
ASA 5505/NAT/Packet Tracer: Only connected subnet NATed, not others Internal subnets

computerone1
Level 1

Hi folks!

I'm modeling a simple network in Packet Tracer 7.0:

[Image: ASA NAT]

The IP topology is functioning OK, PC0 can ping Server0 (there is a static route in the router 'Internet' 10.0.0.0 255.0.0.0 203.0.113.47).

Yet, NAT is performed only when a ping is sent from R1, not from L3S0 or PC0 (checked using the Sniffer module).

I tried many different NAT settings for 4 hours (changing the 10.0.0.0/30 for a 10.0.0.0/24, using 'host [PC0 IP]' instead of subnet, using (any,outside) instead of (inside,outside)).

HTTP requests get the same problem; it's not just ICMP.

Either:

  • I made a big mistake in my NAT config (yet I checked the doc for 4 hours)
  • There is a bug in PacketTracer/ASA5505/NAT
  • The ASA 5505 can only NAT the directly connected subnet

I post the ASA startup config file for anybody wishing to check it.

Thanks for any idea :-)

Accepted Solutions

Hi computerone1,

Yes, there is a bug in Packet Tracer. But you can do something like the following.

Change the subnet mask of ASA inside to 255.0.0.0 from 255.255.255.252

interface Vlan1
nameif inside
security-level 0
ip address 10.0.0.2 255.0.0.0

object network inside-subnet
subnet 10.0.0.0 255.0.0.0
nat (inside,outside) dynamic interface

!

At router R1, ASA-facing interface:

interface fastethernet/Gig <x/x>
ip add 10.0.0.1 255.255.255.252
ip proxy-arp

And test again...

Spooster IT Services Team
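
Why the workaround above needs `ip proxy-arp` on R1, as an added example that is not part of the original post: once the ASA inside mask is 255.0.0.0, the ASA treats every 10.x.x.x host as directly connected and ARPs for it, so R1 has to answer on behalf of hosts behind it. The model below uses standard on-link and proxy-ARP rules (it does not reproduce the Packet Tracer bug); PC0's address, R1's second interface and R1's route are constructed assumptions.

```python
import ipaddress

# Constructed lab values (not from the post): PC0's address, R1's second
# interface and R1's route toward the inner subnets are assumptions.
PC0 = "10.1.1.10"
R1_CONNECTED = {"to_asa": "10.0.0.1/30", "to_l3s0": "10.0.1.1/30"}
R1_ROUTES = {"10.1.0.0/16": "to_l3s0"}

def on_link(interface_cidr, dst):
    """True if a device with this interface address/mask ARPs for dst itself."""
    return ipaddress.ip_address(dst) in ipaddress.ip_interface(interface_cidr).network

def proxy_arp_replies(arp_in_if, target, connected, routes, proxy_arp=True):
    """Would the router answer an ARP request for target seen on arp_in_if?"""
    tgt = ipaddress.ip_address(target)
    if tgt == ipaddress.ip_interface(connected[arp_in_if]).ip:
        return True                      # its own address: always answered
    if not proxy_arp:
        return False
    # Longest-prefix match over connected networks and static routes.
    table = {ipaddress.ip_interface(c).network: i for i, c in connected.items()}
    table.update({ipaddress.ip_network(p): i for p, i in routes.items()})
    matches = [(n.prefixlen, i) for n, i in table.items() if tgt in n]
    # Proxy ARP only answers for targets reached through another interface.
    return bool(matches) and max(matches)[1] != arp_in_if

def asa_return_delivery(asa_inside, dst, r1_proxy_arp):
    """How the ASA delivers a reply packet to dst on its inside interface."""
    if not on_link(asa_inside, dst):
        return "routed"                  # would need a route toward R1
    ok = proxy_arp_replies("to_asa", dst, R1_CONNECTED, R1_ROUTES, r1_proxy_arp)
    return "arp-answered-by-R1" if ok else "arp-unanswered"

if __name__ == "__main__":
    for mask, parp in (("/30", True), ("/8", False), ("/8", True)):
        print(mask, parp, asa_return_delivery("10.0.0.2" + mask, PC0, parp))
```

With the /8 mask and proxy ARP disabled, return traffic for PC0 is never delivered, which is why both changes in the answer go together.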


Hi Spooster IT Services

Your solution works perfectly.

Thanks and marked as solved!
