ASA Static NAT

pemasirid
Level 1

Hi,

I'm having a strange issue and would appreciate it if anyone has faced a similar issue and has a solution/workaround.

I have a static NAT (inside,outside) and have allowed all the required ports accessed from outside via an ACL applied inbound on the outside interface. Firewall nat-control is enabled. When I tried packet tracer I got the attached output (step 8, nat-exception: Drop). However, when I change the inside IP (which already has a static NAT entry with outside, but just for testing) it worked..? I have the required routing, the gateway for the inside server is the firewall inside interface, and there are no host routes on the inside server in question.

The issue I see here is that whenever you use a new static entry it does not work. Has anyone faced a similar problem and can give me some idea?

The attached file contains the relevant configuration and packet tracer output for the working and non-working IPs (the working inside IP is 172.16.1.125 and the non-working IP is 172.28.1.196).

thanks

1 Reply

mirober2
Cisco Employee

Hello,

The connection to 172.16.125.25 fails because of the NAT RPF check. This check requires that the forward flow (client -> server) matches the same NAT rules as the reverse flow (server -> client). You should double check your NAT rules and see which ones match for when 172.28.1.196 talks to 172.16.65.48. If you have trouble spotting the overlap, please share a sanitized copy of 'show run nat', 'show run global', and 'show run static'.

-Mike
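To make the RPF check in the reply above concrete, here is an added example that is not part of the thread and not Cisco code: a small Python model of pre-8.3 ASA `static (inside,outside) MAPPED REAL [netmask M]` rules. It un-NATs an inbound flow through the first static whose mapped range matches, then translates the reply through the first static whose real range matches, and reports a drop when the two rules differ. The first-match ordering, the rule names and the RFC 5737 / RFC 1918 addresses are all constructed assumptions for the demo; the overlap finder is the kind of check Mike suggests doing on `show run static`.

```python
"""Constructed model of the ASA NAT reverse-path (RPF) check (not Cisco code).

An inbound flow is un-NATed through the static that matches the mapped
destination; the reply flow must translate through that same static, or the
ASA drops the packet (the nat-rpf / nat-exception drop seen in packet-tracer).
"""
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Static:
    """One 'static (inside,outside) MAPPED REAL [netmask M]' entry."""
    name: str
    mapped: ipaddress.IPv4Network
    real: ipaddress.IPv4Network


def static(name, mapped, real, mask="255.255.255.255"):
    """Build a Static from ASA-style dotted mask (default: single host)."""
    return Static(name,
                  ipaddress.IPv4Network(f"{mapped}/{mask}", strict=False),
                  ipaddress.IPv4Network(f"{real}/{mask}", strict=False))


def _shift(addr, from_net, to_net):
    """Map addr from its position in from_net to the same offset in to_net."""
    offset = int(addr) - int(from_net.network_address)
    return ipaddress.IPv4Address(int(to_net.network_address) + offset)


def untranslate(rules, mapped_ip):
    """Inbound (outside -> inside): first rule whose mapped range holds the
    destination. Returns (rule, real address) or (None, None)."""
    ip = ipaddress.IPv4Address(mapped_ip)
    for r in rules:            # first match wins (simplification of this model)
        if ip in r.mapped:
            return r, _shift(ip, r.mapped, r.real)
    return None, None


def translate(rules, real_ip):
    """Outbound (inside -> outside): first rule whose real range holds the source."""
    ip = ipaddress.IPv4Address(real_ip)
    for r in rules:
        if ip in r.real:
            return r, _shift(ip, r.real, r.mapped)
    return None, None


def rpf_check(rules, mapped_dst):
    """Packet-tracer style verdict for an inbound flow to mapped_dst."""
    fwd_rule, real = untranslate(rules, mapped_dst)
    verdict = {"allowed": False, "real": None, "forward_rule": None,
               "reverse_rule": None, "reverse_mapped": None, "reason": ""}
    if fwd_rule is None:
        verdict["reason"] = "no static matches the mapped address"
        return verdict
    rev_rule, rev_mapped = translate(rules, real)
    verdict.update(real=str(real), forward_rule=fwd_rule.name,
                   reverse_rule=rev_rule.name if rev_rule else None,
                   reverse_mapped=str(rev_mapped) if rev_mapped else None)
    if rev_rule == fwd_rule:
        verdict.update(allowed=True, reason="forward and reverse flows match the same static")
    else:
        verdict["reason"] = ("nat-rpf failure: reply would use a different rule "
                             "and a different mapped address")
    return verdict


def overlapping_reals(rules):
    """Pairs of statics whose real ranges overlap; each pair is an RPF risk."""
    pairs = []
    for i, a in enumerate(rules):
        for b in rules[i + 1:]:
            if a.real.overlaps(b.real):
                pairs.append((a.name, b.name))
    return pairs


# Constructed sample configuration: host-C was added after subnet-B and its
# real address 10.2.2.20 also falls inside subnet-B's real range.
RULES = [
    static("host-A", "203.0.113.10", "10.1.1.10"),
    static("subnet-B", "198.51.100.0", "10.2.2.0", "255.255.255.0"),
    static("host-C", "192.0.2.20", "10.2.2.20"),
]

if __name__ == "__main__":
    for dst in ("203.0.113.10", "192.0.2.20", "198.51.100.5"):
        print(dst, rpf_check(RULES, dst))
    print("overlapping real ranges:", overlapping_reals(RULES))
```

Run as-is: the flow to 203.0.113.10 passes, the flow to 192.0.2.20 is dropped because the reply from 10.2.2.20 would translate through subnet-B to 198.51.100.20, and the overlap finder names the subnet-B / host-C pair. Reordering the two statics just moves the failure to the 198.51.100.20 side; removing the overlap is what fixes it.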
