08-14-2013 06:46 PM - edited 03-11-2019 07:25 PM
Hi Everyone,
If I do Auto NAT from the DMZ interface to the outside interface using the config below
object network Auto_NAT
subnet 192.168.70.0 255.255.255.0 *********************DMZ subnet
description Auto NAT DMZ Interface
object network Outside_pool
range 192.168.51.3 192.168.51.100
object network Auto_NAT
nat (DMZ,outside) dynamic Outside_pool
My outside interface has an IP of 192.168.71.2.
I am unable to access the internet using the above config.
When I change the range in Outside_pool to 192.168.71.3 192.168.71.100, I am able to access the internet.
Does this mean that when using Auto NAT with dynamic NAT, the outside pool range should be in the same subnet as the outside interface IP address?
Regards
Mahesh
08-15-2013 10:19 PM
Hello Mahesh,
But I mean that traffic is on the same subnet, I mean 70.3 to 70.1...
Can you share the configuration please Or you can email me the setup
Check my blog at http:laguiadelnetworking.com for further information.
Cheers,
Julio Carvajal Segura
08-16-2013 08:58 AM
Hi Julio,
The config is attached under the original post.
Regards
Mahesh
08-16-2013 09:23 AM
Hello Mahesh,
Configuration looks good (I did not see anything wrong).
Add
fixup protocol icmp
cap capin interface inside match icmp any any eq 4.2.2.2
cap capout interface outside match icmp any any eq 4.2.2.2
Then ping from an inside PC to 4.2.2.2
and provide
show cap capin
show cap capout
Check my blog at http:laguiadelnetworking.com for further information.
Cheers,
Julio Carvajal Segura
08-16-2013 09:35 AM
Hi Julio,
I will test that later today and will update you.
Yesterday I ran the packet capture while pinging 4.2.2.2; the show for the inside interface showed 0 packets, but the outside interface was showing some output.
I will do it again today after putting in the command fixup protocol icmp.
Regards
Mahesh
08-16-2013 12:26 PM
Hello Mahesh,
Then it would be a problem with the LAN as the traffic is not reaching the ASA, make sure the computers have the right default gateway.
Note: we are testing from a 10.x.x.x host right?
Let us know any update
Check my blog at http:laguiadelnetworking.com for further information.
Cheers,
Julio Carvajal Segura
08-16-2013 04:38 PM
Hi Julio,
The command below does not work:
ap capture interface DMZ match icmp any any eq 4.2.2.2
^
ERROR: % Invalid Hostname
Also, I am behind the DMZ subnet 192.168.70.x.
Also, here is more info:
ciscoasa# debug icmp trace
debug icmp trace enabled at level 1
ciscoasa#
ICMP echo request from DMZ:192.168.70.4 to outside:4.2.2.2 ID=1 seq=17 len=32
ICMP echo request translating DMZ:192.168.70.4 to outside:192.168.72.63
ICMP echo request from DMZ:192.168.70.4 to outside:4.2.2.2 ID=1 seq=18 len=32
ICMP echo request translating DMZ:192.168.70.4 to outside:192.168.72.63
ICMP echo request from DMZ:192.168.70.4 to outside:4.2.2.2 ID=1 seq=19 len=32
ICMP echo request translating DMZ:192.168.70.4 to outside:192.168.72.63
ICMP echo request from DMZ:192.168.70.4 to outside:4.2.2.2 ID=1 seq=20 len=32
ICMP echo request translating DMZ:192.168.70.4 to outside:192.168.72.63
ICMP echo request from DMZ:192.168.70.4 to outside:4.2.2.2 ID=1 seq=21 len=32
ICMP echo request translating DMZ:192.168.70.4 to outside:192.168.72.63
ICMP echo request from DMZ:192.168.70.4 to outside:4.2.2.2 ID=1 seq=22 len=32
ICMP echo request translating DMZ:192.168.70.4 to outside:192.168.72.63
ICMP echo request from DMZ:192.168.70.4 to outside:4.2.2.2 ID=1 seq=23 len=32
ICMP echo request translating DMZ:192.168.70.4 to outside:192.168.72.63
ICMP echo request from DMZ:192.168.70.4 to outside:4.2.2.2 ID=1 seq=24 len=32
ICMP echo request translating DMZ:192.168.70.4 to outside:192.168.72.
where 192.168.70.4 is the PC IP.
