03-12-2016 03:43 AM - edited 03-12-2019 12:28 AM
Hi,
For a few days I've been trying to create a NAT from my local network (10.0.50.1/24) to the public interface (using the same IP address as the public interface), so what I did is:
myLAB(config)# object network INSIDE-SUBNET
myLAB(config-network-object)# nat (inside,outside) dynamic interface
Unfortunately it's not working. Any idea why?
My ASA configuration:
ASA Version 9.1(7)
!
hostname myLAB
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny tcp any4 any4 eq domain
xlate per-session deny tcp any4 any6 eq domain
xlate per-session deny tcp any6 any4 eq domain
xlate per-session deny tcp any6 any6 eq domain
names
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
shutdown
!
interface Ethernet0/3
shutdown
!
interface Ethernet0/4
shutdown
!
interface Ethernet0/5
shutdown
!
interface Ethernet0/6
shutdown
!
interface Ethernet0/7
shutdown
!
interface Vlan1
nameif inside
security-level 100
ip address 10.0.50.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 11.21.31.2 255.255.255.0
!
ftp mode passive
pager lines 24
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
route outside 0.0.0.0 0.0.0.0 xxx.x.x.x.x
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
no snmp-server location
no snmp-server contact
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh stricthostkeycheck
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
threat-detection basic-threat
threat-detection statistic access-list
no threat-detection statistics tcp-intercept
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns
inspect ftp
inspect sip
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
: end
03-13-2016 12:55 AM
Hi,
To enable ping responses on the test PC enable ICMP inspection on the ASA.
fixup protocol
And can you share the show run nat config of your
Regards,
Aditya
Please rate helpful posts.
03-13-2016 07:00 AM
Hi,
Can you please try from any other device in the same subnet as the inside interface to see whether it is able to reach the internet or not?
Also check the routing table of that server (it might have a persistent default route pointing to some other IP than the ASA inside interface).
Also remove any other nat created earlier for this traffic to work and add the below one:
object network obj-10.0.50.0
subnet 10.0.50.0 255.255.255.0
nat (inside,outside) dynamic interface
If you are using the same switch to connect eth0/0 and eth0/1, then make sure that eth0/0 and the ISP modem are in VLAN 2 and eth0/1 and the server are in VLAN 1.
Perform a packet-tracer and paste the output here if that doesn't work:
packet-tracer input inside tcp 10.0.50.50 12345 8.8.8.8 80 detail
Hope it helps.
Regards,
Akshay Rastogi
Remember to rate helpful posts.
03-12-2016 04:04 AM
Hi Mat,
Config seems fine.
Could you share the output of
What traffic are you
packet-tracer input inside
Regards,
Aditya
Please rate helpful posts
03-12-2016 04:55 AM
I'm getting:
myLAB# packet-tracer input inside tcp 10.0.50.2 6767 4.2.2.2 80 detailed
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0
Phase: 2
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xcbe0f6f0, priority=1, domain=nat-per-session, deny=true
hits=513, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=any, output_ifc=any
Phase: 3
Type: IP-OPTION
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xcc0a9c48, priority=0, domain=inspect-ip-options, deny=true
hits=12, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=inside, output_ifc=any
Phase: 4
Type: HOST-LIMIT
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xcc0f6480, priority=0, domain=host-limit, deny=false
hits=8, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=inside, output_ifc=any
Phase: 5
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xcbe0f6f0, priority=1, domain=nat-per-session, deny=true
hits=515, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=any, output_ifc=any
Phase: 6
Type: IP-OPTION
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xcc0e85d0, priority=0, domain=inspect-ip-options, deny=true
hits=140, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=outside, output_ifc=any
Phase: 7
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 149, packet dispatched to next module
Module information for forward flow ...
snp_pf_tracer_drop
snp_pf_inspect_ip_options
snp_pf_tcp_normalizer
snp_pf_translate
snp_pf_adjacency
snp_pf_fragment
snp_pf_stat
Module information for reverse flow ...
snp_pf_tracer_drop
snp_pf_inspect_ip_options
snp_pf_translate
snp_pf_tcp_normalizer
snp_pf_adjacency
snp_pf_fragment
snp_pf_stat
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow
03-12-2016 05:07 AM
Hi,
I do not see NAT statement being hit in the packet tracer.
Could you try creating a manual NAT statement and then
nat (inside,outside) 1 source dynamic INSIDE-SUBNET interface
Regards,
Aditya
Please rate helpful posts.
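The check Aditya applies by eye here (a trace can end in "Action: allow" while no configured NAT rule was ever matched) can be automated. This is an added example, not code from the thread or from Cisco; the two trace strings are constructed to mirror the shape of the output above.

```python
from typing import Dict, List

# Constructed excerpt in the shape of the thread's packet-tracer output (not
# the real one): the only NAT phase is the per-session housekeeping check.
NO_NAT_TRACE = """\
Phase: 1
Type: ROUTE-LOOKUP
Result: ALLOW
Phase: 2
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Result:
Action: allow
"""

# Constructed excerpt of the phase that appears once an object NAT rule matches.
NAT_HIT_TRACE = """\
Phase: 3
Type: NAT
Subtype:
Result: ALLOW
Config:
object network obj-10.0.50.0
 nat (inside,outside) dynamic interface
Result:
Action: allow
"""

def parse_phases(trace: str) -> List[Dict[str, str]]:
    """Per-phase field maps; the trailing 'Result:' block is not a phase."""
    phases: List[Dict[str, str]] = []
    current = None
    for line in trace.splitlines():
        if line.startswith("Phase:"):
            current = {}
            phases.append(current)
        elif line == "Result:":
            current = None  # interfaces and Action follow; skip them
        elif current is not None:
            key, sep, value = line.partition(":")
            if sep and key in ("Type", "Subtype", "Result", "Config"):
                current[key] = value.strip()
    return phases

def nat_rule_hit(trace: str) -> bool:
    """True only if a NAT phase other than 'per-session' appeared, meaning a
    configured nat statement translated the packet; 'Action: allow' alone
    says nothing about that."""
    return any(p.get("Type") == "NAT" and p.get("Subtype") != "per-session"
               for p in parse_phases(trace))
```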
03-12-2016 05:28 AM
Now I'm getting:
ERROR: empty object/object-group(s) detected. NAT Policy is not downloaded.
So what I did then is:
object network inside
subnet 10.0.50.0 255.255.255.0
nat (inside,outside) 1 source dynamic inside interface
but I still can't get any internet access on the 10.0.50.1/24 subnet (on the server connected to port 1).
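The "empty object/object-group(s) detected" error means a NAT rule references a network object that has no subnet/host/range in it, which is easy to miss in a long running-config. The linter below is an added example (not from the thread or from Cisco) that flags such objects; the config it scans is constructed, with INSIDE-SUBNET deliberately left empty the way the original one was.

```python
import re
from typing import Dict, List

# Constructed ASA-style config (not from the thread). INSIDE-SUBNET exists but
# has no subnet, the condition behind "empty object/object-group(s) detected";
# obj-10.0.50.0 is complete and has its own auto NAT; MISSING-OBJ is referenced
# by a manual NAT rule but never defined at all.
SAMPLE_CONFIG = """\
object network INSIDE-SUBNET
object network obj-10.0.50.0
 subnet 10.0.50.0 255.255.255.0
 nat (inside,outside) dynamic interface
nat (inside,outside) 1 source dynamic INSIDE-SUBNET interface
nat (inside,outside) 2 source dynamic MISSING-OBJ interface
!
"""

DEFINERS = ("subnet ", "host ", "range ", "fqdn ")
MANUAL_NAT = re.compile(r"^nat \([^)]*\)(?: \d+)? source (?:static|dynamic) (\S+)")

def parse_objects(config: str) -> Dict[str, dict]:
    """Map each 'object network' to its members and whether it carries an
    auto NAT line; indentation is optional since pasted configs lose it."""
    objects: Dict[str, dict] = {}
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("object network "):
            current = line.split(None, 2)[2]
            objects.setdefault(current, {"members": [], "auto_nat": False})
        elif MANUAL_NAT.match(line) or line == "!" or line.startswith("object-group "):
            current = None  # anything at top level ends the object block
        elif current and line.startswith("nat "):
            objects[current]["auto_nat"] = True
        elif current and line.startswith(DEFINERS):
            objects[current]["members"].append(line)
    return objects

def manual_nat_refs(config: str) -> List[str]:
    """Object names used as the real source of manual (twice) NAT rules."""
    hits = (MANUAL_NAT.match(l.strip()) for l in config.splitlines())
    return [m.group(1) for m in hits if m and m.group(1) != "any"]

def find_empty_nat_objects(config: str) -> List[str]:
    """Objects NAT depends on that are undefined or have no member at all."""
    objects = parse_objects(config)
    bad = {n for n, o in objects.items() if o["auto_nat"] and not o["members"]}
    bad |= {n for n in manual_nat_refs(config)
            if n not in objects or not objects[n]["members"]}
    return sorted(bad)
```

Run it over the output of `show running-config` saved to a file; an empty result means every object a NAT statement relies on actually has a member.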
03-12-2016 02:02 PM
any idea how to fix this issue?
03-12-2016 06:20 PM
Try doing the NAT in section 2 (auto NAT).
object network inside
subnet 10.0.50.0 255.255.255.0
nat (inside,outside) dynamic interface
--
Please remember to select a correct answer and rate helpful posts
03-13-2016 12:38 AM
Still not working :(
It should be so simple, but I have spent a few hours on it and I still can't make it work...
03-12-2016 09:18 PM
Hi,
My bad.
Try this:
object network INSIDE-SUBNET
subnet 10.0.50.0 255.255.255.0
nat (inside,outside) 1 source dynamic inside interface
Regards,
Aditya
Please rate helpful posts.
03-13-2016 12:37 AM
Still nothing :(
Configuration on the server looks good to me + I can ping the firewall:
IP:10.0.50.50
NETMASK:255.255.255.0
GATEWAY:10.0.50.1
Not sure if that will help but I'm using Cisco ASA 5505.
I can access the internet from my firewall without any problem. The problem starts when I'm trying to access the internet from my server on interface 0/1.
03-13-2016 08:51 AM
The fixup command is legacy and the new command is inspect icmp under the global inspection policy... But having said that, I will also add the inspect icmp to the inspection policy. Just saying :-)
Could you run a new packet tracer with the inside server as the source and 4.2.2.2 as destination please.
--
Please remember to select a correct answer and rate helpful posts