
ASA NAT Rule

jay_7301
Level 1

nat (inside) 1 10.0.0.1 255.255.255.0

nat (inside) 1 10.0.80.0 255.255.252.0

global (outside) 1 172.31.255.1 ( usually a public )

So this NAT statement allows anything from the above 10 networks to NAT to the global address of 172.31.255.1.

I just wanted to confirm this works and I can get internet access. I can ping sourcing from the SVI and ping from the computer in the VLAN, but I don't understand why the packet trace fails. Can I not test internet access via packet tracer, e.g. 8.8.8.8? It says drop within the NAT rule, which clearly allows it through.

packet-tracer input inside rawip 10.0.0.10 0 8.8.8.8

(10.0.0.10 is an SVI on the L3 switch behind the internal network.)


Akshay Rastogi
Cisco Employee

Hi Jay,

You could test the internet access via packet-tracer. Please use the below command:

packet-tracer input inside tcp 10.0.0.10 12345 8.8.8.8 80 detail

Please use the link below to understand the packet tracer in detail:

http://www.cisco.com/c/en/us/td/docs/security/asa/asa-command-reference/I-R/cmdref2/p1.html#pgfId-2129824

Regards,

Akshay Rastogi
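
An added example, not part of either post and not Cisco tooling: an offline check of which `nat`/`global` pair from the question a given source address matches, so the address fed to packet-tracer can be confirmed as covered by the rule. The function names are hypothetical, and only the `nat (if) id network mask` and `global (if) id address` forms quoted in the question are handled.

```python
import ipaddress
import re

# Constructed sample: the nat/global statements quoted in the question.
SAMPLE_CONFIG = """\
nat (inside) 1 10.0.0.1 255.255.255.0
nat (inside) 1 10.0.80.0 255.255.252.0
global (outside) 1 172.31.255.1
"""

NAT_RE = re.compile(r"^nat \((\S+)\) (\d+) (\S+) (\S+)$")
GLOBAL_RE = re.compile(r"^global \((\S+)\) (\d+) (\S+)")


def parse(config):
    """Return (nat_rules, global_pools) parsed from nat/global lines."""
    nats, pools = [], {}
    for line in config.splitlines():
        line = line.strip()
        m = NAT_RE.match(line)
        if m:
            ifc, nat_id, addr, mask = m.groups()
            # strict=False: the first statement has host bits set
            # (10.0.0.1 with a /24 mask); it is normalised to 10.0.0.0/24.
            net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
            nats.append((ifc, int(nat_id), net))
            continue
        m = GLOBAL_RE.match(line)
        if m:
            ifc, nat_id, addr = m.groups()
            pools.setdefault(int(nat_id), []).append((ifc, addr))
    return nats, pools


def lookup(config, in_ifc, src):
    """Return (matched network, egress interface, global address) or None."""
    nats, pools = parse(config)
    ip = ipaddress.ip_address(src)
    # Report the most specific matching statement first; this ordering is a
    # choice made for the example, not a statement about the firewall.
    for ifc, nat_id, net in sorted(nats, key=lambda n: -n[2].prefixlen):
        if ifc == in_ifc and ip in net and nat_id in pools:
            out_ifc, addr = pools[nat_id][0]
            return str(net), out_ifc, addr
    return None


if __name__ == "__main__":
    print(lookup(SAMPLE_CONFIG, "inside", "10.0.0.10"))
```

A `None` result means no quoted statement covers the source on that interface, which is worth ruling out before reading the packet-tracer phases.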
