03-02-2017 07:50 AM - edited 03-12-2019 02:00 AM
Hi,
I have an ASA running 9.7 which has a public IP (222.222.222.222) assigned to its outside interface and a default gateway pointing to the first address in the 222.222.222 network.
I then route another subnet (123.123.123.192/26) to the ASA's outside address.
When I try to perform dynamic NAT (PAT) for one of the inside interfaces to one of the public IPs in the 123.123.123.192/27 range, no traffic is passed, even though I can see the states being created and ARP entries in the router.
The 'permit arp not-connected' feature is turned on.
When changing the object NAT to the outside IP 222.222.222.222, traffic flows without any problem.
Any idea why this is?
03-02-2017 09:03 AM
Is the subnet 123.123.123.192/26 a public IP range? Is it known to your ISP?
03-02-2017 09:51 AM
Yes.
03-02-2017 10:04 AM
Check whether the gateway of 123.123.123.192/26 is reachable. I am assuming this is a secondary subnet from the ISP that comes in on the same interface of the edge router to the outside interface of the FW.
03-02-2017 11:57 AM
The gateway of 123.123.123.192/26 is reachable. And yes, the subnet comes in on the same (outside) interface to the ASA.
03-02-2017 12:02 PM
Can you post packet-tracer output?
Run one from an inside IP, ICMP to 8.8.8.8, after you NAT to the secondary subnet.
Something like:
ASA#packet-tracer input inside icmp 10.0.0.1 0 0 8.8.8.8
03-02-2017 12:48 PM
Interface names and public IPs have been changed to obscure the original customer.
packet-tracer input inside icmp <inside-ip> 0 0 8.8.8.8
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list
Phase: 2
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 222.222.222.1 using egress ifc Outside
Phase: 3
Type: NAT
Subtype:
Result: ALLOW
Config:
object network INSIDE-OUTSIDE-NAT
nat (INSIDE-INTERFACE,OUTSIDE) dynamic
Additional Information:
Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Result:
input-interface: <Inside-interface>
input-status: up
input-line-status: up
output-interface: Outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (nat-xlate-failed) NAT failed
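The packet-tracer output above ends with every phase at ALLOW and yet a final "Action: drop" with "(nat-xlate-failed)", which is easy to misread when scanning by eye. The following is an added helper, not code from this thread or from Cisco: a small Python parser that splits ASA packet-tracer output into its phases, pulls out the route-lookup next hop and egress interface, the NAT rule lines and the drop code, and flags the "all phases allowed but still dropped" pattern seen here. The sample input is constructed from the obscured output posted above (the <Inside-interface> placeholder and the 222.222.222.1 next hop are the poster's, not real values).

```python
import re

# Constructed sample: the packet-tracer output posted above, obscured as the poster left it.
SAMPLE_OUTPUT = """\
packet-tracer input inside icmp <inside-ip> 0 0 8.8.8.8
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list
Phase: 2
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 222.222.222.1 using egress ifc Outside
Phase: 3
Type: NAT
Subtype:
Result: ALLOW
Config:
object network INSIDE-OUTSIDE-NAT
nat (INSIDE-INTERFACE,OUTSIDE) dynamic
Additional Information:
Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Result:
input-interface: <Inside-interface>
input-status: up
input-line-status: up
output-interface: Outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (nat-xlate-failed) NAT failed
"""

FIELD_KEYS = {"Type", "Subtype", "Result"}                  # one-line fields inside a phase
BLOCK_KEYS = {"Config": "config", "Additional Information": "info"}  # multi-line blocks
NEXT_HOP_RE = re.compile(r"found next-hop (\S+) using egress ifc (\S+)")
DROP_CODE_RE = re.compile(r"\((\S+)\)")                      # the code in "(nat-xlate-failed) NAT failed"


def parse_packet_tracer(text):
    """Return (phases, result): a list of per-phase dicts and the final Result block as a dict."""
    phases, result, current, block = [], {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Phase:"):
            current = {"phase": int(line.split(":", 1)[1]), "config": [], "info": []}
            phases.append(current)
            block = None
            continue
        if line == "Result:":          # the summary block has no value after the colon
            current, block = None, "result"
            continue
        key, _, value = line.partition(":")
        if block == "result":
            result[key.strip().lower().replace("-", "_")] = value.strip()
        elif current is None:
            continue                   # preamble such as the echoed command line
        elif key in FIELD_KEYS:
            current[key.lower()] = value.strip()
        elif key in BLOCK_KEYS:
            block = BLOCK_KEYS[key]    # following free-form lines belong to this block
        elif block is not None:
            current[block].append(line)
    return phases, result


def summarize(text):
    """Condense a trace into the facts a NAT troubleshooter looks at first."""
    phases, result = parse_packet_tracer(text)
    summary = {
        "action": result.get("action"),
        "drop_code": None,
        "next_hop": None,
        "egress_ifc": None,
        "nat_config": [],
        "phases": [(p["phase"], p.get("type"), p.get("result")) for p in phases],
    }
    m = DROP_CODE_RE.search(result.get("drop_reason", ""))
    if m:
        summary["drop_code"] = m.group(1)
    for p in phases:
        if p.get("type") == "ROUTE-LOOKUP":
            for line in p["info"]:
                m = NEXT_HOP_RE.search(line)
                if m:
                    summary["next_hop"], summary["egress_ifc"] = m.groups()
        if p.get("type") == "NAT":
            summary["nat_config"].extend(p["config"])
    return summary


def dropped_after_all_phases_allowed(summary):
    """True when no phase reported a non-ALLOW result yet the packet was still dropped."""
    return summary["action"] == "drop" and all(r == "ALLOW" for _, _, r in summary["phases"])


if __name__ == "__main__":
    s = summarize(SAMPLE_OUTPUT)
    for k, v in s.items():
        print(f"{k}: {v}")
    if dropped_after_all_phases_allowed(s):
        print(f"drop occurred at flow creation ({s['drop_code']}), not in a listed phase")
```

When the drop code is nat-xlate-failed and every phase shows ALLOW, as here, the trace is telling you the NAT rule matched but the translation itself could not be built; the summary puts the matched rule lines and the egress interface side by side so they can be checked against the mapped pool without re-reading the whole trace.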