I have a problem with NAT on ASA. I am trying to translate the destination IP based on source range and source port.
I am getting the log below.
Failed to locate egress interface for TCP from OAM_MDS_EXT:169.254.0.1/52464 to 22.214.171.124/161 .
Range 126.96.36.199/28 is not allocated on any interface. I just configured a null route and redistributed it into OSPF.
Please have a look at the attached visio.
nat (EXT,INT) source dynamic MGMT_169.254.0.0_18 NET_188.8.131.52 destination static NET_184.108.40.206 SERVER1 service SSH SSH
object network MGMT_169.254.0.0_18
range 169.254.0.1 169.254.64.254
object network NET_220.127.116.11
object service SSH
service tcp destination eq ssh
object network SERVER1
Happy to help you out if I can. I'm not sure why you're getting that exact error message (but I can only see part of your config), as a Null0 route shouldn't have anything to do with your NATing. I can tell you by looking at your config that you haven't established any NAT objects for your local subnet on the ingress side of the ASA, and that's definitely going to cause problems with translation. Try the following:
1) Create a dynamic NAT pool for your range of addresses (you have done this successfully):
(config)# object network MGMT_169.254.0.0_18
(config-network-object)# range 169.254.0.1 169.254.64.254
2) Create a network object for your INGRESS network (this is missing):
(config)# object network SNMP_INGRESS
(config-network-object)# subnet 172.16.0.0 255.255.255.252
3) Enable dynamic NAT for your management range on the ingress network under the same network object:
(config-network-object)# nat (INT,EXT) dynamic MGMT_169.254.0.0_18
4) Create a network object for your web server:
(config)# object network SERVER1
5) (finally) Configure NAT for the static web server:
(config-network-object)# nat (EXT,INT) static 10.10.0.1
Let me know if that helps!
Please don't forget to rate!
Thank you for your reply. Maybe I didn't explain my end goal correctly. R1 on the left is using SNMP server 10.10.0.1 on the right. The SNMP server is not presented with its real IP to R1, so R1 uses 18.104.22.168.
In order to make this work I am trying to translate destination IP 22.214.171.124 to 10.10.0.1 and keep the original service, in this case SNMP.
I am using range 126.96.36.199/27 on the firewall, which is not configured on any interface.
Does it make sense now?
I hate to say it Vl@d@Ni but I'm actually a little more confused than when we started. I lose you around "SNMP dev is not presented with the real up to R1."
Where exactly is your NAT translation failing? Are you saying that the SNMP server (on the right) is receiving the SNMP requests but translation is failing on the way back? Do you know why addresses are translating to a Null interface? Is this by design? Can you post more of your config including all your NAT rules?
As per my understanding, you want R1 from source 169.254.0.1 to send SNMP data (UDP ports 161 & 162) to 188.8.131.52, and that traffic should land on SERVER (10.10.0.1).
If I am correct, this is what it should look like according to your diagram and my understanding.
!
interface GigabitEthernet0/0
 nameif INT
 security-level 100
 ip address 172.16.0.1 255.255.255.252
!
interface GigabitEthernet0/1
 nameif EXT
 security-level 0
 ip address 172.17.0.1 255.255.255.252
!
route EXT 10.10.0.0 255.255.0.0 172.17.0.2
route INT 169.254.0.1 255.255.255.255 172.16.0.2
!
object network OBJ-169
 host 169.254.0.1
object network OBJ-10
 host 10.10.0.1
object network OBJ-8
 host 184.108.40.206
!
object service SNMP
 service udp destination eq 161
object service SNMPTRAP
 service udp destination eq 162
!
nat (INT,EXT) source static OBJ-169 OBJ-169 destination static OBJ-8 OBJ-10 service SNMP SNMP
nat (INT,EXT) source static OBJ-169 OBJ-169 destination static OBJ-8 OBJ-10 service SNMPTRAP SNMPTRAP
!
The static routes here are just for illustration. You can have routes from OSPF or any other dynamic routing protocol.
The other requirements are: R1 should send SNMP from source IP 169.254.0.1, as you mentioned in your topology diagram. If there is any change, you should adjust the config accordingly.
R1 should send any traffic destined to 220.127.116.11 to the ASA (via a static or dynamic route), and R2 should send any traffic destined to 169.254.0.1 to the ASA (via a static or dynamic route).
If you still have a problem, please provide:
show run interface EXT
show run interface INT
show route
show nat detail
show run object
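As an added illustration (not posted by anyone in this thread), here is a small Python model of how the two twice-NAT rules and the routes in the config above decide the translated destination and the egress interface. The interface and object names and addresses are taken from that config; the matching and route-lookup logic is a deliberate simplification of the real ASA.

```python
import ipaddress
# Constructed model of the config posted above: interface names INT/EXT, the
# OBJ-169/OBJ-8/OBJ-10 objects and both twice-NAT rules come from the thread;
# the match/route logic is a simplification of what the ASA really does.
def net(s):
    return ipaddress.ip_network(s, strict=False)

ROUTES = [  # (egress interface, prefix): connected subnets plus the two routes
    ("INT", net("172.16.0.0/30")),
    ("EXT", net("172.17.0.0/30")),
    ("EXT", net("10.10.0.0/16")),     # route EXT 10.10.0.0 255.255.0.0 172.17.0.2
    ("INT", net("169.254.0.1/32")),   # route INT 169.254.0.1 255.255.255.255 172.16.0.2
]

# Manual (twice) NAT, first match wins. "source static OBJ-169 OBJ-169" is an
# identity translation, so only the destination is rewritten.
NAT_RULES = [
    {"ifaces": ("INT", "EXT"), "src": net("169.254.0.1/32"), "dst": net("184.108.40.206/32"),
     "mapped_dst": "10.10.0.1", "svc": ("udp", 161)},   # service SNMP SNMP
    {"ifaces": ("INT", "EXT"), "src": net("169.254.0.1/32"), "dst": net("184.108.40.206/32"),
     "mapped_dst": "10.10.0.1", "svc": ("udp", 162)},   # service SNMPTRAP SNMPTRAP
]

def egress_for(addr):
    """Longest-prefix route lookup; None means no interface can carry the packet."""
    hits = [(n.prefixlen, ifc) for ifc, n in ROUTES if addr in n]
    return max(hits)[1] if hits else None

def translate(ingress, proto, src, dst, dport):
    """Return (destination after NAT, egress interface or None).

    A None egress is the condition behind the "Failed to locate egress
    interface" log: either no rule matched and the real destination has no
    route, or the route disagrees with the rule's mapped interface."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    matched = None
    for rule in NAT_RULES:
        if (rule["ifaces"][0] == ingress and src_ip in rule["src"]
                and dst_ip in rule["dst"] and rule["svc"] == (proto, dport)):
            dst_ip, matched = ipaddress.ip_address(rule["mapped_dst"]), rule
            break
    egress = egress_for(dst_ip)
    if matched and egress != matched["ifaces"][1]:
        egress = None
    return str(dst_ip), egress

if __name__ == "__main__":
    print(translate("INT", "udp", "169.254.0.1", "184.108.40.206", 161))  # ('10.10.0.1', 'EXT')
    print(translate("INT", "tcp", "169.254.0.1", "184.108.40.206", 22))   # ('184.108.40.206', None)
```

The second call shows why a flow that matches no rule ends up with no egress interface: the published address is never routed anywhere, only rewritten by the NAT rule.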