04-01-2009 10:03 AM - edited 03-11-2019 08:13 AM
Reposting in a new thread since the old one seems to have died...
I'm migrating from a PIX 515 to an ASA 5520. The config was created using the PIX to ASA migration tool. The ASDM Packet Tracer shows outbound traffic failing due to NAT.
Config
nat (inside) 1 0.0.0.0 0.0.0.0
match ip inside any outside any
dynamic translation to pool 1 (199.216.81.20)
translate_hits = 971, untranslate_hits = 74
The old PIX config:
global (outside) 1 199.216.81.20
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
The new ASA config:
global (outside) 1 199.216.81.20 netmask 255.255.255.255
nat (inside) 1 0.0.0.0 0.0.0.0
Any thoughts on why it might be failing?
Rob
04-01-2009 10:10 AM
Try taking the netmask off of the global config. If your outside address is the one that you want to nat to, you can just put interface:
global (outside) 1 interface
nat (inside) 1 0 0
HTH,
John
04-01-2009 10:48 AM
04-01-2009 10:52 AM
In your screenshot it says that "flow is denied by configured rule." Do you have any acls on the inside interface?
04-01-2009 11:11 AM
Robert,
what about this?
!
no global (outside) 1 199.216.81.20 netmask 255.255.255.255
global (outside) 1 199.216.81.20 netmask
Toshi
04-01-2009 11:54 AM
Tried it. Same results.
04-01-2009 12:05 PM
Robert,
Please provide us with the configuration on the ASA.
Toshi
04-01-2009 11:17 AM
No, no ACL on the inside interface, just the two implicit rules that are there by default: permit all traffic to a less secure interface (in this case inside is 100 by default and outside is 0, so all traffic should pass) and the implicit deny any any.
04-01-2009 12:05 PM
Robert
Not familiar with ASDM but -
1) Can you try to access the Internet from an internal client?
2) If you have tried this, what is the result?
3) Do you have the correct routing set up?
Perhaps you could post config with description of IP addresses ie. src/destination etc..
Jon
04-01-2009 12:38 PM
Jon,
1) No internet access, page cannot be displayed. Can't ping from a client either.
3) Yes. All physical and logical connections are the same. I've even spoofed the MAC addresses of the PIX on the ASA interfaces.
When monitoring the ASA, there's plenty of traffic coming IN, so the ACL I have on that interface seems to be working. However there is absolutely zero traffic going out the outside interface.
I'm about ready to ship this thing back to Cisco.
Posting a config.
04-01-2009 12:46 PM
Robert,
I just want to know where the default route is. (Go fix it)
"I'm about ready to ship this thing back to Cisco. " Guys , Don't give up.(grin)
HTH,
Toshi
04-01-2009 01:06 PM
Robert
You don't have a default route so the ASA doesn't know where to send packets. So you need to add
route (outside) 0.0.0.0 0.0.0.0
where next-hop IP is the ISP router address. It will be out of the 199.216.81.0/24 subnet.
Jon
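As an added example (not code from this thread, the poster's config, or Cisco), here is a small Python check that reads a pre-8.3 PIX/ASA-style config and reports the two things this thread turned on: a nat ID that has no matching global on another interface, and a missing default route. The sample config, the regexes and the function names are my own assumptions; the parser only understands the handful of statements it needs (nameif, security-level, nat, global, route).

```python
import re

# Constructed sample config for this example, not the poster's actual config.
# It reuses the interface names, pool address and gateway mentioned in the thread.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 nameif outside
 security-level 0
interface GigabitEthernet0/1
 nameif inside
 security-level 100
global (outside) 1 199.216.81.20
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 199.216.81.1 1
"""

# Pre-8.3 syntax: nat (ifc) id net mask / global (ifc) id pool / route ifc net mask gw
NAT_RE = re.compile(r"^nat \((\S+)\) (\d+) (\S+) (\S+)")
GLOBAL_RE = re.compile(r"^global \((\S+)\) (\d+) (\S+)")
ROUTE_RE = re.compile(r"^route (\S+) (\S+) (\S+) (\S+)")


def parse_config(text):
    """Collect nat, global and route statements plus each interface's security level."""
    nats, globals_, routes, seclevels = [], [], [], {}
    current_nameif = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("nameif "):
            current_nameif = line.split()[1]
        elif line.startswith("security-level ") and current_nameif:
            seclevels[current_nameif] = int(line.split()[1])
        elif m := NAT_RE.match(line):
            ifc, nat_id, net, mask = m.groups()
            nats.append((ifc, int(nat_id), net, mask))
        elif m := GLOBAL_RE.match(line):
            ifc, nat_id, pool = m.groups()
            globals_.append((ifc, int(nat_id), pool))
        elif m := ROUTE_RE.match(line):
            ifc, net, mask, gw = m.groups()
            routes.append((ifc, net, mask, gw))
    return {"nat": nats, "global": globals_, "route": routes, "security": seclevels}


def check_config(text):
    """Return a list of findings; an empty list means both checks passed."""
    cfg = parse_config(text)
    findings = []

    # A dynamic nat needs a global with the same ID on some other (lower-security)
    # interface. nat 0 is identity/exempt NAT and needs no global.
    global_ids = {(ifc, gid) for ifc, gid, _ in cfg["global"]}
    for ifc, nat_id, _net, _mask in cfg["nat"]:
        if nat_id == 0:
            continue
        partners = [g for g, gid in global_ids if gid == nat_id and g != ifc]
        if not partners:
            findings.append(f"nat ({ifc}) {nat_id} has no global with id {nat_id} on another interface")

    # Without a default route the box has nowhere to send translated Internet traffic.
    if not any(net == "0.0.0.0" and mask == "0.0.0.0" for _, net, mask, _ in cfg["route"]):
        findings.append("no default route: add 'route <outside-ifc> 0.0.0.0 0.0.0.0 <next-hop>'")

    return findings


if __name__ == "__main__":
    for finding in check_config(SAMPLE_CONFIG) or ["config looks OK"]:
        print(finding)
```

Run it against the real `show running-config` output by replacing `SAMPLE_CONFIG` with the file contents; it is deliberately limited to the nat/global pairing and default-route checks and does not model ACLs or the packet-tracer flow.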
04-01-2009 01:49 PM
Jon,
Sorry in my haste (and frustration) I posted an incomplete config. The default route (and some other static routes) are there. I'm uploading the correct output.
I'm actually getting a "Network Timeout" when trying to browse from a client machine. Traffic looks like it's leaving but maybe not coming back?
With the PIX in place I can ping that default route - 199.216.81.1 - however with the ASA in place I cannot - although I suspect that might just be ICMP traffic being denied.
04-01-2009 01:54 PM
Robert
No problem. Can you specify the source IP address you are pinging from and the destination IP address you are pinging to ?
Thanks
Jon
04-01-2009 01:56 PM
Jon,
I was pinging from 172.16.130.67 to 199.216.81.1 (the default route).
Also tried pinging google - 74.125.127.99 - same source IP.
Ever see Office Space? This ASA is looking more and more like the fax machine from that movie... :)