Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
948
Views
4
Helpful
6
Replies

ASA Firewall NAT

rajeshcv49
Level 1
Level 1

‎01-03-2016 02:20 AM - edited ‎03-12-2019 12:05 AM

Hi All,

I have doubt in NAT troubleshooting method, Can you please help me in NAT troubleshooting. 

I configure the asa firewa as below 

interface g1/1

nameif inside

ip address 10.10.10.1 255.255.255.0

no shut

!

interface g1/2

nameif outside

address 192.168.1.111 255.255.255.0

no shut

!

object network INTERNAL

host 1.1.1.1

nat (inside,outside) static 192.168.1.20 services tcp 80 80

!

there is some issue with translation from 1.1.1.1 to 192.168.1.20,  I am trying to packet-tracer  from inside to outside

packet-tracer input inside tcp 1.1.1.1 http 192.168.1.254 http

packet-tracer input outside tcp 192.168.1.1 http 192.168.1.20 http

192.168.1.254 is my gateway,

1.1.1.1 is my internal address

I am troubleshooting the NAT Issue with packet-tracer command which i mention above, Is This method is the right method to troubleshoot the NAT Issue? or is there any other method to troubleshoot the NAT?. 

Labels:
0 Helpful
6 Replies 6

Akshay Rastogi
Cisco Employee
Cisco Employee

‎01-03-2016 08:31 AM

Hi,

Packet-tracer could be considered as a first step to identify if the concerned traffic hits the required NAT statement.

As per the the description, your packet-tracer would gives you the clear indication if the traffic hits the NAT statement or not.

When you say troubleshooting, then packet-tracer would  be able to give you indication on what phase the traffic is failing on ASA. In case of NAT, there could be sometime issue with RPF check for return traffic when overlapping NAT statements are there. It would mention the NAT statements which are hitting when the traffic goes out and comes in.

With those outputs you could frame your other troubleshooting steps. There are no hard and fast rule to troubleshoot.

Please let me know if you have any specific query.

Hope it answers your queries.

Regards,

Akshay Rastogi

Remember to rate helpful posts.

0 Helpful

rajeshcv49
Level 1
Level 1
In response to Akshay Rastogi

‎01-04-2016 01:49 AM

Hi Akshay,

how nat rules overlap, Because one configure the nat rules asa will place the nat rules in order right ?

0 Helpful

Akshay Rastogi
Cisco Employee
Cisco Employee
In response to rajeshcv49

‎01-04-2016 05:24 AM

Hi Rajesh,

In post 8.2 version, Manual NATs(Twice NATs) are processed first before any Object/Auto NAT.

Manual NATs are processed in the order they are configured, however Object NATs are processed as Static first and then Dynamic.

Regarding RPFs drops which are one of the command issue with NATs where traffic is being dropped is explained in below link:

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/116388-technote-nat-00.html#anc8

Go through the above doc completely. It has explained various NAT troubleshooting approaches.

Hope it helps

Regards,

Akshay Rastogi

Remember to rate helpful posts.

0 Helpful

rajeshcv49
Level 1
Level 1
In response to Akshay Rastogi

‎01-04-2016 08:39 AM

Thank you akshay

0 Helpful

Akshay Rastogi
Cisco Employee
Cisco Employee
In response to rajeshcv49

‎01-04-2016 08:52 AM

Hi Rajesh,

You're Welcome.

Do remember to rate helpful posts.

Regards,

Akshay Rastogi

Andre Neethling
Level 4
Level 4

‎01-03-2016 11:13 PM

Yes, you could use Packet Tracer.

or you could try "show nat" which will give you a full view of your NAT rules in each section, and the amount of hits each rule has.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card