11-24-2016 02:21 AM - edited 03-12-2019 01:35 AM
I've just installed a brand new ASA 5525 and have set up some initial testing. I've a /22 public address space to play with. I've set up a very basic static NAT to test connectivity from the internet. I have a device on the inside which I've done a static NAT to on the outside. So far so good.
The issue I have though is with the ACL on the outside. The one-to-one NAT is the same as many others I've done on different ASAs in the past. Normally I set the ACL to point to the 'real' address of the inside/DMZ IP and it's fine. However, with this implementation I can only ping the public NATed address if I add a rule for both the real IP and the public IP on the outside interface. It's almost like the NAT rule is being ignored from an ACL perspective. I can continue with both addresses in the rule, but I know that's not right and want to know why this is happening. Has anyone got any ideas?
Thanks.
11-24-2016 06:45 AM
So if you are using ASA 8.3 or above, this is what you need:
You will need a network object or object group:
object network inside_local
 host 192.168.1.10
object network inside_to_outside_nat
 host 11.11.11.10
nat (inside,outside) source static inside_local inside_to_outside_nat
access-list outside_in extended permit icmp any host 192.168.1.10 log
! bind the ACL to the outside interface so it is actually evaluated
access-group outside_in in interface outside
(you can be more granular, this is just an example)
You don't need to specify the outside address; the ACL only needs the private address if you are using ASA 8.3 and above. But when you ping, you will ping the NATed address, which is 11.11.11.10.
Packets coming in will get untranslated and outbound packets will get translated. You also should check the logs to see what's happening when you are pinging from outside. You can also use the packet-tracer command to simulate the flow from outside to inside. I just tested this in my LAB and it works fine.
Please let me know if this answers your question.
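To illustrate the order of operations the answer above relies on (ASA 8.3+ untranslates the destination before the interface ACL is checked, so the ACE references the real address), here is an added Python simulation. It is not ASA code or code from anyone in this thread; the addresses, the StaticNat/Ace classes and the inbound_allowed function are constructed for the example.

```python
from dataclasses import dataclass

@dataclass
class StaticNat:
    real: str    # inside host address
    mapped: str  # public address presented on the outside

@dataclass
class Ace:
    action: str  # "permit" or "deny"
    proto: str   # "icmp", "tcp", "udp" or "ip"
    dst: str     # "any" or a single host address

def untranslate(dst: str, nats: list) -> str:
    """Inbound direction: map a public destination back to the real host."""
    for n in nats:
        if dst == n.mapped:
            return n.real
    return dst

def ace_matches(ace: Ace, proto: str, dst: str) -> bool:
    proto_ok = ace.proto in ("ip", proto)
    dst_ok = ace.dst in ("any", dst)
    return proto_ok and dst_ok

def inbound_allowed(proto: str, dst: str, nats: list, acl: list, post_83: bool):
    """Return (permitted, address the ACL was evaluated against).

    post_83=True models 8.3+: untranslate first, then run the ACL on the
    real address. post_83=False models the old behaviour, where the
    interface ACL saw the mapped (public) address.
    """
    checked = untranslate(dst, nats) if post_83 else dst
    for ace in acl:
        if ace_matches(ace, proto, checked):
            return ace.action == "permit", checked
    return False, checked  # implicit deny at the end of every ACL

# Constructed sample mirroring the thread: real 192.168.1.10, public 11.11.11.10
NATS = [StaticNat("192.168.1.10", "11.11.11.10")]
ACL_REAL = [Ace("permit", "icmp", "192.168.1.10")]
ACL_PUBLIC = [Ace("permit", "icmp", "11.11.11.10")]

def demo() -> dict:
    """Ping the public address under both rule styles and both ASA behaviours."""
    return {
        "8.3+ ACE on real IP": inbound_allowed("icmp", "11.11.11.10", NATS, ACL_REAL, True),
        "8.3+ ACE on public IP": inbound_allowed("icmp", "11.11.11.10", NATS, ACL_PUBLIC, True),
        "pre-8.3 ACE on public IP": inbound_allowed("icmp", "11.11.11.10", NATS, ACL_PUBLIC, False),
    }
```

On 8.3+ only the ACE on the real address permits the ping; an ACE on the public address never matches because the ACL never sees that address.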
12-07-2016 02:08 AM
Thanks for your reply cofee@400. This is how I have already set it up. However, it is not working as it should. I've set up many other ASAs the same way and I agree that I should just be able to ping the public address. However, on this occasion it is not behaving that way. It's a little odd!
12-07-2016 06:35 AM
Hello,
This is what I would try:
1. Use packet-tracer to determine which ACL and NAT are being used. For example:
packet-tracer input outside icmp 1.1.1.1 8 0 x.x.x.x
where x.x.x.x is the public IP you are trying to reach from outside.
2. Use a different public IP address for the static NAT.
3. Verify that the inside host has the correct gateway, so there is no asymmetrical routing.
Thanks,
Nenad
12-07-2016 08:20 AM
I understand that for some reason you are only able to ping if you add an ACE for both the private and public address. Would you be able to test connectivity with other protocols like TCP/UDP after removing the public ACE? See if you still have the same issue; that should help you narrow down troubleshooting.
Also, can you tell us which ASA version you are using?