

ASA NAT issue

Hi all

I have a problem with NAT on ASA. I am trying to translate the destination IP based on source range and source port.

I am getting the log below.

Failed to locate egress interface for TCP from OAM_MDS_EXT: to .

The range is not allocated on any interface. I just configured a null route and redistributed it into OSPF.

Please have a look at the attached Visio.

My config


nat (EXT,INT) source dynamic MGMT_169.254.0.0_18 NET_80.223.123.161 destination static NET_80.223.123.161 SERVER1 service SSH SSH

object network MGMT_169.254.0.0_18
object network NET_80.223.123.161
object service SSH
service tcp destination eq ssh
object network SERVER1


Any advice?


Hey Vl@d@Ni,

Happy to help you out if I can. I’m not sure why you’re getting that exact error message (but can only see part of your config), as a Null0 route shouldn’t have anything to do with your NATing. I can tell you by looking at your config that you haven’t established any NAT objects for your local subnet on the ingress side of the ASA, and that’s definitely going to cause problems with translation. Try the following:


1) Create a dynamic NAT pool for your range of addresses (you have done this successfully):

(Config)# Object network MGMT_169.254.0.0_18

(config-network-object)# range


2) Create a network object for your INGRESS network (this is missing):

(Config)# object network SNMP_INGRESS

(config-network-object)# Subnet


3) Enable dynamic NAT for your management range on the ingress network under the same network object:

(config-network-object)# NAT (INT,EXT) dynamic MGMT_169.254.0.0_18


4) Create a network object for your web server:

(Config)# object network SERVER1



5) (Finally) configure NAT for the static web server:

(config-network-object)#NAT (EXT,INT) static


Let me know if that helps!

Please don’t forget to rate!



Hi Zac,

Thank you for your reply. Maybe I didn't explain my end goal correctly. R1 on the left is using SNMP server on the right. SNMP srv is not presented with the real IP to R1 so R1 uses

In order to make this work I am trying to translate destination ip to and keep original service in this case SNMP.

I am using range on the firewall which is not configured on any interface. 


Does it make sense now?


I hate to say it Vl@d@Ni but I’m actually a little more confused than when we started. I lose you around “SNMP srv is not presented with the real IP to R1.”


Where exactly is your NAT translation failing? Are you saying that the SNMP server (on the right) is receiving the SNMP requests but translation is failing on the way back? Do you know why addresses are translating to a Null interface? Is this by design? Can you post more of your config including all your NAT rules?


As per my understanding. You want to achieve R1 from source ( trying to send SNMP data (UDP Port 161 & 162) to that should land on SERVER (

If I am correct, this is what it should look like according to your diagram and my understanding.

interface GigabitEthernet0/0
 nameif INT
 security-level 100
 ip address
interface GigabitEthernet0/1
 nameif EXT
 security-level 0
 ip address
route EXT
route INT
object network OBJ-169
object network OBJ-10
object network OBJ-8
object service SNMP
 service udp destination eq 161
object service SNMPTRAP
 service udp destination eq 162
nat (IN,OUT) source static OBJ-169 OBJ-169 destination static OBJ-8 OBJ-10 service SNMP SNMP
nat (IN,OUT) source static OBJ-169 OBJ-169 destination static OBJ-8 OBJ-10 service SNMPTRAP SNMPTRAP

The static routes here are just to make sense. You can have routes from OSPF or any other dynamic routing protocol.


The other requirements are. R1 should be sending SNMP from source IP as you mentioned in your topology diagram. If there is any change you should change it accordingly.

The R1 should send any traffic destined to to ASA (via Static or Dynamic Route) and R2 Should send any traffic destined to to ASA (via Static or Dynamic Route)

If you still have a problem, please provide:

Show run interface EXT
Show run interface INT
Show route
Show nat detail
Show run object
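
An added example, not part of any post in this thread: a small Python check that every interface and object named in a `nat` rule is declared in the same configuration, which is worth running on a draft before it goes onto the firewall. The sample config is constructed from the one posted above with addresses left out; `lint_nat`, `KEYWORDS` and the `OBJ-99` rule are this example's own names.

```python
import re

# Constructed sample modelled on the config posted in the thread; OBJ-99 is invented.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 nameif INT
interface GigabitEthernet0/1
 nameif EXT
object network OBJ-169
object network OBJ-10
object network OBJ-8
object service SNMP
 service udp destination eq 161
nat (IN,OUT) source static OBJ-169 OBJ-169 destination static OBJ-8 OBJ-10 service SNMP SNMP
nat (INT,EXT) source static OBJ-169 OBJ-169 destination static OBJ-8 OBJ-99 service SNMP SNMP
nat (INT,EXT) source static OBJ-169 OBJ-169 destination static OBJ-8 OBJ-10 service SNMP SNMP
"""

# Subset of twice-NAT keywords that are not object names (assumed enough here).
KEYWORDS = {"source", "destination", "static", "dynamic", "service", "interface",
            "any", "no-proxy-arp", "route-lookup", "unidirectional", "inactive"}
NAT_RE = re.compile(r"^nat \(([^,\s]+),([^)\s]+)\)\s+(.*)$")

def lint_nat(config):
    """Return (line_number, message) for NAT rules naming unknown interfaces or objects."""
    lines = [raw.strip() for raw in config.splitlines()]
    nameifs, objects = {"any"}, set()
    for line in lines:                      # pass 1: collect declarations
        tok = line.split()
        if len(tok) == 2 and tok[0] == "nameif":
            nameifs.add(tok[1])
        elif len(tok) >= 3 and tok[0] in ("object", "object-group"):
            objects.add(tok[2])
    findings = []
    for lineno, line in enumerate(lines, 1):  # pass 2: check each nat rule
        m = NAT_RE.match(line)
        if not m:
            continue
        for ifname in m.group(1, 2):
            if ifname not in nameifs:
                findings.append((lineno, f"interface {ifname} has no nameif"))
        for name in dict.fromkeys(m.group(3).split()):  # de-duplicate, keep order
            if name not in KEYWORDS and name not in objects:
                findings.append((lineno, f"object {name} is not defined"))
    return findings

if __name__ == "__main__":
    for lineno, msg in lint_nat(SAMPLE_CONFIG):
        print(f"line {lineno}: {msg}")
```

Rules that use inline addresses instead of named objects would be reported as undefined objects by this check, so it suits configurations written entirely with objects, as the ones in this thread are.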


