ASA nat translate_hits = 0, untranslate_hits = 0

schmidtjoe
Level 1

Hi

I am configuring an ASA device. I am noticing that the NAT is not working and the PRIVATE device cannot reach the destination/gateway (192.168.237.65 and 192.168.237.129). Can someone help to check the config?

interface GigabitEthernet0/1
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/1.819
vlan 819
nameif VENDORNET_VENDOR_A
security-level 100
ip address 192.168.237.75 255.255.255.192
!
interface GigabitEthernet0/1.820
vlan 820
nameif VENDORNET_VENDOR_B
security-level 100
ip address 192.168.237.136 255.255.255.192
!
interface GigabitEthernet0/2
nameif PRIVATE
security-level 10
ip address 11.200.0.1 255.255.252.0
policy-route route-map SET_NEXT_HOP
!
object network vendor_VENDOR_B_subnet
range 192.168.237.129 192.168.237.191
object network obj_11.200.0.220
host 11.200.0.220
object network obj_VENDOR_B_1
host 192.168.237.140
!
object network vendor_VENDOR_A_subnet
range 192.168.237.65 192.168.237.127
object network obj_11.200.3.23
host 11.200.3.23
object network obj_VENDOR_A_1
host 192.168.237.100
!
access-list VLAN_VENDOR_B_EXT standard permit host 11.200.0.220
access-list VLAN_VENDOR_A_EXT standard permit host 11.200.3.23
!
nat (PRIVATE,VENDORNET_VENDOR_A) source static obj_11.200.3.23 obj_VENDOR_A_1
nat (PRIVATE,VENDORNET_VENDOR_B) source static obj_11.200.0.220 obj_VENDOR_B_1
!
route-map SET_NEXT_HOP permit 10
match ip address VLAN_VENDOR_B_EXT
set interface VENDORNET_VENDOR_B
set ip default next-hop 192.168.237.129
!
route-map SET_NEXT_HOP permit 20
match ip address VLAN_VENDOR_A_EXT
set interface VENDORNET_VENDOR_A
set ip default next-hop 192.168.237.65
!
route VENDORNET_VENDOR_A 0.0.0.0 0.0.0.0 192.168.237.65 2
route VENDORNET_VENDOR_B 0.0.0.0 0.0.0.0 192.168.237.129 3

Manual NAT Policies (Section 1)
1 (PRIVATE) to (VENDORNET_VENDOR_B) source static obj_11.200.0.220 obj_VENDOR_B_1
translate_hits = 0, untranslate_hits = 0
2 (PRIVATE) to (VENDORNET_VENDOR_A) source static obj_11.200.3.23 obj_VENDOR_A_1
translate_hits = 0, untranslate_hits = 0

10 Replies

Many issues with your shared config.
First:

access-list VLAN_VENDOR_A_EXT standard permit host 11.200.3.23 <<- traffic from VLA_VENDOR_A_EXT
!
route-map SET_NEXT_HOP permit 20
match ip address VLAN_VENDOR_A_EXT
set interface VENDORNET_VENDOR_A <<- will go via interface the traffic come from !!!
set ip default next-hop 192.168.237.65

set interface VENDORNET_VENDOR_A <<- will go via interface the traffic come from !!!

-- Why will it set the traffic back to the interface it comes from? The interface VENDORNET_VENDOR_A is the egress to VLAN 819.

interface GigabitEthernet0/1.819
vlan 819
nameif VENDORNET_VENDOR_A
security-level 100
ip address 192.168.237.75 255.255.255.192
!
access-list VLAN_VENDOR_A_EXT standard permit host 11.200.3.23

If you use a standard ACL, matching is done on the destination address only.

!
route-map SET_NEXT_HOP permit 20
match ip address VLAN_VENDOR_A_EXT
set interface VENDORNET_VENDOR_A
set ip default next-hop 192.168.237.65 <<- 

!
interface GigabitEthernet0/2
nameif PRIVATE
security-level 10
ip address 11.200.0.1 255.255.252.0
policy-route route-map SET_NEXT_HOP

The PBR is used to forward traffic ingressing on interface <PRIVATE>. The PBR will check the PBR ACL VLAN_VENDOR_A_EXT and see that the destination is host 11.200.3.23 <which we see is in the same subnet as PRIVATE>.


That confuses me.

Can you draw the topology?
1. access-list VLAN_VENDOR_A_EXT standard permit host 11.200.3.23  -- in a standard ACL, should "permit" be followed by the source?

2. I just want to confirm the following logic:

  • ingress traffic from host 11.200.3.23 arrives GigabitEthernet0/2
  • route-map SET_NEXT_HOP and NAT are triggered:
    • set the next-hop of the traffic to 192.168.237.65 out the interface GigabitEthernet0/1.819 VLAN_VENDOR_A_EXT
    • the source ip 11.200.3.23 is translated to 192.168.237.100

[Attached topology image: schmidtjoe_0-1665832969428.png]

access-list VLAN_VENDOR_A_EXT standard permit host 11.200.3.23  -- in a standard ACL, should "permit" be followed by the source?
No.
"If you use a standard ACL, matching is done on the destination address only."

https://www.cisco.com/c/en/us/td/docs/security/asa/asa94/config-guides/cli/general/asa-94-general-config/route-policy-based.html

nat (PRIVATE,VENDORNET_VENDOR_A) source static obj_11.200.3.23 obj_VENDOR_A_1
nat (PRIVATE,VENDORNET_VENDOR_B) source static obj_11.200.0.220 obj_VENDOR_B_1
!
interface GigabitEthernet0/2
nameif PRIVATE
security-level 10
ip address 11.200.0.1 255.255.252.0 <<- the subnet is different than 11.200.3.23 !!!
policy-route route-map SET_NEXT_HOP

Thanks for troubleshooting.

I have changed the ACL to extended format to match both source and destination. It is working now!!!

You are so so welcome friend. 

schmidtjoe
Level 1

Hi, thanks for advising.

How do I fix these issues?

Could 11.200.0.1 255.255.252.0 cover 11.200.3.23?

Address:   11.200.0.1            00001011.11001000.000000 00.00000001
Netmask:   255.255.252.0 = 22    11111111.11111111.111111 00.00000000
Wildcard:  0.0.3.255             00000000.00000000.000000 11.11111111
=>
Network:   11.200.0.0/22         00001011.11001000.000000 00.00000000 (Class A)
Broadcast: 11.200.3.255          00001011.11001000.000000 11.11111111
HostMin:   11.200.0.1            00001011.11001000.000000 00.00000001
HostMax:   11.200.3.254          00001011.11001000.000000 11.11111110
Hosts/Net: 1022

Yes, I double-checked; it covers it if the mask is /22.
But the PBR you use must still be correct.
