I have an ASA 5510 firewall, and a Fortigate is connected to a VLAN interface on the ASA. I have a public IP address NATed (object NAT) to the outside interface of the Fortigate. The NAT doesn't seem to work: I see the traffic hitting the public IP address but not the outside interface of the Fortigate. Any suggestions?
Thanks for the reply.
That's why I called my enquiry "ASA NATing doesn't seem to work".
When I change the destination in the rule to CD-BFS-NORTH, the traffic is denied by the ACL.
I have attached packet-tracer output for the rules with the destination set to CD-BFS-NORTH and to Fortigate-IP.
My understanding is that the ASA should check NAT before the interface ACL, but that doesn't seem to happen.
Can someone advise?
Is there a reason you are using twice NAT for this? Also, it is always good practice to specify which interfaces you are NATing between and not to use the any keyword for interface selection. I would suggest changing the NAT to something like the following (change the interface names if needed):
nat (INSIDE,OUTSIDE) source static CD-BFS-NORTH Fortigate-IP
Without seeing more config it's hard to diagnose 100%, but it looks like you have your NAT commands the wrong way round, because you're stating outside>any and not the other way around. I would suggest removing the twice NAT and just adding a rule for this server such as the one you've already mentioned, assuming that the Fortigate is behind the EPL_VPN interface.
(EPL_VPN) to (OUTSIDE) source static CD-BFS-NORTH Fortigate-IP
Run packet-tracer again and see if this NAT rule is hit. If you want to try it another way try changing your other rule around:
42 (OUTSIDE) to (<ZONE THAT CONTAINS FORTIGATE>) source static any any destination static CD-BFS-NORTH Fortigate-IP no-proxy-arp
Could you please provide the output of the following commands:
show run nat | include CD-BFS-NORTH
show run access-list | include CD-BFS-NORTH   ! (If you are using IPs instead of objects, replace with the IP)
Also, provide a brief description / diagram of your network and where the IPs are located that you are trying to NAT.
You still have twice NAT configured, unless this is the one you have removed.
nat (OUTSIDE,any) source static any any destination static Fortigate-IP CD-BFS-NORTH object network CD-BFS-NORTHW
I suggest removing this and replacing it with the command I provided earlier.
nat (EPL_VPN,OUTSIDE) source static CD-BFS-NORTH Fortigate-IP
It is better practice to NAT from the inside to the outside unless there is a very specific reason for you to NAT from the outside.
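For reference, here is a minimal working configuration for the setup discussed in this thread, written as an added example and not taken from any of the posts above. It uses the object NAT form the original poster said they were using, with the interface pair named explicitly as the replies recommend. The addresses, the interface name EPL_VPN for the Fortigate-facing VLAN interface, the ACL name OUTSIDE_IN and the packet-tracer source address are all assumptions made for the example; the documentation ranges 203.0.113.0/24 and 198.51.100.0/24 are used so nothing here is a real public address.

```cisco
! Real (untranslated) address of the Fortigate's outside interface, on the ASA's EPL_VPN VLAN.
! 10.10.10.20 is an assumed value for this example.
object network CD-BFS-NORTH
 host 10.10.10.20
 ! Object NAT: translate this host to the public address when traffic crosses EPL_VPN<->OUTSIDE.
 ! Naming both interfaces (not "any") keeps the rule from matching on unintended interface pairs.
 nat (EPL_VPN,OUTSIDE) static 203.0.113.20

! Inbound ACL on OUTSIDE. On ASA 8.3 and later, NAT is undone before the interface ACL is
! evaluated, so the ACL must permit the REAL address (the object), not the public one.
! Permitting the public address here is the classic cause of "traffic hits the public IP but
! is denied by ACL". (Pre-8.3 images were the reverse and matched the mapped address.)
access-list OUTSIDE_IN extended permit tcp any object CD-BFS-NORTH eq 443
access-group OUTSIDE_IN in interface OUTSIDE

! Verify from the CLI. 198.51.100.5 is an assumed external client; the destination is the PUBLIC
! address. Expected phases in the output: UN-NAT (showing 10.10.10.20), then ACCESS-LIST on
! OUTSIDE_IN, then an ALLOW result with the egress interface shown as EPL_VPN.
packet-tracer input OUTSIDE tcp 198.51.100.5 12345 203.0.113.20 443
```

If packet-tracer shows the ACCESS-LIST phase dropping the packet while the UN-NAT phase already shows 10.10.10.20, the NAT is fine and the ACL is referencing the wrong (mapped) address. If there is no UN-NAT phase at all, check `show nat` to see whether a broader twice NAT rule in section 1 (such as the `(OUTSIDE,any)` rule quoted above) is matching first, since manual NAT rules are evaluated before object NAT rules.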