ASA NAT issues

EvorioSupport1
Level 1

Currently having an issue with an ASA I am configuring where the NAT rules are being ignored. I am able to get to the external IP of the ASA but not to any devices on the inside. Connecting directly onto a server on the inside, I can see that whilst it is supposed to have a NAT'd address, it is actually using the external IP of the ASA. Another quirk on our NAT rules is that if I change the source interface from inside to outside (as it should be), I can no longer get out onto the internet from that device. If I set the source interface to Outside to Inside, then I can get out onto the internet but still have the NAT address problem.

Any ideas - would it be easier if I posted the config?


EvorioSupport1
Level 1


ASA Version 9.8(2)
!
hostname AWE-ASA

!
interface GigabitEthernet1/1
nameif outside
security-level 0
ip address 198.17.10.98 255.255.255.224
!
interface GigabitEthernet1/2
shutdown
no nameif
no security-level
ip address 192.168.1.1 255.255.255.0
!
interface GigabitEthernet1/3
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/3.10
vlan 10
nameif Tech
security-level 50
ip address 192.168.10.250 255.255.255.0
!
interface GigabitEthernet1/4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/4.11
vlan 11
nameif Basil_Media_Network_1
security-level 50
ip address 10.0.20.1 255.255.255.0
!
interface GigabitEthernet1/5
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/6
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/7
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/8
nameif inside
security-level 100
ip address 10.0.51.254 255.255.254.0
!
interface Management1/1
management-only
no nameif
no security-level
no ip address
!
ftp mode passive
clock timezone GMT/BST 0
clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00
same-security-traffic permit intra-interface
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network AWE-VLAN
subnet 10.0.50.0 255.255.254.0
object network IP_198.17.10.98
host 198.17.10.98
object network IP_198.17.10.99
host 198.17.10.99
object network IP_198.17.10.100
host 198.17.10.100
object network IP_198.17.10.101
host 198.17.10.101
object network IP_198.17.10.102
host 198.17.10.102
object network IP_198.17.10.103
host 198.17.10.103
object network IP_198.17.10.104
host 198.17.10.104
object network IP_198.17.10.105
host 198.17.10.105
object network IP_198.17.10.106
host 198.17.10.106
object network IP_198.17.10.107
host 198.17.10.107
object network IP_198.17.10.108
host 198.17.10.108
object network IP_198.17.10.109
host 198.17.10.109
object network IP_198.17.10.110
host 198.17.10.110
object network Internal_Tech-HP
host 10.0.20.2
object network Internal_Tech-Distro
host 10.0.20.3
object network Internal_Tech-Prep
host 10.0.20.4
object network Internal_Tech-FTP
host 10.0.20.5
object network Internal_Tech-PRO
host 10.0.20.6
object network Internal_Tech-NAS
host 10.0.20.7
object network Internal_AWE-HV03
host 10.0.51.209
object network Internal_AWE-HV03-iDRAC
host 10.0.51.208
object network Internal_AWE-GW02
host 10.0.51.215
object network Internal_Camera-MGMT
host 10.0.51.183
object network Internal_AWE-HV02
host 10.0.51.203
object network Internal_Avaya
host 10.0.60.181
object network External_AWE-LAN
subnet 192.168.46.0 255.255.255.0
object network IP_198.17.10.119
host 198.17.10.119
object network 19268
object network IP_198.17.10.116
host 198.17.10.116
object network IP_198.17.10.117
host 198.17.10.117
object network IP_198.17.10.118
host 198.17.10.118
object network IP_198.17.10.123
host 198.17.10.123
object network IP_198.17.10.124
host 198.17.10.124
object network IP_198.17.10.125
host 198.17.10.125
object network Internal_PhoneSystem
host 10.0.51.182
object network Internal_AWE-CB03
host 10.0.51.216
object network IP_198.17.10.111
host 198.17.10.111
object network IP_198.17.10.113
host 198.17.10.113
object network IP_192.168.10.2
host 192.168.10.2
object network IP_192.168.10.3
host 192.168.10.3
object network IP_192.168.10.4
host 192.168.10.4
object network IP_192.168.10.5
host 192.168.10.5
