NAT problems

denilson.mota
Level 1

Hello experts,


I have two ASA 5545X in active-standby and I have an object-group NATted to the outside interface. Inside the object-group I have one host; for some time the host was able to browse the internet but now it is not working. The trace from the remote PC finishes on the FW. I have the access-list allowing that object-group to any IP.

Can anyone please help me figure out what can be happening and why this host can't browse the internet?


Many thanks,

12 Replies

Jaderson Pessoa
VIP Alumni
Hello,

Could you share the asa configuration?
Jaderson Pessoa
*** Rate All Helpful Responses ***

Hello Jaderson,


Find the configuration details on the attached picture:

I made a traceroute from the host PC and the last hop is the FW interface.

Well, I think that your NAT configuration is wrong.

try it:

object-group network OBJ-G
network-object host 1.1.1.1
network-object host 2.2.2.2
network-object 192.168.0.0 255.255.255.0
nat (inside,outside) source dynamic OBJ-G interface
Jaderson Pessoa

First I have this NAT:

nat (Customs,Outside) source static RemoteGroup_Internet-Access interface


Then I remove and I create this NAT:

nat (Customs,Outside) source dynamic RemoteGroup_Internet-Access interface


The Customs interface is the interface where the host and remote group are configured, and it is still not working.


I would suggest running a Packet Tracer from the Firewall to see if it is actually blocking the traffic and why.  

Well,

try it:
1. Check packet-tracer in the firewall.
2. Check if the end device can resolve names (ping 8.8.8.8) or (ping www.google.com), for example;
3. Check if this "RemoteGroup_Internet-Access" has your end device.

Regards
Jaderson Pessoa

Find attached the output for all tests. The result of packet tracer is allowed and no block.

The end host is inserted into the object-group.

The object has NAT and the ACL permits it.

Well,

Could you share a simple drawing of your topology? Is this firewall working as your router to the other networks, or is there an L3 device?

Is there any other NAT configuration to this address?
Jaderson Pessoa
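A small checker for steps 3 above and for the "any other NAT configuration to this address?" question, added here as an example and not code from the thread: it parses an ASA config fragment, lists every NAT rule whose source object covers a given host, and notes the order in which they match. The config fragment is constructed for this example using the thread's object names with placeholder addresses.

```python
import ipaddress
import re

# Constructed ASA config fragment modelled on the thread. Object names come from
# the thread; the addresses are placeholders invented for this example.
ASA_CONFIG = """\
object network Maputo_Mcnet_APN
 host 10.10.20.5
object-group network RemoteGroup_Internet-Access
 network-object host 10.10.20.5
 network-object 10.10.30.0 255.255.255.0
nat (Customs,Outside) source static RemoteGroup_Internet-Access interface
nat (Customs,Outside) source dynamic Maputo_Mcnet_APN interface
"""

NAT_RE = re.compile(r"^nat \((\S+),(\S+)\) source (static|dynamic) (\S+) (\S+)")

def parse_config(text):
    """Return ({object name: [networks]}, [twice-NAT rules]) from an ASA fragment."""
    objects, rules, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        fields = line.split()
        if line.startswith(("object network ", "object-group network ")):
            current = fields[-1]          # start collecting members of this object
            objects[current] = []
        elif current and fields and fields[0] in ("host", "subnet", "network-object"):
            if fields[0] == "network-object" and fields[1] == "object":
                continue                  # nested object reference, not used in this fragment
            if fields[0] == "host" or fields[1] == "host":
                net = ipaddress.ip_network(fields[-1])               # single host -> /32
            else:
                net = ipaddress.ip_network(f"{fields[-2]}/{fields[-1]}")  # address + mask
            objects[current].append(net)
        else:
            m = NAT_RE.match(line)
            if m:
                keys = ("real_if", "mapped_if", "mode", "source", "mapped")
                rules.append(dict(zip(keys, m.groups())))
    return objects, rules

def nat_rules_for_host(text, host):
    """Every NAT rule whose source object contains `host`, in configured order."""
    objects, rules = parse_config(text)
    addr = ipaddress.ip_address(host)
    hits = []
    for order, rule in enumerate(rules, 1):
        if any(addr in net for net in objects.get(rule["source"], [])):
            note = ""
            if rule["mode"] == "static" and rule["mapped"] == "interface":
                note = "static to interface; the thread's suggestion was dynamic PAT"
            hits.append({"order": order, **rule, "note": note})
    return hits
```

More than one hit for the same host means the rules overlap and the first one in the list is the one that applies, which is the situation the thread goes on to find.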

Hello Jaderson,

Thank you for your attention on my case. Find the draft of my topology for your reference.


Please also see if the info below is normal behavior when we create a NAT.


NAT.png

No, this is showing us that something already exists with this address. Found what it is: Maputo_Mcnet_APN and ACL number 208.
Jaderson Pessoa

Maputo_Mcnet_APN is the host PC that wants to browse, and ACL 208 is the NAT I created from the host PC to the outside interface. I removed the old NAT from the object-group and created this one for the specific host, but the host PC is still not browsing.
