07-07-2014 01:23 PM - edited 03-11-2019 09:26 PM
I have a very basic config, a couple of static NATs, and a default dynamic PAT. Started to add the VPN stuff, but thought I would test it first.
So, defined all the objects and NATs, defined the PAT, and tested it. The PAT works great. The order shows all NATs (static and PAT) fell properly into section 2 in the right order, but static NATs aren't working. I have stared at this long enough that although I am sure it is something simple I am forgetting, I have gone code-blind. Another set of eyes on the config would be greatly appreciated.
The show nat gives me:
firewall# show nat
Auto NAT Policies (Section 2)
1 (Internal-192-LAN) to (Internet) source static GreyGw-Obj 12.204.223.229
translate_hits = 80, untranslate_hits = 0
2 (Internal-192-LAN) to (Internet) source static ShahServer-Obj 12.204.223.226
translate_hits = 10, untranslate_hits = 0
3 (Internal-192-LAN) to (Internet) source static AVLServer-Obj 12.204.223.231
translate_hits = 1, untranslate_hits = 0
4 (Internal-10-LAN) to (Internet) source dynamic Internal-10-LAN-Net interface
translate_hits = 0, untranslate_hits = 0
5 (Internal-192-LAN) to (Internet) source dynamic Internal-192-LAN-Net interface
translate_hits = 9415, untranslate_hits = 32
firewall#
which shows the proper order: the statics first, followed by the dynamic. The access lists are (seemingly) correct, and the hits would tend to indicate some traffic, but you can't connect to any of the services on the static NAT servers. Thought it might be the access-list not being right, but I can't see it.
Can somebody cast a glance at this and let me know the (evidently obvious) thing I am missing? Thanks!
Jerry
07-08-2014 06:26 AM
Hi,
To confirm what NAT configuration is applied to connections I would suggest using the "packet-tracer" command
packet-tracer input Internet tcp <source ip> 12345 <public ip> <port>
The above "show nat" output would seem to suggest that no traffic has arrived at the ASA that matched those Static NAT configurations, because we should be seeing "untranslate_hits". You should also see this "UN-NAT" phase in the output of the "packet-tracer" command.
I would imagine that the ACL attached to your external interface should not be the cause either since the NAT should be matched first before the ASA checks the ACL.
There are occasions where the ASA simply doesn't apply the NAT configuration as it's supposed to, even if everything looks fine with every single command.
In that case it's sometimes worth altering the format of the NAT configuration a bit. You could, for example, change your Dynamic PAT configuration to contain only this configuration, which would work for all of your internal networks.
nat (any,Internet) after-auto source dynamic any interface
This NAT configuration would essentially match any source address behind any source interface and perform Dynamic PAT on it when the traffic is heading out through the "Internet" interface.
Hope this helps :)
- Jouni
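As an added example (not part of the thread or of any Cisco tool), the following Python script applies Jouni's diagnostic heuristic mechanically to the "show nat" output quoted above: it parses the rules and their hit counters, flags every static rule whose untranslate_hits is still 0 (meaning no inbound packet has ever matched the mapped address, so the fault lies before the NAT lookup), checks that the Auto NAT section lists statics before dynamics, and emits the packet-tracer command from Jouni's template for each silent static. The sample text is the thread's own output; the source address 198.51.100.10 and destination port 443 used in the generated commands are placeholders to be replaced with a real outside host and the service port being tested.

```python
import re

# Sample input: the "show nat" output quoted earlier in this thread.
SHOW_NAT = """\
Auto NAT Policies (Section 2)
1 (Internal-192-LAN) to (Internet) source static GreyGw-Obj 12.204.223.229
    translate_hits = 80, untranslate_hits = 0
2 (Internal-192-LAN) to (Internet) source static ShahServer-Obj 12.204.223.226
    translate_hits = 10, untranslate_hits = 0
3 (Internal-192-LAN) to (Internet) source static AVLServer-Obj 12.204.223.231
    translate_hits = 1, untranslate_hits = 0
4 (Internal-10-LAN) to (Internet) source dynamic Internal-10-LAN-Net interface
    translate_hits = 0, untranslate_hits = 0
5 (Internal-192-LAN) to (Internet) source dynamic Internal-192-LAN-Net interface
    translate_hits = 9415, untranslate_hits = 32
"""

# "1 (Internal-192-LAN) to (Internet) source static GreyGw-Obj 12.204.223.229"
RULE_RE = re.compile(
    r"^\s*(?P<idx>\d+)\s+\((?P<src>[^)]+)\)\s+to\s+\((?P<dst>[^)]+)\)\s+"
    r"source\s+(?P<kind>static|dynamic)\s+(?P<obj>\S+)\s+(?P<mapped>\S+)"
)
# "translate_hits = 80, untranslate_hits = 0"
HITS_RE = re.compile(r"translate_hits\s*=\s*(?P<t>\d+),\s*untranslate_hits\s*=\s*(?P<u>\d+)")
# "Auto NAT Policies (Section 2)", "Manual NAT Policies (Section 3)", ...
SECTION_RE = re.compile(r"NAT Policies \((?P<section>Section\s+\d)\)")


def parse_show_nat(text):
    """Return one dict per NAT rule with its section, kind, mapped address and counters."""
    rules, section, current = [], None, None
    for line in text.splitlines():
        m = SECTION_RE.search(line)
        if m:
            section = m.group("section")
            continue
        m = RULE_RE.match(line)
        if m:
            current = dict(m.groupdict(), section=section)
            current["idx"] = int(current["idx"])
            rules.append(current)
            continue
        m = HITS_RE.search(line)
        if m and current is not None:
            current["translate_hits"] = int(m.group("t"))
            current["untranslate_hits"] = int(m.group("u"))
    return rules


def find_silent_statics(rules):
    """Static rules that have never un-NATted an inbound packet (untranslate_hits == 0).

    Outbound translate_hits alone prove nothing about inbound reachability: they
    only show the inside host talking out through the mapped address.
    """
    return [r for r in rules if r["kind"] == "static" and r.get("untranslate_hits", 0) == 0]


def statics_precede_dynamics(rules, section="Section 2"):
    """Within Auto NAT (Section 2) every static rule should be listed before any dynamic one."""
    kinds = [r["kind"] for r in rules if r["section"] == section]
    first_dynamic = next((i for i, k in enumerate(kinds) if k == "dynamic"), len(kinds))
    return all(k == "dynamic" for k in kinds[first_dynamic:])


def packet_tracer_commands(rules, outside_if="Internet", src_ip="198.51.100.10", dst_port=443):
    """One packet-tracer command (Jouni's template) per silent static, to run on the ASA.

    src_ip and dst_port are placeholders; use a real outside host and the service port.
    """
    return [
        f"packet-tracer input {outside_if} tcp {src_ip} 12345 {r['mapped']} {dst_port}"
        for r in find_silent_statics(rules)
    ]


if __name__ == "__main__":
    parsed = parse_show_nat(SHOW_NAT)
    print("statics before dynamics in Section 2:", statics_precede_dynamics(parsed))
    for r in find_silent_statics(parsed):
        print(f"rule {r['idx']}: {r['obj']} -> {r['mapped']} has 0 untranslate_hits "
              f"(translate_hits={r['translate_hits']}); inbound traffic is not reaching the ASA")
    for cmd in packet_tracer_commands(parsed):
        print(cmd)
```

If the generated packet-tracer runs show an UN-NAT phase and an ALLOW result while the counters stay at zero under real traffic, the ASA is doing its part and the next hop to check is whatever answers ARP for the mapped addresses upstream.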
07-08-2014 01:04 PM
Hey!
Thanks for taking a look. I changed the dynamic to section 3 like you suggested. I like that much better; it gives a cleaner config and logical layout, and for what they were needing it will work fine. But that wasn't the problem. You hit it when you said "... would seem to suggest that no traffic has arrived..." Turns out that their ISP (AT&T) front-ends this with a 3825 router and it wasn't updating its CAM table in any kind of timely manner. A simple "oops, was that your power cable?? sorry about that AT&T" worked like a champ! :-) When their router booted back up and actually did an ARP properly, all was NATting like it was supposed to! Thanks a bunch!!! I stared at that config for hours scratching my head. Why anyone would want to monkey with an ARP time setting is beyond me. It's not like you are going to flood the link with ARPs.... :-P
Thanks again!! :-)