Static NATs not working on FWSM

Nirmal Singh
Level 1

Hi All,

In dire need of the experts' help here.

I've configured static NAT on the FWSM and the command is as below:

static (inside,outside) 202.154.69.240 10.150.18.15 netmask 255.255.255.255
static (inside,outside) 202.154.69.241 10.150.44.28 netmask 255.255.255.255

Obviously, the connectivity from LAN server to the Internet destination doesn't work. Access lists have been configured and everything that's needed is being allowed. I verified with packet capture.

But the NAT translation doesn't seem to work. I ran a debug and this is what I got.

FWSM/fvxxxx# sh xlate debug local 10.150.18.15
Flags: D - DNS, d - dump, I - identity, i - inside, n - no random,
       o - outside, r - portmap, s - static
1097 in use, 13439 most used
NAT from inside:10.150.18.15 to outside:10.150.18.15 flags Ii idle 0:01:40 timeout 3:00:00 connections 0

FWSM/fvxxxx# sh xlate debug local 10.150.44.28
Flags: D - DNS, d - dump, I - identity, i - inside, n - no random,
       o - outside, r - portmap, s - static
1110 in use, 13439 most used
NAT from inside:10.150.44.28 to outside:10.150.44.28 flags Ii idle 0:00:08 timeout 3:00:00 connections 1

Why isn't it being translated??

5 Replies

ajay chauhan
Level 7

Can you post your configuration? Also, what are you trying to access from the LAN?

Post your capture.

Thanks

Ajay

Hi Ajay,

Due to security issues, I can't post the full config, but I'll show you the ones related to this.

conf t
object-group network 3PAR-SP-Internal
network-object host 10.150.18.15
network-object host 10.150.44.28
!
object-group network 3PAR-Portal-External
network-object host 66.126.187.144
!
object-group network 3PAR-Collector-External
network-object host 66.126.187.154
!
object-group network 3PAR-SP-NAT-Internal
network-object host 202.154.69.240
network-object host 202.154.69.240
!
access-list acl-outside extended permit tcp object-group 3PAR-Portal-External object-group 3PAR-SP-NAT-Internal eq 22
access-list acl-inside extended permit tcp object-group 3PAR-SP-Internal object-group 3PAR-Portal-External eq 22
access-list acl-inside extended permit tcp object-group 3PAR-SP-Internal object-group 3PAR-Collector-External eq 443
access-list acl-inside extended permit icmp object-group 3PAR-SP-Internal object-group 3PAR-Collector-External echo
!
static (inside,outside) 202.154.69.240 10.150.18.15 netmask 255.255.255.255
static (inside,outside) 202.154.69.241 10.150.44.28 netmask 255.255.255.255

Here's the packet capture:

FWSM/fvxxxx# sh cap out
8 packets seen, 8 packets captured
   1: 10:38:53.467173008 802.1Q vlan#136 P0 10.150.18.15.58194 > 66.126.187.144.22: S 675798721:675798721(0) win 5840
   2: 10:38:56.467176008 802.1Q vlan#136 P0 10.150.18.15.58194 > 66.126.187.144.22: S 675798721:675798721(0) win 5840
   3: 10:39:02.467182008 802.1Q vlan#136 P0 10.150.18.15.58194 > 66.126.187.144.22: S 675798721:675798721(0) win 5840
   4: 10:39:14.467194008 802.1Q vlan#136 P0 10.150.18.15.58194 > 66.126.187.144.22: S 1606688849:1606688849(0) win 5840
   5: 10:39:21.467201328 802.1Q vlan#136 P0 10.150.44.28.53601 > 66.126.187.144.22: S 4245408730:4245408730(0) win 5840
   6: 10:39:24.467204328 802.1Q vlan#136 P0 10.150.44.28.53601 > 66.126.187.144.22: S 4245408730:4245408730(0) win 5840
   7: 10:39:30.467210328 802.1Q vlan#136 P0 10.150.44.28.53601 > 66.126.187.144.22: S 4245408730:4245408730(0) win 5840
   8: 10:39:42.467222328 802.1Q vlan#136 P0 10.150.44.28.53601 > 66.126.187.144.22: S 4245408730:4245408730(0) win 5840
8 packets shown

integreon
Level 1

Hi,

What is the ASA version?


Hi,

It's not an ASA FW. It's a FWSM module in a Cisco 6513 chassis.

The version is 3.2(13)

Hello Nirmal,

Obviously you are seeing the same packets on the inside interface, so definitely it's an issue with the NAT.

Please provide the following:

- packet-tracer input inside tcp 10.150.18.15 1025 66.126.187.144 22

Regards,

Do rate helpful posts

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
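
Added example, not part of any post in this thread and not Cisco tooling: a Python check that compares the configured `static` lines with the `show xlate debug` entries and the capture, using lines posted above as sample input. It assumes the capture was taken on the outside interface; the function name `audit_static_nat` is hypothetical.

```python
import re

# Sample input: lines copied from the outputs posted in this thread.
STATICS = """\
static (inside,outside) 202.154.69.240 10.150.18.15 netmask 255.255.255.255
static (inside,outside) 202.154.69.241 10.150.44.28 netmask 255.255.255.255
"""
XLATE = """\
NAT from inside:10.150.18.15 to outside:10.150.18.15 flags Ii idle 0:01:40 timeout 3:00:00 connections 0
NAT from inside:10.150.44.28 to outside:10.150.44.28 flags Ii idle 0:00:08 timeout 3:00:00 connections 1
"""
CAPTURE = """\
   1: 10:38:53.467173008 802.1Q vlan#136 P0 10.150.18.15.58194 > 66.126.187.144.22: S 675798721:675798721(0) win 5840
   5: 10:39:21.467201328 802.1Q vlan#136 P0 10.150.44.28.53601 > 66.126.187.144.22: S 4245408730:4245408730(0) win 5840
"""

# static (real_if,mapped_if) mapped_ip real_ip netmask mask
STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) (\S+) (\S+) netmask \S+", re.M)
XLATE_RE = re.compile(r"^NAT from (\w+):(\S+) to (\w+):(\S+) flags (\w+)", re.M)
# Source address of a captured packet: "<ip>.<port> > "
CAP_RE = re.compile(r"P\d+ (\d+\.\d+\.\d+\.\d+)\.\d+ > ")

def audit_static_nat(statics, xlate, capture):
    """Return findings where a configured static is not what the device applies."""
    expected = {m[4]: m[3] for m in STATIC_RE.finditer(statics)}  # real -> mapped
    findings = []
    for m in XLATE_RE.finditer(xlate):
        real, mapped, flags = m[2], m[4], m[5]
        want = expected.get(real)
        # Flag 'I' is an identity xlate: the address leaves untranslated.
        if want and (mapped != want or "I" in flags):
            findings.append(("xlate", real, f"expected {want}, xlate shows {mapped} flags {flags}"))
    # Assumption: the capture is on the outside interface, so a real
    # (inside) address appearing as source means it left untranslated.
    for ip in sorted({ip for ip in CAP_RE.findall(capture) if ip in expected}):
        findings.append(("capture", ip, f"real address seen as source, expected {expected[ip]}"))
    return findings

if __name__ == "__main__":
    for kind, host, detail in audit_static_nat(STATICS, XLATE, CAPTURE):
        print(f"[{kind}] {host}: {detail}")
```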