object network IP_198.17.10.122
host 198.17.10.122
object network External_BT
host 85.119.63.4
object network IP_10.50.1.105
host 10.50.1.105
object network obj-Internal_AWE-HV03
host 10.0.51.209
object-group network DM_INLINE_NETWORK_1
network-object object Internal_AWE-HV02
network-object object Internal_AWE-HV03
object-group service DM_INLINE_TCP_1 tcp
port-object eq 5900
port-object eq 8814
port-object eq 8815
object-group service DM_INLINE_SERVICE_1
service-object tcp destination eq 35689
service-object tcp destination eq 37777
service-object tcp destination eq www
service-object udp destination eq 35689
object-group service DM_INLINE_TCP_2 tcp
port-object eq www
port-object eq https
object-group service DM_INLINE_TCP_3 tcp
port-object eq 4115
port-object eq 5900
port-object eq 7172
port-object eq 8813
port-object eq 8814
port-object eq 8815
port-object eq 8816
object-group service DM_INLINE_TCP_4 tcp
port-object eq 14147
port-object eq 15428
port-object eq 4115
port-object eq 5900
port-object eq 8090
port-object eq ftp
port-object eq www
port-object eq ssh
object-group service DM_INLINE_TCP_5 tcp
port-object eq 15428
port-object eq 4115
port-object eq 5900
port-object eq 8090
port-object eq 8814
port-object eq 8815
port-object eq ssh
object-group service DM_INLINE_TCP_6 tcp
port-object eq 1719
port-object eq 1800
port-object range 49152 49410
object-group service DM_INLINE_SERVICE_2
service-object tcp destination eq 35689
service-object tcp destination eq 37777
service-object tcp destination eq www
service-object udp destination eq 35689
object-group service DM_INLINE_TCP_10 tcp
port-object eq 5900
port-object range 8814 8815
object-group service DM_INLINE_TCP_7 tcp
port-object eq 15428
port-object eq 4115
port-object eq 7172
port-object eq 8813
port-object eq 8816
port-object eq ftp
port-object eq www
port-object eq https
port-object eq ssh
object-group service DM_INLINE_TCP_8 tcp
port-object eq 14147
port-object eq 15428
port-object eq 4115
port-object range 5000 5100
port-object eq 5900
port-object eq 8090
port-object eq ftp
port-object eq www
port-object eq ssh
object-group service DM_INLINE_TCP_9 tcp
port-object eq 15428
port-object eq 4115
port-object eq 5900
port-object eq 8090
port-object eq 8115
port-object eq 8814
port-object eq ssh
object-group service DM_INLINE_SERVICE_3
service-object tcp destination eq 1719
service-object tcp destination eq 1800
service-object tcp destination eq 21800
service-object udp destination eq 17192
service-object udp destination range 49152 49410
object-group service DM_INLINE_TCP_11 tcp
port-object eq www
port-object eq https
object-group service DM_INLINE_TCP_12 tcp
port-object eq 3489
port-object eq https
object-group service DM_INLINE_TCP_13 tcp
port-object eq 1194
port-object eq https
object-group service DM_INLINE_SERVICE_4
service-object tcp-udp destination eq sip
service-object tcp destination eq sip
service-object udp destination eq sip
access-list OUT extended permit tcp any object Internal_AWE-HV03-iDRAC eq https
access-list OUT extended permit tcp any object-group DM_INLINE_NETWORK_1 eq 3389
access-list OUT extended permit tcp any object Internal_Tech-Prep eq 5566
access-list OUT extended permit tcp any object Internal_Tech-Distro object-group DM_INLINE_TCP_1
access-list OUT extended permit tcp any object Internal_Tech-Distro object-group DM_INLINE_TCP_2
access-list OUT extended permit tcp any object Internal_Tech-Distro eq ftp
access-list OUT extended permit tcp any object Internal_Tech-Distro eq ssh
access-list OUT extended permit tcp any object Internal_Tech-Distro eq 15428
access-list OUT extended permit tcp any object Internal_Tech-Distro object-group DM_INLINE_TCP_3
access-list OUT extended permit tcp any object Internal_AWE-GW02 eq 3389
access-list OUT extended permit object-group DM_INLINE_SERVICE_1 any object Internal_Camera-MGMT
access-list OUT extended permit tcp any object Internal_Tech-FTP object-group DM_INLINE_TCP_4
access-list OUT extended permit tcp any object Internal_Tech-FTP range 5000 5100
