 ip address 170.xx.xx.197 255.255.255.248
!
interface GigabitEthernet1/3
 description To_HP_V1910-48G_Switch
 nameif inside
 security-level 100
 ip address 192.168.7.254 255.255.255.0
!
interface GigabitEthernet1/3.3
 vlan 3
 nameif VOIP
 security-level 100
 ip address 192.168.9.1 255.255.255.0
!
object network Avaya_IP_PBX-PRI
 host 192.168.9.11
!
object network Avaya_IP_PBX-PRI
 nat (VOIP,outside) static 170.xx.xx.196

3 Replies

Rahul Govindan
VIP Alumni

I am assuming that the connection between the ASA and switch on G1/3 is a trunk on the switch side. Are you tagging the traffic with vlan 3 on this trunk? Looks like untagged traffic (vlan1) is working fine so the port may be configured incorrectly on the switch. 

So the interesting thing I probably should have mentioned with this is that once the NAT is in place, the SIP traffic flows fine. It is the RTP UDP traffic that fails.  So although the PBX cannot be accessed on the internet from a ping standpoint, it is at least talking on TCP, which is odd. 

I believe the issue is unidirectional traffic.  I will have them check the switchport configs.  Thank you. 
