ASA5510 - 9.1(6)11 Destination NAT not working from Trunk/sub interface

Hi,
Please can anyone offer any advice on the issue below?
Inbound traffic on a sub-interface is bypassing/ignoring the destination NAT rules. The NAT rules are set up to work with multiple interfaces, and they work OK on directly connected interfaces; they only fail on the sub-interface.
example:
interface Ethernet0/1
 no nameif
 no security-level
 no ip address
interface Ethernet0/1.61
 description Interface to Routers vlan61
 vlan 61
 nameif Rout-DMZ
 security-level 100
 ip address 172.30.45.30 255.255.255.240 standby 172.30.45.29

interface Ethernet0/2
 description Interface to monitoring vlan63
 nameif Mon_svrs
 security-level 50
 ip address 196.12.12.30 255.255.255.240 standby 196.12.12.29
interface Management0/0
 nameif ICONNECT
 security-level 10
 ip address 172.30.50.1 255.255.255.240 standby 172.30.50.2

object network NAT_00274_Real
 nat (ICONNECT,any) static NAT_00274_local
I tested inbound/outbound traffic between eth0/2 (Mon_svrs) and Man0/0 (ICONNECT), all working OK; the NAT rule works. Tested the same again from eth0/1.61 and the NAT rule is ignored.
Deleted the static host NAT rule. Applied a new NAT rule against interface Rout-DMZ to ICONNECT and tested, with the same result. Modified the new NAT rule and applied it to the "Mon-svrs" I/F; the NAT rule worked OK. I continued with lots of NAT variations, with the same results.
Applied the ASA code fix update from 9.1(6)6 to 9.1(6)11 due to a known object NAT issue and a VPN security fix. Retested multiple NAT configurations, but still with the same results.

Aditya Ganjoo
Cisco Employee

Hi Mike,

Instead of having the any keyword as the destination interface, as in nat (ICONNECT,any) static NAT_00274_local, can we try to be more specific?

I have seen many times that this leads to NAT issues on the ASA.

Also, how did you test the traffic?

Did you use a packet tracer?

Regards,

Aditya

Please rate helpful posts.
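As an added illustration (not posted by either participant), here is the original object NAT statement from the thread beside the interface-specific form the reply suggests, followed by the CLI checks that show whether a packet arriving on the Rout-DMZ sub-interface actually hits the translation. The real address 192.0.2.10, the mapped address 198.51.100.10 (standing in for NAT_00274_local), and the test source host 172.30.45.20 are placeholders; the page does not give these values.

```cisco
! Form used in the post: destination interface left as "any"
object network NAT_00274_Real
 host 192.0.2.10
 nat (ICONNECT,any) static NAT_00274_local

! Interface-specific form suggested in the reply. Only one nat statement
! can exist per network object, so remove the old line first.
object network NAT_00274_Real
 no nat (ICONNECT,any) static NAT_00274_local
 nat (ICONNECT,Rout-DMZ) static NAT_00274_local

! Verification: trace a synthetic TCP packet that enters on the Rout-DMZ
! sub-interface toward the mapped address. The output lists each phase
! (ACCESS-LIST, NAT, ...) and shows which NAT rule, if any, was matched.
packet-tracer input Rout-DMZ tcp 172.30.45.20 40000 198.51.100.10 443 detailed

! Confirm the rule is installed and check translation/hit counters
show nat detail
show xlate
```

The useful comparison is to run the same packet-tracer command with input interface Mon_svrs and a source on that subnet: if the Mon_svrs trace shows a NAT phase matching the rule while the Rout-DMZ trace does not, the difference is in rule matching rather than in the sub-interface's connectivity. Confirming that the test traffic is a new connection (no pre-existing entry in show xlate or show conn) avoids testing against a stale translation.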
