Solved: Static NAT on Cisco ASA 9.1

HUZEFA-786_2 · ‎10-22-2013

Hi,

I have a requirement of configuring a static NAT and I did the following, correct me if I am wrong.

object network 10.1.1.3
   host 10.1.1.6
   nat (inside,outside) static <Real IP address>

But for some reason the above configuration does not work, any idea ?

jumora · ‎10-22-2013

The format of your configuration of NAT is correct:

object network 10.1.1.3

host 10.1.1.6

nat (inside,outside) static

Some of the possible reasons that this is not working would be:

1) That you are configuring Auto NAT and a Manual NAT is taking precedence,

2) That you are mapping an address that is not on the same range as the external interface and on certain versions of the ASA you are required to add a command so that the ASA can ARP for none directly connected networks (arp permit-nonconnected).

3) The other option could be that traffic is not reaching the ASA due to an ARP cache on the ISP router for another device and all you need to do is call them and clear the ARP table.

Value our effort and rate the assistance!

View solution in original post

MOHAMMAD RAZA · ‎10-22-2013

Hi HUZEFA,

You can do this way.

object network public

host 200.1.1.1

exit

object network private

host 1.1.1.1

nat(inside,outside) static public

exit

!

Marius Gunnerud · ‎10-22-2013

which IP are you trying to NAT to? The object has the name 10.1.1.3 while the the IP you have configured in the object is 10.1.1.6? Or is this a typo?

Other than that, could you explain a little more indepth on what is not working? Are you trying to access the host from the outside?

could you run the following command and post it here please

packet-tracer input inside tcp 10.1.1.6 12345 4.2.2.2 80 detail

--
Please remember to select a correct answer and rate helpful posts

HUZEFA-786_2 · ‎10-22-2013

Thanks Mohd, but still this format does not work.

jumora · ‎10-22-2013

The format of your configuration of NAT is correct:

object network 10.1.1.3

host 10.1.1.6

nat (inside,outside) static

Some of the possible reasons that this is not working would be:

1) That you are configuring Auto NAT and a Manual NAT is taking precedence,

2) That you are mapping an address that is not on the same range as the external interface and on certain versions of the ASA you are required to add a command so that the ASA can ARP for none directly connected networks (arp permit-nonconnected).

3) The other option could be that traffic is not reaching the ASA due to an ARP cache on the ISP router for another device and all you need to do is call them and clear the ARP table.

Value our effort and rate the assistance!

jumora · ‎10-23-2013

Did any of the information given help, can you do me a favor and try to run a packet tracer to see if any other rule is being hit before the NAT rule that you are placing into the configuration:

Something like this:

packet-tracer input inside tcp 10.1.1.6 1025 4.2.2.2 80 detail

Send it over if you still need assistance.

Value our effort and rate the assistance!

andduart · ‎10-23-2013

Hi,

Please check previous posts for your Natting issue, at the end make sure that your External ACL should use the 'real ip address' ....just in case

Please attach the packet tracer output as per jumora, it will be very useful

Regards,

jumora · ‎10-23-2013

Well, actually the packet tracer was already requested by Marius Gunnerud's but it seems that we have not relpied with the information requested.

Value our effort and rate the assistance!

jumora · ‎10-23-2013

Hey so, I can't gave you the correct answer as I helped on the ticket from TAC, sometimes if you can't post outputs because your privacy you need to let us know or close out the support forum and open up a ticket.

Value our effort and rate the assistance!