12-23-2014 08:46 AM - edited 03-11-2019 10:15 PM
For the life of me, I can't figure out what is causing my NAT problem. I ran a packet trace from 10.0.0.1 to 8.8.8.8 and received "(nat-xlate-failed)NAT failed" message. All I'm trying to do is to allow any host from 10.1.1.5 subnet to go out to the Internet 69.33.71.145, and if this connection fails, then go to the router 10.1.1.1 so I can go out to the Internet via 63.156.144.5.
I know the answer is probably glaring at me, but any help will be greatly appreciated. TIA.
ASA Version 9.0(3)
!
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
!
name 10.0.0.0 Internal
name 63.156.144.0 Lab-Inet1 description ATT Internet Connection
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
switchport access vlan 10
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
ip address 10.1.1.5 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 69.33.71.146 255.255.255.248
!
interface Vlan10
description Guest Network
no nameif
security-level 50
ip address 10.3.3.5 255.255.255.0
!
dns server-group DefaultDNS
name-server 10.1.1.31
domain-name somebody.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network Internal
subnet 10.0.0.0 255.0.0.0
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network obj-0.0.0.0
host 0.0.0.0
object network Lab-Inet1
subnet 63.156.144.0 255.255.255.128
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
access-list outside_access_in extended permit esp any4 any4
access-list outside_access_in extended permit ah any4 any4
access-list outside_access_in extended permit gre any4 any4
access-list outside_access_in extended permit udp any4 any4 eq isakmp
access-list outside_access_in extended permit icmp host 69.33.71.145 any
access-list inside_access_in extended permit object-group TCPUDP any any eq domain log disable
access-list inside_access_in extended permit icmp any any log disable
access-list inside_access_in extended permit tcp any any eq www log disable
access-list inside_access_in extended permit tcp any any eq https log disable
access-list inside_access_in extended permit ip any4 any4
access-list outside_access_in_1 extended permit ip host 69.33.71.145 any
access-list outside_access_in_1 extended permit ip object Terracon-Inet1 any4
access-list inside_access_in_1 extended permit ip any4 any4
ip verify reverse-path interface outside
icmp unreachable rate-limit 100 burst-size 10
icmp permit any inside
icmp permit Lab-Inet1 255.255.255.128 outside
icmp permit host 69.33.71.145 outside
icmp permit host 8.8.8.8 outside
asdm image disk0:/asdm-722.bin
asdm location Internal 255.0.0.0 inside
asdm location Lab-Inet1 255.255.255.128 inside
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
!
object network Internal
nat (inside,outside) dynamic interface
access-group inside_access_in_1 in interface inside control-plane
access-group inside_access_in in interface inside
access-group outside_access_in_1 in interface outside control-plane
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 69.33.71.145 1 track 1
route inside 0.0.0.0 0.0.0.0 10.1.1.1 2
route inside Internal 255.0.0.0 10.1.1.1 1
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http server session-timeout 20
http 10.1.1.0 255.255.255.0 inside
http Lab-Inet1 255.255.255.128 outside
sla monitor 1
type echo protocol ipIcmpEcho 69.33.71.145 interface outside
num-packets 3
timeout 2000
threshold 2000
frequency 10
!
track 1 rtr 1 reachability
telnet timeout 5
ssh 10.1.1.0 255.255.255.0 inside
ssh Lab-Inet1 255.255.255.128 outside
ssh timeout 5
ssh version 2
console timeout 0
dhcpd dns 8.8.8.8 8.8.4.4
dhcpd auto_config outside
!
username admin password alblkeIIkehw encrypted
!
class-map tcp-traffic
class-map inspection_default
match default-inspection-traffic
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 1472
policy-map global_policy
class inspection_default
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect icmp
inspect icmp error
inspect pptp
inspect ipsec-pass-thru
inspect dns preset_dns_map dynamic-filter-snoop
class tcp-traffic
policy-map type inspect ipsec-pass-thru IPSEC-Passthrough
parameters
esp timeout 1:00:00
ah timeout 1:00:00
!
service-policy global_policy global
prompt hostname context
call-home reporting anonymous
Cryptochecksum:084ac25aefe3adedcbb6f09a7e117640
: end
12-24-2014 04:34 AM
Hi,
This would work only in the case when you have the Outside interface working and then the internet should work fine.
If the outside interface is not enabled, you would need a U-TURN NAT to take the traffic from the Inside interface and route it back to the inside interface.
When the Outside interface is down, can you send the output of packet trace:
packet-tracer input inside tcp 10.0.0.1 4567 8.8.8.8 80 detailed
Thanks and Regards,
Vibhor Amrodia
12-24-2014 06:39 AM
The outside interface is enabled but I keep getting the nat-xlate-failed message when I run packet trace using asdm.
Here's the trace from putty:
packet-tracer input inside tcp 10.0.0.1 www 8.8.8.8 www
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside
Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside_access_in in interface inside control-plane
access-list inside_access_in extended permit tcp any any eq www log disable
Additional Information:
Phase: 3
Type: NAT
Subtype:
Result: ALLOW
Config:
object network Internal
nat (inside,outside) dynamic interface
Additional Information:
Dynamic translate 10.0.0.1/80 to 69.33.71.146/80
Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 6
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 7
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 8
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 9822151, packet dispatched to next module
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow
12-24-2014 06:51 AM
Hi,
I think as per this output, I don't see any issues with the NAT statement.
Are you seeing the Xlate error in Syslogs? If yes, post some messages or the screenshot of the tracer which you run from the ASDM.
Thanks and Regards,
Vibhor Amrodia
09-16-2019 12:06 PM
Hi there,
Has this been resolved for you? I am having the same issue and would be curious to see what the resolution was.
Thanks!