Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1077
Views
0
Helpful
7
Replies

ASA Dynamic Auto NAT ping error

asanovice
Level 1
Level 1

‎05-14-2021 08:59 AM

I set Dynamic Auto NAT. The ping was passed correctly in all areas until setup. I sent 'ping 200.1.1.2' from RTA after setting up Dynamic Auto NAT, but the ping is not delivered. I checked the ASA and I realized the request comes in properly, but it doesn't send a reply.
Can you tell me what's wrong?

 

[RTA]
interface Loopback0
ip address 10.1.1.1 255.255.255.0
!
interface Loopback1
ip address 10.1.2.1 255.255.255.0
!
interface Loopback2
ip address 10.1.3.1 255.255.255.0
!
interface FastEthernet0/0
ip address 10.1.0.2 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 10.1.0.1
!
no cdp log mismatch duplex
!

 

[ASA]

interface GigabitEthernet0
nameif outside
security-level 0
ip address 200.1.1.2 255.255.255.252
!
interface GigabitEthernet1
nameif inside
security-level 100
ip address 10.1.0.1 255.255.255.0
!
interface GigabitEthernet2
nameif DMZ
security-level 50
ip address 192.168.2.1 255.255.255.0
!
object network NAT_POOL
range 150.1.1.101 150.1.1.200
object network LOCAL_NET1
subnet 10.1.1.0 255.255.255.0
object network LOCAL_NET2
subnet 10.1.2.0 255.255.255.0
access-list ALL_TRAFFIC extended permit ip any any
!
object network LOCAL_NET1
nat (inside,outside) dynamic NAT_POOL
object network LOCAL_NET2
nat (inside,outside) dynamic NAT_POOL
access-group ALL_TRAFFIC in interface outside
route outside 0.0.0.0 0.0.0.0 200.1.1.1 1
route inside 10.1.0.0 255.255.0.0 10.1.0.2 1
route DMZ 192.168.2.0 255.255.255.0 192.168.2.11 1
!

Labels:
Preview file
27 KB
0 Helpful
7 Replies 7

Rob Ingram
VIP
VIP

‎05-14-2021 09:06 AM - edited ‎05-14-2021 09:11 AM

@asanovice 

You are pinging 200.1.1.2 which is the outisde IP address of the ASA, you cannot be connected to the inside interface and ping a far interface (the outside interface), that is by design and will not work. You need to ping through the ASA, to another device, such as R3.

0 Helpful

asanovice
Level 1
Level 1
In response to Rob Ingram

‎05-14-2021 09:16 AM

Until Dynamic Auto NAT was set up, ping was delivered properly even when ping 200.1.1.2 was performed in the RTA. And as you said, RTA sent ping to R3 using 'ping 192.168.150.2', but it can't...

0 Helpful

Rob Ingram
VIP
VIP
In response to asanovice

‎05-14-2021 09:20 AM

@asanovice 

Run packet-tracer on the ASA to simulate the output traffic for each of your tests, provide the output for review.

Does R3 have a route back to the NAT Pool IP address range to go via the ASA?

Turn on icmp debug on R3, observe as to whether the icmp packet even reaches the router.

0 Helpful

asanovice
Level 1
Level 1
In response to Rob Ingram

‎05-14-2021 09:29 AM

I set up static routing like this.
[R3]
ip route 10.1.3.0 255.255.255.0 200.1.1.2
ip route 150.1.1.0 255.255.255.0 200.1.1.2

 

I checked in R3 and found the message 'echo reply sent, src 192.168.150.2, dst 10.1.0.2'. So it's ASA problem?

0 Helpful

Rob Ingram
VIP
VIP
In response to asanovice

‎05-14-2021 09:34 AM

packet-tracer output?

0 Helpful

asanovice
Level 1
Level 1
In response to Rob Ingram

‎05-14-2021 09:58 AM

packet-tracer Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow

 

Everything's fine....

0 Helpful

asanovice
Level 1
Level 1
In response to Rob Ingram

‎05-14-2021 10:16 AM

Oh I'm sorry. I found a reason for the packet tracer. thank you! By the way, may I ask about the error found?

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card