access-list OUT extended permit tcp any object Internal_Tech-Prep object-group DM_INLINE_TCP_5
access-list OUT extended permit tcp any object Internal_Avaya object-group DM_INLINE_TCP_6
access-list OUT extended permit icmp any any
access-list OUT extended permit tcp any object Internal_Tech-Distro object-group DM_INLINE_TCP_7
access-list OUT extended permit object-group DM_INLINE_SERVICE_2 any object Internal_Camera-MGMT
access-list OUT extended permit tcp any object Internal_Tech-FTP object-group DM_INLINE_TCP_8
access-list OUT extended permit tcp any object Internal_Tech-Prep object-group DM_INLINE_TCP_9
access-list OUT extended permit tcp any object Internal_Tech-Distro object-group DM_INLINE_TCP_10
access-list OUT extended permit object-group DM_INLINE_SERVICE_3 any object Internal_PhoneSystem
access-list OUT extended permit tcp any object Internal_AWE-HV03 eq 3489
access-list OUT extended permit tcp any object Internal_AWE-HV03-iDRAC object-group DM_INLINE_TCP_11
access-list OUT extended permit tcp any object Internal_AWE-CB03 object-group DM_INLINE_TCP_12
access-list OUT extended permit tcp any object Internal_AWE-GW02 eq https
access-list OUT extended permit tcp any object Internal_Tech-PRO object-group DM_INLINE_TCP_13
access-list OUT extended permit object-group DM_INLINE_SERVICE_4 object External_BT object Internal_PhoneSystem
access-list OUT extended permit tcp any object IP_10.50.1.105 eq www
access-list AWE_VPN_Policy extended permit ip object AWE-VLAN object External_AWE-LAN
access-list AWE_VPN_Policy extended permit ip object External_AWE-LAN object AWE-VLAN
access-list outside_cryptomap extended permit ip object AWE-VLAN object External_AWE-LAN
access-list TCLV-VLAN_access_in extended permit ip any any
access-list VOIP extended permit ip any any
access-list OUTSIDE_TO_INSIDE extended permit tcp any object Internal_AWE-HV03
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu Tech 1500
mtu Basil_Media_Network_1 1500
mtu inside 1500
no failover
no monitor-interface service-module
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-7122.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
nat (inside,outside) source static AWE-VLAN AWE-VLAN destination static External_AWE-LAN External_AWE-LAN no-proxy-arp route-lookup
!
object network Internal_Tech-HP
nat (outside,Basil_Media_Network_1) static IP_198.17.10.103
object network Internal_Tech-Distro
nat (outside,Basil_Media_Network_1) static IP_198.17.10.104
object network Internal_Tech-Prep
nat (outside,Basil_Media_Network_1) static IP_198.17.10.113
object network Internal_Tech-FTP
nat (outside,Basil_Media_Network_1) static IP_198.17.10.111
object network Internal_Tech-PRO
nat (outside,Basil_Media_Network_1) static IP_198.17.10.101
object network Internal_AWE-HV03
nat (inside,outside) static IP_198.17.10.116
object network Internal_AWE-HV03-iDRAC
nat (outside,inside) static IP_198.17.10.117
object network Internal_AWE-GW02
nat (outside,inside) static IP_198.17.10.107
object network Internal_Camera-MGMT
nat (outside,inside) static IP_198.17.10.110
object network Internal_PhoneSystem
nat (inside,outside) static IP_198.17.10.119
object network Internal_AWE-CB03
nat (outside,inside) static IP_198.17.10.118
object network IP_192.168.10.2
nat (outside,inside) static IP_198.17.10.122
object network IP_192.168.10.3
nat (outside,inside) static IP_198.17.10.123
object network IP_192.168.10.4
nat (outside,Tech) static IP_198.17.10.124
object network IP_192.168.10.5
nat (outside,Tech) static IP_198.17.10.125
object network IP_10.50.1.105
nat (inside,outside) static IP_198.17.10.108
object network obj-Internal_AWE-HV03
nat (inside,outside) static 198.17.10.116
!
nat (any,outside) after-auto source dynamic any interface
access-group OUT in interface outside
route outside 0.0.0.0 0.0.0.0 198.17.10.97 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
aaa authentication login-history
http server enable
http 10.0.50.0 255.255.254.0 inside
http 175.22.220.38 255.255.255.255 outside
no snmp-server location
no snmp-server contact
service sw-reset-button
