01-03-2016 02:20 AM - edited 03-12-2019 12:05 AM
Hi All,
I have a doubt about the NAT troubleshooting method. Can you please help me with NAT troubleshooting?
I configured the ASA firewall as below:
interface g1/1
nameif inside
ip address 10.10.10.1 255.255.255.0
no shut
!
interface g1/2
nameif outside
ip address 192.168.1.111 255.255.255.0
no shut
!
object network INTERNAL
host 1.1.1.1
nat (inside,outside) static 192.168.1.20 services tcp 80 80
!
There is some issue with the translation from 1.1.1.1 to 192.168.1.20. I am trying packet-tracer from inside to outside:
packet-tracer input inside tcp 1.1.1.1 http 192.168.1.254 http
packet-tracer input outside tcp 192.168.1.1 http 192.168.1.20 http
192.168.1.254 is my gateway.
1.1.1.1 is my internal address.
I am troubleshooting the NAT issue with the packet-tracer commands I mentioned above. Is this method the right method to troubleshoot the NAT issue, or is there any other method to troubleshoot NAT?
01-03-2016 08:31 AM
Hi,
Packet-tracer can be considered a first step to identify whether the traffic concerned hits the required NAT statement.
As per the description, your packet-tracer would give you a clear indication of whether the traffic hits the NAT statement or not.
When you say troubleshooting, packet-tracer would be able to give you an indication of which phase the traffic is failing at on the ASA. In the case of NAT, there can sometimes be an issue with the RPF check for return traffic when overlapping NAT statements are present. It would mention the NAT statements that are hit when the traffic goes out and comes in.
With those outputs you can frame your other troubleshooting steps. There are no hard and fast rules for troubleshooting.
Please let me know if you have any specific query.
Hope it answers your queries.
Regards,
Akshay Rastogi
Remember to rate helpful posts.
01-04-2016 01:49 AM
Hi Akshay,
How do NAT rules overlap? Because once one configures the NAT rules, the ASA will place the NAT rules in order, right?
01-04-2016 05:24 AM
Hi Rajesh,
In post-8.2 versions, Manual NATs (Twice NATs) are processed first, before any Object/Auto NAT.
Manual NATs are processed in the order they are configured; however, Object NATs are processed as static first and then dynamic.
RPF drops, which are one of the common issues with NAT where traffic is being dropped, are explained in the link below:
http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/116388-technote-nat-00.html#anc8
Go through the above doc completely. It explains various NAT troubleshooting approaches.
Hope it helps.
Regards,
Akshay Rastogi
Remember to rate helpful posts.
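The ordering rule Akshay describes can be made concrete. The following Python is an added example, not code from the thread or from Cisco: it sorts a list of NAT rules into the sections of the ASA 8.3+ unified NAT table (manual NAT in configuration order, then object NAT with static before dynamic, then manual NAT entered with "after-auto") and reports which rule a given real address hits first. The rule set, the rule names other than INTERNAL, and the real-side-only matching are assumptions made for illustration; a real lookup also considers interfaces, destination and service.

```python
"""Added example (not from the thread): order NAT rules the way the ASA 8.3+
NAT table evaluates them, and show which rule a given real address hits first.

Ordering encoded here (Cisco's documented order for the unified NAT table):
  section 1  manual (twice) NAT, in the order configured (line order)
  section 2  object (auto) NAT: static rules before dynamic; within each,
             fewer real addresses first, then lowest real IP, then object name
  section 3  manual NAT entered with 'after-auto', in line order
The rule set and the real-side-only matching are simplifications for illustration.
"""
import ipaddress
from dataclasses import dataclass


@dataclass
class NatRule:
    kind: str              # "manual" (twice NAT) or "object" (auto NAT)
    name: str              # object name, or a label for a manual rule
    real: str              # real (inside) address or network in CIDR form
    mapped: str            # mapped (outside) address, or "interface"
    static: bool = True    # False for dynamic (PAT/pool) rules
    after_auto: bool = False
    line: int = 0          # position in the configuration


def _section(rule: NatRule) -> int:
    if rule.kind == "manual":
        return 3 if rule.after_auto else 1
    return 2


def _real_net(rule: NatRule) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(rule.real, strict=False)


def nat_evaluation_order(rules):
    """Return the rules sorted into the order the ASA consults them."""
    def key(r: NatRule):
        sec = _section(r)
        if sec == 2:
            net = _real_net(r)
            return (sec, 0 if r.static else 1, net.num_addresses,
                    int(net.network_address), r.name.lower(), r.line)
        # manual NAT sections: configuration order only
        return (sec, 0, 0, 0, "", r.line)
    return sorted(rules, key=key)


def first_match(rules, real_ip: str):
    """First rule whose real side covers real_ip. A broader rule that sorts
    earlier shadows a narrower one configured before it; that is how rules
    'overlap' even though the ASA keeps them in order."""
    addr = ipaddress.ip_address(real_ip)
    for r in nat_evaluation_order(rules):
        if addr in _real_net(r):
            return r
    return None


def sample_rules():
    """Constructed rule set, listed in the order it was typed on the ASA.
    INTERNAL mirrors the object NAT from the thread; the rest are assumptions."""
    return [
        NatRule("object", "INTERNAL", "1.1.1.1/32", "192.168.1.20", static=True, line=1),
        NatRule("object", "INSIDE-NET", "10.10.10.0/24", "interface", static=False, line=2),
        NatRule("object", "DMZ-HOST", "10.10.10.5/32", "192.168.1.21", static=True, line=3),
        NatRule("manual", "MANUAL-1", "1.1.1.0/24", "192.168.2.0/24", static=True, line=4),
        NatRule("manual", "AFTER-AUTO-1", "10.10.10.0/24", "192.168.3.0/24",
                static=True, after_auto=True, line=5),
    ]


if __name__ == "__main__":
    rules = sample_rules()
    for r in nat_evaluation_order(rules):
        print(f"section {_section(r)}  line {r.line}  {r.kind:6} {r.name:13} {r.real} -> {r.mapped}")
    hit = first_match(rules, "1.1.1.1")
    print("1.1.1.1 is translated by", hit.name)   # MANUAL-1, not INTERNAL
```

Running it shows the point of the question: MANUAL-1 was configured last, yet it sits in section 1 and is consulted before the object NAT for INTERNAL, so a packet from 1.1.1.1 is translated by the /24 manual rule, not by the host rule the poster expects. The same shadowing is what packet-tracer reports in its NAT phase.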
01-04-2016 08:39 AM
Thank you, Akshay.
01-04-2016 08:52 AM
Hi Rajesh,
You're Welcome.
Do remember to rate helpful posts.
Regards,
Akshay Rastogi
01-03-2016 11:13 PM
Yes, you could use packet-tracer.
Or you could try "show nat", which will give you a full view of your NAT rules in each section and the number of hits each rule has.
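To make the hit counters useful in bulk, here is an added Python example (not from the thread or from Cisco) that parses the per-rule "translate_hits / untranslate_hits" lines that "show nat" prints and flags rules no traffic is reaching. The input is a constructed sample modeled on the ASA 8.3+ output format, not a capture from the poster's firewall, and the object names other than INTERNAL are assumptions.

```python
"""Added example (not from the thread): parse the hit counters that
'show nat' prints for each rule and flag the rules no traffic is reaching.
The input below is a constructed sample modeled on the ASA 8.3+ output
format (rule line followed by a 'translate_hits = N, untranslate_hits = N'
line); it is not a capture from the poster's firewall.
"""
import re

SAMPLE_SHOW_NAT = """\
Manual NAT Policies (Section 1)
1 (inside) to (outside) source static INSIDE-NET INSIDE-NET   destination static PARTNER PARTNER
    translate_hits = 0, untranslate_hits = 0

Auto NAT Policies (Section 2)
1 (inside) to (outside) source static INTERNAL 192.168.1.20   service tcp www www
    translate_hits = 0, untranslate_hits = 37
2 (inside) to (outside) source dynamic INSIDE-NET interface
    translate_hits = 1532, untranslate_hits = 0
"""

SECTION_RE = re.compile(r"\(Section (\d)\)\s*$")
RULE_RE = re.compile(r"^(\d+)\s+\((\S+)\) to \((\S+)\)\s+(.*)$")
HITS_RE = re.compile(r"translate_hits = (\d+), untranslate_hits = (\d+)")


def parse_show_nat(text):
    """Return one dict per NAT rule with its section, interfaces, rule text and counters."""
    rules, section = [], None
    for line in text.splitlines():
        m = SECTION_RE.search(line)
        if m:
            section = int(m.group(1))
            continue
        m = RULE_RE.match(line)
        if m:
            rules.append({
                "section": section,
                "index": int(m.group(1)),
                "src_if": m.group(2),
                "dst_if": m.group(3),
                "rule": " ".join(m.group(4).split()),   # collapse column padding
                "translate_hits": 0,
                "untranslate_hits": 0,
            })
            continue
        m = HITS_RE.search(line)
        if m and rules:
            rules[-1]["translate_hits"] = int(m.group(1))
            rules[-1]["untranslate_hits"] = int(m.group(2))
    return rules


def unmatched_rules(rules):
    """Rules with zero hits in both directions: traffic never reaches them
    (blocked earlier, routed elsewhere, or shadowed by a rule higher in the table)."""
    return [r for r in rules if r["translate_hits"] == 0 and r["untranslate_hits"] == 0]


def untranslate_only(rules):
    """Rules hit only on the mapped->real side: inbound connections reach the
    rule, but nothing from the real host has been translated outbound by it."""
    return [r for r in rules if r["translate_hits"] == 0 and r["untranslate_hits"] > 0]


if __name__ == "__main__":
    parsed = parse_show_nat(SAMPLE_SHOW_NAT)
    for r in unmatched_rules(parsed):
        print(f"no hits: section {r['section']} rule {r['index']}: {r['rule']}")
    for r in untranslate_only(parsed):
        print(f"inbound only: section {r['section']} rule {r['index']}: {r['rule']}")
```

Read the counters together with packet-tracer: a rule with zero hits in both directions after the test traffic has been sent is either never reached or shadowed, while a static rule with untranslate hits only (like INTERNAL in the sample) is being used by inbound connections to the mapped address and not by anything leaving from the real host. Clear the counters with "clear nat counters" before a test so the numbers reflect only that test.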