Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1000
Views
0
Helpful
10
Replies

ASA nat issue urgent

Go to solution
rouzbehta
Level 1
Level 1

‎02-02-2011 08:41 PM - edited ‎03-11-2019 12:43 PM

Hello all,  Would someone please tell me if there is anything wrong with this configuration on ASA?  For example I can ping 10.10.10.3 from ASA but can't ping from 10.10.10.3 to 66.128.95.241, this means nat is not working properly??  I need this be fixed very soon  Thank you!    global (outside) 1 66.128.95.241 netmask 255.255.255.252 global (DMZ) 1 66.128.95.241 nat (inside10) 1 10.10.10.0 255.255.255.0 nat (inside11) 1 10.10.11.0 255.255.255.0 nat (inside12) 1 10.10.12.0 255.255.255.0 nat (inside13) 1 10.10.13.0 255.255.255.0 nat (inside14) 1 10.10.14.0 255.255.255.0 nat (inside16) 1 10.10.16.0 255.255.255.0 nat (inside20) 1 10.10.20.0 255.255.255.0 nat (inside21) 1 10.10.21.0 255.255.255.0

Labels:
0 Helpful
4 Accepted Solutions

Accepted Solutions

Go to solution
andamani
Cisco Employee
Cisco Employee
In response to rouzbehta

‎02-03-2011 04:39 AM

Hi,

The nat configuration given by you is as follows:

nat (inside10) 1 10.10.10.0 255.255.255.0

global (outside) 1 66.128.95.241 netmask 255.255.255.252

So here you are patting the 10.10.10.0 network to 66.128.95.241 and 66.128.95.242. These ip address are used for natting. They are not physically assigned to a device.

So from ASA when you ping 10.10.10.3,

source ip -- the interface ip address of inside10

destination ip - 10.10.10.3

Reply to that ping

source ip - 10.10.10.3

Destination ip - the interface ip address of inside10

Ping will be successful as both are assigned to a physically present device or interface.

But when you ping the ip address 66.128.95.241 from the device with ip address 10.10.10.3,

source ip -- 10.10.10.3

destination ip -- 66.128.95.241.

Ip 66.128.95.241 is not physically assigned to a device. As it is a virtual ip no device or interface will respond back. Hence the pings will be unsuccessful.

Hope this helps.

Regards,

Anisha

P.S.: Please mark this thread as answered if you feel your query is answered.

View solution in original post

0 Helpful

Go to solution
andamani
Cisco Employee
Cisco Employee
In response to rouzbehta

‎02-03-2011 05:55 AM

Hi,

Please change the Global statement to global(outside) 1 interface.

Also do the following:

policy-map global_policy
 class inspection_default

     inspect icmp

Try and let me know if you are able to ping the outside interface.

Regards,

Anisha

View solution in original post

0 Helpful

Go to solution
andamani
Cisco Employee
Cisco Employee
In response to rouzbehta

‎02-03-2011 08:10 AM

Hi,

Why do you wish to ping the outside interface of the ASA?

i don't think you can ping to the box. you can ping through the box.

you need a inspect icmp for that though.

please try pinging any host on the outside of the ASA and see if it successful.

please paste the output of sh xlate as well

Regards,

Anisha

View solution in original post

0 Helpful

Go to solution
m.kafka
Level 4
Level 4
In response to rouzbehta

‎02-03-2011 09:03 AM

Just noticed: you don't have a default route on your router 10.10.10.10.3

If that doesn't help do what i have suggested, anything else is "looking into the crystal ball"

If you cannot go live you have to build a test bed, no way around that, which means connect something that can represent your productive environment.

rgds,  MiKa

Message was edited by: m.kafka

View solution in original post

0 Helpful
10 Replies 10

Go to solution
rouzbehta
Level 1
Level 1

‎02-02-2011 08:47 PM

I attached txt file for if you can't read it properly in html , sorry abou this

79755-New Text Document (4).txt.zip
0 Helpful

Go to solution
andamani
Cisco Employee
Cisco Employee
In response to rouzbehta

‎02-03-2011 04:39 AM

Hi,

The nat configuration given by you is as follows:

nat (inside10) 1 10.10.10.0 255.255.255.0

global (outside) 1 66.128.95.241 netmask 255.255.255.252

So here you are patting the 10.10.10.0 network to 66.128.95.241 and 66.128.95.242. These ip address are used for natting. They are not physically assigned to a device.

So from ASA when you ping 10.10.10.3,

source ip -- the interface ip address of inside10

destination ip - 10.10.10.3

Reply to that ping

source ip - 10.10.10.3

Destination ip - the interface ip address of inside10

Ping will be successful as both are assigned to a physically present device or interface.

But when you ping the ip address 66.128.95.241 from the device with ip address 10.10.10.3,

source ip -- 10.10.10.3

destination ip -- 66.128.95.241.

