1007 Views, 5 Helpful, 20 Replies

ASA 5520 NAT Failing

rcoote5902_2
Level 2

Reposting in a new thread since the old one seems to have died...

I'm migrating from a PIX 515 to an ASA 5520. The config was created using the PIX to ASA migration tool. The ASDM Packet Tracer shows outbound traffic failing due to NAT.

Config:

nat (inside) 1 0.0.0.0 0.0.0.0
  match ip inside any outside any
    dynamic translation to pool 1 (199.216.81.20)
    translate_hits = 971, untranslate_hits = 74

The old PIX config:

global (outside) 1 199.216.81.20

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

The new ASA config:

global (outside) 1 199.216.81.20 netmask 255.255.255.255

nat (inside) 1 0.0.0.0 0.0.0.0

Any thoughts on why it might be failing?

Rob


John Blakley
VIP Alumni

Try taking the netmask off of the global config. If your outside address is the one that you want to NAT to, you can just put interface:

global (outside) 1 interface
nat (inside) 1 0 0

HTH,

John

HTH, John *** Please rate all useful posts ***

Removed the netmask, same issue. The interface IP is not the same as the outside address so I can't use the interface.

Screenshot attached - port 80 trace to google's IP.

In your screenshot it says that "flow is denied by configured rule." Do you have any acls on the inside interface?

HTH, John *** Please rate all useful posts ***

Robert,

what about this?

!
no global (outside) 1 199.216.81.20 netmask 255.255.255.255
global (outside) 1 199.216.81.20 netmask

Toshi

Tried it. Same results.

Robert,

Please provide us with the configuration on the ASA.

Toshi

No - no ACL on the inside interface, just the 2 implicit rules that are there by default - permit all traffic to a less secure interface (in this case inside is 100 by default and outside is 0 so all traffic should pass) and the implicit deny any any.

Robert

Not familiar with ASDM but -

1) Can you try to access the Internet from an internal client?

2) If you have tried this, what is the result?

3) Do you have the correct routing set up?

Perhaps you could post the config with a description of the IP addresses, i.e. source/destination etc.

Jon

Jon,

1) No internet access, page cannot be displayed. Can't ping from a client either.

3) Yes. All physical and logical connections are the same. I've even spoofed the MAC addresses of the PIX on the ASA interfaces.

When monitoring the ASA, there's plenty of traffic coming IN, so the ACL I have on that interface seems to be working. However there is absolutely zero traffic going out the outside interface.

I'm about ready to ship this thing back to Cisco.

Posting a config.

Robert,

I just want to know where the default route is. (Go fix it)

"I'm about ready to ship this thing back to Cisco." Guys, don't give up. (grin)

HTH,

Toshi

Robert

You don't have a default route, so the ASA doesn't know where to send packets. So you need to add

route outside 0.0.0.0 0.0.0.0 <next-hop IP>

where next-hop IP is the ISP router address. It will be out of the 199.216.81.0/24 subnet.

Jon
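The two conditions this thread keeps circling back to, a nat statement whose id has a matching global on the outside interface and a default route whose next hop actually sits on the outside subnet, can be checked against a saved config before cutover rather than discovered from a blank packet-tracer. The script below is an added example and is not code from this thread or from Cisco. It parses the pre-8.3 nat/global syntax shown above; the sample config is constructed from the addresses posted in the thread, and the interface addresses and the route line in it are assumptions, since the thread never showed them.

```python
import ipaddress
import re

# Constructed sample config in the pre-8.3 nat/global style used in the thread.
# Interface addresses and the route line are assumptions for the example.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 199.216.81.2 255.255.255.0
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 172.16.130.1 255.255.255.0
global (outside) 1 199.216.81.20 netmask 255.255.255.255
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 199.216.81.1 1
"""

NAT_RE = re.compile(r"^nat \((\S+)\) (\d+) ")
GLOBAL_RE = re.compile(r"^global \((\S+)\) (\d+) ")
ROUTE_RE = re.compile(r"^route (\S+) 0\.0\.0\.0 0\.0\.0\.0 (\S+)")
IFACE_IP_RE = re.compile(r"^ ip address (\S+) (\S+)")


def parse_config(text):
    """Extract the pieces that decide whether outbound PAT can work:
    nat ids, global ids, default routes and interface subnets keyed by nameif."""
    nat_ids, global_ids, default_routes, iface_nets = set(), set(), [], {}
    current_nameif = None
    for line in text.splitlines():
        if line.startswith("interface "):
            current_nameif = None  # new interface block, nameif not yet seen
        elif line.startswith(" nameif "):
            current_nameif = line.split()[1]
        elif (m := IFACE_IP_RE.match(line)) and current_nameif:
            iface = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}")
            iface_nets[current_nameif] = iface.network
        elif m := NAT_RE.match(line):
            nat_ids.add(int(m.group(2)))
        elif m := GLOBAL_RE.match(line):
            global_ids.add(int(m.group(2)))
        elif m := ROUTE_RE.match(line):
            default_routes.append((m.group(1), m.group(2)))
    return nat_ids, global_ids, default_routes, iface_nets


def check_outbound_nat(text):
    """Return a list of human-readable findings; an empty list means the
    nat/global pairing and the default route look consistent."""
    nat_ids, global_ids, default_routes, iface_nets = parse_config(text)
    findings = []
    for nid in sorted(nat_ids - global_ids):
        if nid != 0:  # nat id 0 is identity/exempt NAT and needs no global
            findings.append(f"nat id {nid} has no matching global statement")
    if not default_routes:
        findings.append("no default route: outbound packets have no next hop")
    for iface, gw in default_routes:
        net = iface_nets.get(iface)
        if net is not None and ipaddress.ip_address(gw) not in net:
            findings.append(
                f"default route next hop {gw} is not on the {iface} subnet {net}"
            )
    return findings


if __name__ == "__main__":
    for finding in check_outbound_nat(SAMPLE_CONFIG) or ["no problems found"]:
        print(finding)
```

On the box itself the same questions are answered by show route, show nat and show xlate, and by packet-tracer input inside tcp 172.16.130.67 12345 74.125.127.99 80, which names the phase (ACL, NAT or route lookup) that drops the flow instead of just reporting the drop.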

Jon,

Sorry in my haste (and frustration) I posted an incomplete config. The default route (and some other static routes) are there. I'm uploading the correct output.

I'm actually getting a "Network Timeout" when trying to browse from a client machine. Traffic looks like it's leaving but maybe not coming back?

With the PIX in place I can ping that default route - 199.216.81.1 - however with the ASA in place I cannot - although I suspect that might just be ICMP traffic being denied.

Robert

No problem. Can you specify the source IP address you are pinging from and the destination IP address you are pinging to ?

Thanks

Jon

Jon,

I was pinging from 172.16.130.67 to 199.216.81.1 (the default route).

Also tried pinging google - 74.125.127.99 - same source IP.

Ever see Office Space? This ASA is looking more and more like the fax machine from that movie... :)
