ASA NATing doesn't seem to work

mazin D
Level 1

I have an ASA 5510 firewall and a Fortigate is connected to a VLAN interface on the ASA. I have a public IP address NATed (object NAT) to the outside interface of the Fortigate. The NAT doesn't seem to work: I see the traffic hitting the public IP address but not the outside interface of the Fortigate. Any suggestions?

18 Replies

Thanks for your help.

Still getting the same issue. Please find below the output of packet-tracer after removing the twice NAT:

-FW01/pri/act# show run nat | include CD-BFS-NORTH
object network CD-BFS-NORTH


FW01/pri/act# show nat | include CD-BFS-NORTH
1 (EPL_VPN) to (OUTSIDE) source static CD-BFS-NORTH Fortigate-IP


FW01/pri/act# show access-list | i CD-BFS-NORTH
access-list OUTSIDE_INGRESS line 27 extended permit object-group DM_INLINE_SERVICE_11 any object CD-BFS-NORTH log informational interval 300 (hitcnt=0) 0x070a3eba


CD-24LH-FW01/pri/act# packet-tracer input ouTSIDE icmp 92.239.10.100 8 0 80.10.10.51

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 80.10.10.48 255.255.255.248 OUTSIDE

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: DROP
Config:
access-group OUTSIDE_INGRESS in interface OUTSIDE
access-list OUTSIDE_INGRESS extended deny ip any any
Additional Information:

Result:
input-interface: OUTSIDE
input-status: up
input-line-status: up
output-interface: OUTSIDE
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule


It looks like the translation is happening in one direction only; not sure why.


What protocols are you allowing in your ACL?

sh run object-group id DM_INLINE_SERVICE_11


--
Please remember to select a correct answer and rate helpful posts

ICMP, HTTP, HTTPS


FW01/pri/act# sh run object-group id DM_INLINE_SERVICE_11
object-group service DM_INLINE_SERVICE_11
service-object icmp
service-object tcp-udp destination eq www
service-object tcp destination eq https

Sorted.

Just re-added the NAT statement at the top of all the NAT rules and it worked:

1 (OUTSIDE) to (any) source static any any destination static Fortigate-IP CD-BFS-NORTHW


Thanks all for your help.
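As an added illustration (not code from this thread or from Cisco), here is a small Python model of the order in which an ASA (8.3+) picks the inbound un-NAT rule and then evaluates the interface ACL against the real address. It assumes, as one plausible reading of the fix above, that a broader section-1 rule was matching ahead of the object NAT, and it uses a constructed real address for the CD-BFS-NORTH object since the thread never shows it.

```python
from ipaddress import ip_address, ip_network

FORTIGATE_IP = "80.10.10.51"      # mapped address, from the packet-tracer above
CD_BFS_NORTH = "10.20.30.40"      # CONSTRUCTED: real address of object CD-BFS-NORTH


def nat_rule(section, order, ingress, mapped_dst, real_dst):
    """One NAT rule as seen by the inbound (un-NAT) lookup.
    real_dst=None means identity NAT (destination left unchanged).
    Source matching is omitted to keep the model small."""
    return {"section": section, "order": order, "ingress": ingress,
            "mapped_dst": ip_network(mapped_dst), "real_dst": real_dst}


def untranslate(rules, ingress, dst):
    """Section 1 (manual) in configured order, then section 2 (object NAT),
    then section 3 (manual after-auto). Section-2 tie-breaks (static before
    dynamic, longest prefix) are simplified to configured order here.
    The first rule whose mapped destination covers dst wins."""
    for r in sorted(rules, key=lambda r: (r["section"], r["order"])):
        if r["ingress"] in (ingress, "any") and ip_address(dst) in r["mapped_dst"]:
            return dst if r["real_dst"] is None else r["real_dst"]
    return dst  # no rule matched: packet keeps its mapped address


def acl_permits(acl, dst):
    """Post-8.3 ACLs reference real addresses, so check the un-NATed dst."""
    for action, network in acl:
        if ip_address(dst) in ip_network(network):
            return action == "permit"
    return False  # implicit deny


# Mirrors OUTSIDE_INGRESS line 27 (permit to object) plus the final deny.
OUTSIDE_INGRESS = [("permit", CD_BFS_NORTH + "/32"), ("deny", "0.0.0.0/0")]

# CONSTRUCTED failing case: a broad identity twice-NAT (e.g. a VPN
# "source static any any") sits in section 1 and shadows the object NAT,
# so the packet reaches the ACL still addressed to 80.10.10.51.
shadowed = [nat_rule(1, 1, "OUTSIDE", "0.0.0.0/0", None),
            nat_rule(2, 1, "OUTSIDE", FORTIGATE_IP + "/32", CD_BFS_NORTH)]

# The thread's fix: a specific twice NAT placed at the top of section 1.
fixed = [nat_rule(1, 1, "OUTSIDE", FORTIGATE_IP + "/32", CD_BFS_NORTH),
         nat_rule(1, 2, "OUTSIDE", "0.0.0.0/0", None),
         nat_rule(2, 1, "OUTSIDE", FORTIGATE_IP + "/32", CD_BFS_NORTH)]


def outcome(rules):
    """Return (real destination after un-NAT, whether the ACL permits it)."""
    real = untranslate(rules, "OUTSIDE", FORTIGATE_IP)
    return real, acl_permits(OUTSIDE_INGRESS, real)
```

Running `outcome(shadowed)` reproduces the acl-drop seen in the packet-tracer output, while `outcome(fixed)` shows the destination un-NATed to the object's real address and the ACL permitting it.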
