ASA NAT Inside/Source Nat

DEV1389
Level 1

Hi All, 

 

I am facing a basic issue with ASA NAT on EVE-NG. I am not able to ping after using the NAT statements mentioned below, but when I remove these NAT statements I am able to ping (Dst 10.10.44.100) from Src 192.168.20.100.

 

But at the same time the NAT translation hits keep increasing.

 

CiscoASA# show run

!
interface GigabitEthernet0/0
nameif Outside
security-level 0
ip address 41.41.41.1 255.255.255.252
!
interface GigabitEthernet0/1
nameif DMZ
security-level 0
ip address 31.31.31.1 255.255.255.252
!
interface GigabitEthernet0/2
nameif Inside
security-level 100
ip address 21.21.21.1 255.255.255.252
!
interface GigabitEthernet0/3
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3.90
vlan 90
nameif Inside01VLAN90
security-level 100
ip address 192.168.90.1 255.255.255.0
!
interface GigabitEthernet0/3.95
vlan 95
nameif Inside01VLAN95
security-level 100
ip address 192.168.95.1 255.255.255.0
!

 

CiscoASA# show int ip br
Interface IP-Address OK? Method Status Protocol
GigabitEthernet0/0 41.41.41.1 YES CONFIG up up
GigabitEthernet0/1 31.31.31.1 YES CONFIG up up
GigabitEthernet0/2 21.21.21.1 YES CONFIG up up
GigabitEthernet0/3 unassigned YES unset up up
GigabitEthernet0/3.90 192.168.90.1 YES CONFIG up up
GigabitEthernet0/3.95 192.168.95.1 YES CONFIG up up
GigabitEthernet0/4 unassigned YES unset administratively down up
GigabitEthernet0/5 unassigned YES unset administratively down up
GigabitEthernet0/6 unassigned YES unset administratively down up
Management0/0 unassigned YES unset administratively down up
CiscoASA#

 

CiscoASA# show nat
Auto NAT Policies (Section 2)
1 (Inside) to (Outside) source static ToWeb 41.41.41.41
translate_hits = 4, untranslate_hits = 0


CiscoASA# show nat

Auto NAT Policies (Section 2)
1 (Inside) to (Outside) source static ToWeb 41.41.41.41
translate_hits = 6, untranslate_hits = 0

 

 


CiscoASA# show running-config nat
!
object network ToWeb
nat (Inside,Outside) static 41.41.41.41
 
CiscoASA# show running-config object
object network ToWeb
host 192.168.20.100


CiscoASA# show running-config access-list
access-list OUT-IN extended permit ip any any log
access-list DMZ-IN extended permit tcp any any eq telnet log

 

Thanks in advance for your feedback.

5 Replies

Tyson Joachims
Spotlight

You have not defined the correct interface in your NAT statement. You have specified the interface Inside rather than Inside01VLAN90. Here is the correct syntax:

object network ToWeb
nat (Inside01VLAN90,Outside) static 41.41.41.41

If later on down the road you want to translate traffic sourced from the entire subnet of 192.168.90.0/24 to 41.41.41.41, you will need to use Port Address Translation instead of static NAT. Here are the commands to use PAT:

object network ToWeb
nat (Inside01VLAN90,Outside) dynamic interface

Please let me know if this fixes your issue, and consider rating this post as helpful if it does.

 

Hello Tyson, 

 

No, if you have a look at the interface details, I am using two different Inside zones. I wanted to NAT the Inside VLAN with 192.168.20.0/24, connected to a router that has subinterfaces as mentioned below:

Please have a look at the attached topology.

Inside#show ip int br
Interface IP-Address OK? Method Status Protocol
GigabitEthernet0/0 21.21.21.2 YES NVRAM up up
GigabitEthernet0/1 unassigned YES unset up up
GigabitEthernet0/1.20 192.168.20.1 YES NVRAM up up
GigabitEthernet0/1.30 192.168.30.1 YES NVRAM up up
GigabitEthernet0/1.40 192.168.40.1 YES NVRAM up up
GigabitEthernet0/2 unassigned YES unset up up
GigabitEthernet0/3 unassigned YES unset up up
Loopback0 2.2.2.2 YES NVRAM up up
Inside#

Tyson Joachims
Spotlight

My mistake. I didn't look at the 3rd octet closely enough. Your NAT statement is correct. I have a few follow-up questions:

-Is the ASA the only device performing NAT?

-If you remove the NAT statement, is the ASA able to ping 10.10.44.100?

-Since you are not showing the entire running configuration, do you have any additional NAT statements that are not shown here configured on the ASA?

-Are there any ACLs upstream that prevent traffic from 192.168.20.0/24 from getting to 10.10.44.100?

Yes, I can ping without the NAT statement, and all traffic is allowed over the outside interface.

 

CiscoASA# show running-config
: Saved

 
: Hardware: ASAv, 2048 MB RAM, CPU Xeon E5 series 2499 MHz
:
ASA Version 9.8(4)
!
hostname CiscoASA
domain-name cisco.com
enable password $sha512$5000$6Ik+LZcW6mC0I7lTMti5sg==$ChN9qzqRwjAU4rL7E7rGDg== pbkdf2
passwd 2KFQnbNIdI.2KYOU encrypted
names
no mac-address auto

!
interface GigabitEthernet0/0
nameif Outside
security-level 0
ip address 41.41.41.1 255.255.255.252
!
interface GigabitEthernet0/1
nameif DMZ
security-level 0
ip address 31.31.31.1 255.255.255.252
!
interface GigabitEthernet0/2
nameif Inside
security-level 100
ip address 21.21.21.1 255.255.255.252
!
interface GigabitEthernet0/3
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3.90
vlan 90
nameif Inside01VLAN90
security-level 100
ip address 192.168.90.1 255.255.255.0
!
interface GigabitEthernet0/3.95
vlan 95
nameif Inside01VLAN95
security-level 100
ip address 192.168.95.1 255.255.255.0
!
interface GigabitEthernet0/4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/5
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/6
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
shutdown
no nameif
no security-level
no ip address
!
ftp mode passive
dns server-group DefaultDNS
domain-name cisco.com
object network ToWeb
host 192.168.20.100
access-list OUT-IN extended permit ip any any log
access-list DMZ-IN extended permit tcp any any eq telnet log
pager lines 23
logging enable
mtu Outside 1500
mtu DMZ 1500
mtu Inside 1500
mtu Inside01VLAN90 1500
mtu Inside01VLAN95 1500
no failover
no monitor-interface service-module
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 8192
!
object network ToWeb
nat (Inside,Outside) static 41.41.41.100
access-group OUT-IN in interface Outside
access-group DMZ-IN in interface DMZ
router ospf 1
network 21.21.21.0 255.255.255.252 area 0
network 31.31.31.0 255.255.255.252 area 0
network 41.41.41.0 255.255.255.252 area 0
network 192.168.90.0 255.255.255.0 area 0
network 192.168.95.0 255.255.255.0 area 0
log-adj-changes
!
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:50
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication login-history
no snmp-server location
no snmp-server contact
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpoint _SmartCallHome_ServerCA
no validation-usage
crl configure
crypto ca trustpool policy
auto-import
crypto ca certificate chain _SmartCallHome_ServerCA
certificate ca 0509
++++++++ommitted ++++++++

telnet 0.0.0.0 0.0.0.0 Outside
telnet 0.0.0.0 0.0.0.0 DMZ
telnet 0.0.0.0 0.0.0.0 Inside
telnet timeout 5
ssh stricthostkeycheck
ssh 0.0.0.0 0.0.0.0 Outside
ssh 0.0.0.0 0.0.0.0 DMZ
ssh 0.0.0.0 0.0.0.0 Inside
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
management-access Outside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
dynamic-access-policy-record DfltAccessPolicy
username admin password $sha512$5000$XQ6ij0p+VgloLh9ZMHJUdA==$Xmw3QxWCgxseE6G/EJNJOw== pbkdf2
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
policy-map global_policy
class inspection_default
inspect ip-options
inspect netbios
inspect rtsp
inspect sunrpc
inspect tftp
inspect xdmcp
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect esmtp
inspect sqlnet
inspect sip
inspect skinny
inspect icmp
policy-map type inspect dns migrated_dns_map_2
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
profile License
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination transport-method http
Cryptochecksum:fca88e70e3413480a191a9ad1357e06a
: end
CiscoASA#

 

**************

With NAT it is dropped.

CiscoASA# packet-tracer input outside icmp 10.10.44.100 0 8 192.168.20.100

Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 21.21.21.2 using egress ifc Inside

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group OUT-IN in interface Outside
access-list OUT-IN extended permit ip any any log
Additional Information:

Phase: 3
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect icmp
service-policy global_policy global
Additional Information:

Phase: 6
Type: QOS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
object network ToWeb
nat (Inside,Outside) static 41.41.41.41
Additional Information:

Result:
input-interface: Outside
input-status: up
input-line-status: up
output-interface: Inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

************************************************

With NAT it is dropped.

 

 

CiscoASA# packet-tracer input outside icmp 10.10.44.100 0 8 ?

<0-65535> Enter the icmp identifier
A.B.C.D Enter the destination ipv4 address
fqdn Enter this keyword if an FQDN is specified as destination
address
security-group Enter this keyword if a security group is specified as
destination address
CiscoASA# packet-tracer input outside icmp 10.10.44.100 0 8 192.168.20.100

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 21.21.21.2 using egress ifc Inside

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group OUT-IN in interface Outside
access-list OUT-IN extended permit ip any any log
Additional Information:

Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect icmp
service-policy global_policy global
Additional Information:

Phase: 7
Type: QOS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:

Phase: 9
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 22, packet dispatched to next module

Result:
input-interface: Outside
input-status: up
input-line-status: up
output-interface: Inside
output-status: up
output-line-status: up
Action: allow

*************************************

Tyson Joachims
Spotlight

Looking at your packet tracer output, it appears that NAT is what is causing this to fail due to an RPF failure. I looked this up and found an article that says to try using the mapped IP address of 41.41.41.41 instead of the real IP address of 10.10.44.100 in your packet-tracer command. Here's the syntax:

packet-tracer input outside icmp 10.10.44.100 8 0 41.41.41.41

Please post the output of that command in your response.
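To make the rpf-check drop above concrete, here is an added example (not from this thread or from Cisco) that models the two NAT decisions packet-tracer walks for this flow: UN-NAT of a packet addressed to the mapped IP, and the reverse-path check that drops an Outside packet addressed to the real IP. The NAT rule is the one from the "show nat" output; the routing table, including the assumed Outside route for 10.10.44.0/24, is a constructed stand-in for the ASA's route lookup.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

@dataclass(frozen=True)
class StaticNat:
    real_ifc: str    # interface behind which the real host sits: nat (Inside,...)
    mapped_ifc: str  # interface on which the mapped address is seen: nat (...,Outside)
    real: str        # "object network ToWeb / host ..." address
    mapped: str      # "nat ... static ..." address

# Object NAT rule as shown by "show nat" in the thread.
NAT_RULES = [StaticNat("Inside", "Outside", "192.168.20.100", "41.41.41.41")]

# Constructed routing table (assumption: 10.10.44.0/24 is reached via Outside;
# the thread only shows "found next-hop 21.21.21.2 using egress ifc Inside").
ROUTES = {
    "192.168.20.0/24": "Inside",
    "192.168.90.0/24": "Inside01VLAN90",
    "10.10.44.0/24": "Outside",
}

def egress_ifc(dst: str) -> Optional[str]:
    """Longest-prefix route lookup, like packet-tracer's ROUTE-LOOKUP phase."""
    addr = ip_address(dst)
    matches = [(ip_network(p), ifc) for p, ifc in ROUTES.items() if addr in ip_network(p)]
    return max(matches, key=lambda m: m[0].prefixlen)[1] if matches else None

def trace(in_ifc: str, src: str, dst: str) -> Tuple[str, str]:
    """Return (action, detail) for the NAT decisions applied to one packet."""
    out_ifc = egress_ifc(dst)
    for r in NAT_RULES:
        # UN-NAT: a packet from the mapped side addressed to the mapped IP is
        # translated back to the real host and forwarded out the real interface.
        if in_ifc == r.mapped_ifc and dst == r.mapped:
            return "allow", f"UN-NAT {dst} -> {r.real}, egress {r.real_ifc}"
        # NAT: the real host sending toward the mapped side gets its source rewritten.
        if in_ifc == r.real_ifc and src == r.real and out_ifc == r.mapped_ifc:
            return "allow", f"NAT {src} -> {r.mapped}, egress {out_ifc}"
        # rpf-check: from the mapped side to the real IP, the reverse flow would
        # carry source r.mapped, which does not match this packet's destination,
        # so the flow is asymmetric and the ASA drops it (reported as acl-drop).
        if in_ifc == r.mapped_ifc and dst == r.real and out_ifc == r.real_ifc:
            return "drop", f"NAT rpf-check: reach {dst} via {r.mapped}, not its real IP"
    return "allow", f"no NAT rule matched, egress {out_ifc}"
```

Running `trace("Outside", "10.10.44.100", "192.168.20.100")` reproduces the drop from the first packet-tracer, while `trace("Outside", "10.10.44.100", "41.41.41.41")` is the case Tyson asks to be tested.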