Ip 66.128.95.241 is not physically assigned to a device. As it is a virtual ip no device or interface will respond back. Hence the pings will be unsuccessful.

Hope this helps.

Regards,

Anisha

P.S.: Please mark this thread as answered if you feel your query is answered.

0 Helpful

Go to solution
rouzbehta
Level 1
Level 1
In response to andamani

‎02-03-2011 05:16 AM

Dear Anisha,

But I already assigned the 66.128.95.241 to gigethernet 0/0 and 66.128.95.242 is assigned to the next hop router interface and 0.0.0.0 0.0.0.0 66.128.95.242 is default rout on ASA to route all packets to the next hop router which is facing Internet.

Is this wrong? or should or physically asign to a device is a task I didn't do? Please let me know I can attach whole configuration if you need.

I really appreciate your answer,

Thanks,

-Rouzbeh

0 Helpful

Go to solution
andamani
Cisco Employee
Cisco Employee
In response to rouzbehta

‎02-03-2011 05:55 AM

Hi,

Please change the Global statement to global(outside) 1 interface.

Also do the following:

policy-map global_policy
 class inspection_default

     inspect icmp

Try and let me know if you are able to ping the outside interface.

Regards,

Anisha

0 Helpful

Go to solution
rouzbehta
Level 1
Level 1
In response to andamani

‎02-03-2011 07:07 AM

Dear Anisha,

I attached the entire configuration of both router and ASA, I explaibed in txt document that I can ping 10.10.10.1 which is sub interface of ASA from my router, also I can ping 66.128.95.241 from ASA, but still can't ping 66.128.95.241 from the router.

I also applied the changes you asked me to do, but still no success

Best Regards,

-Rouzbeh

79775-New Text Document (2).txt.zip
0 Helpful

Go to solution
andamani
Cisco Employee
Cisco Employee
In response to rouzbehta

‎02-03-2011 08:10 AM

Hi,

Why do you wish to ping the outside interface of the ASA?

i don't think you can ping to the box. you can ping through the box.

you need a inspect icmp for that though.

please try pinging any host on the outside of the ASA and see if it successful.

please paste the output of sh xlate as well

Regards,

Anisha

0 Helpful

Go to solution
m.kafka
Level 4
Level 4
In response to andamani

‎02-03-2011 07:50 AM

Hi,

Just a few points for troubleshooting:

  1. Do you see the same behaviour for other hosts on your vlan 10 (connect temporary e.g. a notebook if there are no other)?
  2. You have a lot of unusual static routes configured e.g. duplicate 0.0.0.0/0 and statics for connected interfaces, what are they for?
  3. You still don't have the inspect icmp.
  4. Did you try packet-tracer? what does it tell you?
  5. What does sh xlate detail tell you for the host 10.10.10.3?
  6. You try to ping the ouside interface of the asa, same results for the default gateway 66.128.95.242 and other outside destinations?

Rgds, MiKa

0 Helpful

Go to solution
rouzbehta
Level 1
Level 1
In response to m.kafka

‎02-03-2011 08:40 AM

Dear Mika,

I just did inspect icmp, again no success

I am only trying to ping the outside interace from the router, not attached any hosts to subntes yet , because I have to be sure that nat is working properly before make the network live.

sh xlate , shows    0 in use, 0 most used to me

these routes:

c  66.128.95.240 255.255.255.252 is directly connected, outside    these c onnected routes are all sub interfaces on asa inteface gig1    which will be

c  10.10.10.0 255.255.255.0 is directly connected, inside10            connected to the switch

c  10.10.11.0 255.255.255.0 is directly connected inside 11

c 10.10.12.0 255.255.255.0 is directly connected inside 12

c 10.10.13.0 255.255.255.0 is directly connected inside13

c 10.10.14.0 255.255.255.0 is directly connected inside14

c 10.10.16.0 255.255.255.0 is directly connected inside16

c 10.10.20.0.255.255.255.0 is directly connected inside20

c 10.10.21.0 255.255.255.0 is directly connected inside21

S* 0.0.0.0 0.0.0.0 [1/0] via 66.128.95.242 outside                    this is next hop router interface address 66.128.95.242 and the statc route for that address

I can ping outside interface of asa, from asa

Regards,

-Rouzbeh

0 Helpful

Go to solution
m.kafka
Level 4
Level 4
In response to rouzbehta

‎02-03-2011 09:03 AM

Just noticed: you don't have a default route on your router 10.10.10.10.3

If that doesn't help do what i have suggested, anything else is "looking into the crystal ball"

If you cannot go live you have to build a test bed, no way around that, which means connect something that can represent your productive environment.

rgds,  MiKa

Message was edited by: m.kafka

0 Helpful

Go to solution
rouzbehta
Level 1
Level 1
In response to m.kafka

‎02-03-2011 09:23 AM

ohhhh iI made default route and workssssss


yahoooooooo    , Thank you very much, I can't tell how much I appreciate your help

Best Regards,

-Rouzbeh

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card