07-12-2011 10:48 AM - edited 03-11-2019 01:57 PM
We recently upgraded our ASA to 8.3. Most everything went OK, but I am having problems with outgoing NAT. It seems that one of our systems that needs to be NATted to an outside IP address when connecting out is not doing it. When that system goes out, the IP address is our internet IP and not the NATted address; however, inbound everything works.
We have one rule that does PAT
nat (INSIDE,OUTSIDE) source dynamic OG_IP_NAT_DMZ obj-1.1.1.1
This is the NAT statement that should be translating the addresses:
object network obj-10.200.0.10
 nat (INSIDE,OUTSIDE) static 2.2.2.2
I think I need to double NAT. Is that right? If so, how?
07-12-2011 11:03 AM
Hey Moises,
Could you please provide a copy of your config, the nat statement that you have provided:
nat (INSIDE,OUTSIDE) source dynamic OG_IP_NAT_DMZ obj-1.1.1.1
looks perfect to me. All the users in the object OG_IP_NAT_DMZ would be dynamically NATted to obj-1.1.1.1; just make sure you have the right hosts under these objects. Do:
show run object | begin OG_IP_NAT_DMZ and show run object | begin obj-1.1.1.1
The second NAT statement is a one-to-one mapping; mostly, if anyone wants to access the 10.200.0.10 IP they would do it on 2.2.2.2,
so I guess you should be able to access the internet. If you can provide a config, it would get easier to troubleshoot.
Hope this helps
Thanks,
Varun
07-12-2011 11:47 AM
Thanks for your reply!
I have advanced this issue a bit more. The problem is definitely NAT. Our SIP provider states that we cannot connect because the IP address that they are expecting is incorrect. Instead of coming out the static NATted address, they are coming out as our outside web address.
At this time we are trying double NAT and it's like this:
nat (INSIDE,OUTSIDE) source static obj-10.200.0.10 obj-ccm-translated destination static obj_any obj_any
(obj-ccm-translated is the actual outside IP x.x.x.x)
We had other issues with NAT statements today and most were resolved doing the above; however,
not this issue. When I run packet tracer it shows its translation address.
This is the output from the sh nat command:
HoTasa# sh nat 10.200.0.10
Manual NAT Policies (Section 1)
2 (INSIDE) to (OUTSIDE) source static obj-10.200.0.10 obj-ccm-translated destination static obj_any obj_any
translate_hits = 21, untranslate_hits = 170
Auto NAT Policies (Section 2)
12 (INSIDE) to (OUTSIDE) source static obj-10.200.0.10 x.x.x.x
translate_hits = 0, untranslate_hits = 145
Any help would be appreciated, thanks.
07-12-2011 11:56 AM
If I understand the issue correctly, you should be falling into this NAT:
object network obj-10.200.0.10
 nat (INSIDE,OUTSIDE) static 2.2.2.2
but the SIP provider sees the request coming from the IP in this NAT:
nat (INSIDE,OUTSIDE) source dynamic OG_IP_NAT_DMZ obj-1.1.1.1
am I right????
If this is the case then it is nothing but this rule taking precedence over the static one-to-one.
What I would suggest is, try removing the static one-to-one NAT and add the following:
object network obj-2.2.2.2
host 2.2.2.2
nat (inside,outside) 1 source static obj-10.200.0.10 obj-2.2.2.2
and you should see this working after it.
Hope this helps
Thanks,
Varun
07-12-2011 12:15 PM
Yes, you are correct. Let me give it a shot, thanks!
07-12-2011 12:27 PM
Sure, let me know how it goes.
07-12-2011 12:33 PM
Unfortunately that did not work. Although, that config is what I thought would work too. I did remove the 1-to-1 NAT too.
1 (INSIDE) to (OUTSIDE) source static obj-10.200.0.10 obj-OUTSIDEIP
translate_hits = 1, untranslate_hits = 36
1 (INSIDE) to (OUTSIDE) source static obj-10.200.0.10 obj-OUTSIDEIP
translate_hits = 5, untranslate_hits = 118
Source - Origin: 10.200.0.10/32, Translated: X.X.X.X/32
07-12-2011 12:38 PM
Can you do this:
check the xlate for 10.200.0.10 by using "show xlate | in 10.200.0.10" and then try doing:
clear local-host 10.200.0.10
and then try again.
If it doesn't work, try taking a packet-tracer:
packet-tracer input inside tcp 10.200.0.10 2345 1.1.1.1 5160 detailed
provide me the output.
Thanks,
Varun
07-12-2011 12:47 PM
That did it. Clearing out the local host and your config fixed the issue. Thanks a bunch!
07-12-2011 12:49 PM
Heyyyy, that's good..... it brought a bit of stubbornness in me to get it resolved... :) All the best and thanks for the rating.
Varun