Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
765
Views
0
Helpful
6
Replies

ASA Routing/NAT problem

Chewbakka1
Level 1
Level 1

‎03-02-2017 07:50 AM - edited ‎03-12-2019 02:00 AM

Hi,

I have an ASA running 9.7 which has a public ip (222.222.222.222) assigned to its outside interface and a default gw pointing to the first address in the 222.222.222 -network.

I then route another subnet (123.123.123.192/26) to the ASA's outside address.

When i try to perform dynamic nat (PAT) for one of the  inside interfaces to one of the public ip's in the 123.123.123.192/27 range, no traffic is passed, even though i can see the states being created and ARP entries in the router. 

The 'permit arp not-connected' feature is turned on.

When changing the object nat to the outside ip 222.222.222.222, traffic flows without any problem.

Any idea why this is?

Labels:
0 Helpful
6 Replies 6

Hassan Chalabi
Level 1
Level 1

‎03-02-2017 09:03 AM

subnet (123.123.123.192/26) is public IP? is it known to your ISP?

0 Helpful

Chewbakka1
Level 1
Level 1
In response to Hassan Chalabi

‎03-02-2017 09:51 AM

Yes.

0 Helpful

Hassan Chalabi
Level 1
Level 1
In response to Chewbakka1

‎03-02-2017 10:04 AM

check the gateway of 123.123.123.192/26 if it is reachable, I am assuming this is a secondary subnet from the ISP that comes from the same interface of the edge router to the outside interface of the FW.

0 Helpful

Chewbakka1
Level 1
Level 1
In response to Hassan Chalabi

‎03-02-2017 11:57 AM

The gateway of 123.123.123.192/26 is reachable. And yes, the subnet comes in on the same (outside) interface to the ASA.

0 Helpful

Hassan Chalabi
Level 1
Level 1
In response to Chewbakka1

‎03-02-2017 12:02 PM

can you post packet tracer output?

run one from an inside ip icmp to 8.8.8.8 after you NAT to the secondary subnet.

something like:

ASA#packet-tracer input inside icmp 10.0.0.1 0 0 8.8.8.8

0 Helpful

Chewbakka1
Level 1
Level 1
In response to Hassan Chalabi

‎03-02-2017 12:48 PM

Interface names and public ip's have been changed to obscure the original customer

packet-tracer input inside icmp <inside-ip> 0 0 8.8.8.8

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 222.222.222.1 using egress ifc Outside

Phase: 3
Type: NAT
Subtype:
Result: ALLOW
Config:
object network INSIDE-OUTSIDE-NAT
 nat (INSIDE-INTERFACE,OUTSIDE) dynamic
Additional Information:

Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Result:
input-interface: <Inside-interface>
input-status: up
input-line-status: up
output-interface: Outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (nat-xlate-failed) NAT failed

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card