10-22-2013 01:29 AM - edited 03-11-2019 07:54 PM
Hi,
I have a requirement of configuring a static NAT and I did the following, correct me if I am wrong.
object network 10.1.1.3
host 10.1.1.6
nat (inside,outside) static <Real IP address>
But for some reason the above configuration does not work. Any idea?
10-22-2013 01:43 AM
Hi HUZEFA,
You can do it this way.
object network public
host 200.1.1.1
exit
object network private
host 1.1.1.1
nat (inside,outside) static public
exit
!
10-22-2013 06:17 AM
Which IP are you trying to NAT to? The object has the name 10.1.1.3 while the IP you have configured in the object is 10.1.1.6. Or is this a typo?
Other than that, could you explain in a little more depth what is not working? Are you trying to access the host from the outside?
Could you run the following command and post the output here, please:
packet-tracer input inside tcp 10.1.1.6 12345 4.2.2.2 80 detail
10-22-2013 02:15 PM
Thanks Mohd, but still this format does not work.
10-22-2013 02:43 PM
The format of your configuration of NAT is correct:
object network 10.1.1.3
host 10.1.1.6
nat (inside,outside) static <Real IP address>
Some of the possible reasons that this is not working would be:
1) That you are configuring Auto NAT and a Manual NAT is taking precedence,
2) That you are mapping an address that is not on the same range as the external interface, and on certain versions of the ASA you are required to add a command so that the ASA can ARP for non-directly-connected networks (arp permit-nonconnected).
3) The other option could be that traffic is not reaching the ASA due to an ARP cache on the ISP router for another device and all you need to do is call them and clear the ARP table.
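As an added example (not part of the thread and not Cisco tooling), the following Python sketch checks a saved ASA configuration for two of the points raised above: a mapped address outside the outside interface's subnet without arp permit-nonconnected, and an object whose IP-like name differs from its host address. The function name, the sample configuration and its documentation-range addresses are constructed for illustration, and the parser assumes the indented layout of show running-config.

```python
import ipaddress
import re

# Constructed sample config (documentation addresses, not taken from the thread).
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 nameif outside
 ip address 203.0.113.2 255.255.255.248
!
object network 10.1.1.3
 host 10.1.1.6
 nat (inside,outside) static 198.51.100.10
"""

def audit_static_nat(config):
    """Return findings for object (Auto) NAT static rules in an ASA config."""
    findings, nets, hosts, rules = [], {}, {}, []
    nameif = obj = None
    for raw in config.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):           # a top-level line starts a new block
            nameif = None
            m = re.match(r"object network (\S+)$", line)
            obj = m.group(1) if m else None
        elif m := re.match(r"nameif (\S+)$", line):
            nameif = m.group(1)
        elif (m := re.match(r"ip address (\S+) (\S+)", line)) and nameif:
            nets[nameif] = ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False)
        elif (m := re.match(r"host (\S+)$", line)) and obj:
            hosts[obj] = ipaddress.ip_address(m[1])
        elif (m := re.match(r"nat \((\S+),(\S+)\) static (\S+)", line)) and obj:
            rules.append((obj, m[2], m[3]))
    permit = re.search(r"^arp permit-nonconnected$", config, re.M) is not None
    for obj, mapped_if, mapped in rules:
        try:                                   # object named like an IP it does not hold
            if ipaddress.ip_address(obj) != hosts.get(obj):
                findings.append(f"{obj}: name differs from host {hosts.get(obj)}")
        except ValueError:
            pass                               # ordinary, non-IP object name
        try:
            addr = ipaddress.ip_address(mapped)
        except ValueError:
            addr = hosts.get(mapped)           # mapped address given as an object name
        net = nets.get(mapped_if)
        if addr and net and addr not in net and not permit:
            findings.append(f"{obj}: mapped {addr} is outside {net}; "
                            "arp permit-nonconnected is not configured")
    return findings
```

It does not evaluate rule ordering between Manual NAT and Auto NAT; packet-tracer on the device remains the way to see which rule a flow actually hits.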
10-23-2013 11:04 AM
Did any of the information given help? Can you do me a favor and try to run a packet tracer to see if any other rule is being hit before the NAT rule that you are placing into the configuration?
Something like this:
packet-tracer input inside tcp 10.1.1.6 1025 4.2.2.2 80 detail
Send it over if you still need assistance.
10-23-2013 11:12 AM
Hi,
Please check the previous posts for your NAT issue. At the end, make sure that your external ACL uses the 'real IP address', just in case.
Please attach the packet tracer output as per jumora; it will be very useful.
Regards,
10-23-2013 11:27 AM
Well, actually the packet tracer was already requested by Marius Gunnerud, but it seems that we have not replied with the information requested.
10-23-2013 05:41 PM
Hey, so I can't give you the correct answer as I helped on the ticket from TAC. Sometimes, if you can't post outputs because of your privacy, you need to let us know or close out the support forum and open up a ticket.