Thanks
Mahesh
08-16-2013 10:27 PM
Hello Mahesh,
I must have been really tired when I sent the capture syntax lol. It's completely wrong.
It should be:
cap capdmz interface dmz match icmp any host 4.2.2.2
cap capout interface outside match icmp any host 4.2.2.2
I am sorry
Check my blog at http:laguiadelnetworking.com for further information.
Cheers,
Julio Carvajal Segura
08-16-2013 10:43 PM
Hi Julio,
Thanks for replying back.
ciscoasa# sh cap capdmz
4 packets captured
1: 23:36:38.000350 802.1Q vlan#3 P0 192.168.70.6 > 4.2.2.2: icmp: echo request
2: 23:36:42.849779 802.1Q vlan#3 P0 192.168.70.6 > 4.2.2.2: icmp: echo request
3: 23:36:47.841860 802.1Q vlan#3 P0 192.168.70.6 > 4.2.2.2: icmp: echo request
4: 23:36:52.849428 802.1Q vlan#3 P0 192.168.70.6 > 4.2.2.2: icmp: echo request
4 packets shown
ciscoasa# sh cap capout
36 packets captured
1: 22:03:42.616057 802.1Q vlan#1 P0 192.168.72.56 > 4.2.2.2: icmp: echo request
2: 22:03:47.348538 802.1Q vlan#1 P0 192.168.72.56 > 4.2.2.2: icmp: echo request
3: 22:03:52.340741 802.1Q vlan#1 P0 192.168.72.56 > 4.2.2.2: icmp: echo request
4: 22:03:57.348233 802.1Q vlan#1 P0 192.168.72.56 > 4.2.2.2: icmp: echo request
5: 22:06:25.034544 802.1Q vlan#1 P0 192.168.72.56 > 4.2.2.2: icmp: echo request
6: 22:06:29.839144 802.1Q vlan#1 P0 192.168.72.56 > 4.2.2.2: icmp: echo request
7: 22:06:34.846864 802.1Q vlan#1 P0 192.168.72.56 > 4.2.2.2: icmp: echo request
8: 22:06:39.838854 802.1Q vlan#1 P0 192.168.72.56 > 4.2.2.2: icmp: echo request
9: 22:08:08.405313 802.1Q vlan#1 P0 192.168.72.56 > 4.2.2.2: icmp: echo request
10: 22:08:13.345929 802.1Q vlan#1 P0 192.168.72.56 > 4.2.2.2: icmp: echo request
11: 22:08:18.337842 802.1Q vlan#1 P0 192.168.72.56 > 4.2.2.2: icmp: echo request
12: 22:08:23.345486 802.1Q vlan#1 P0 192.168.72.56 > 4.2.2.2: icmp: echo request
13: 22:08:28.337491 802.1Q vlan#1 P0 192.168.72.56 > 4.2.2.2: icmp: echo request
14: 22:51:16.824237 802.1Q vlan#1 P0 192.168.72.56 > 4.2.2.2: icmp: echo request
15: 22:51:21.333799 802.1Q vlan#1 P0 192.168.72.56 > 4.2.2.2: icmp: echo request
16: 22:51:26.333066 802.1Q vlan#1 P0 192.168.72.56 > 4.2.2.2: icmp: echo request
17: 22:51:31.334409 802.1Q vlan#1 P0 192.168.72.56 > 4.2.2.2: icmp: echo request
18: 22:52:32.936276 802.1Q vlan#1 P0 192.168.72.56 > 4.2.2.2: icmp: echo request
19: 22:52:37.844743 802.1Q vlan#1 P0 192.168.72.56 > 4.2.2.2: icmp: echo request
20: 22:52:42.834734 802.1Q vlan#1 P0 192.168.72.56 > 4.2.2.2: icmp: echo request
21: 22:52:47.834185 802.1Q vlan#1 P0 192.168.72.56 > 4.2.2.2: icmp: echo request
22: 22:52:52.834307 802.1Q vlan#1 P0 192.168.72.56 > 4.2.2.2: icmp: echo request
23: 22:52:57.834643 802.1Q vlan#1 P0 192.168.72.56 > 4.2.2.2: icmp: echo request
24: 22:53:02.834917 802.1Q vlan#1 P0 192.168.72.56 > 4.2.2.2: icmp: echo request
25: 22:53:07.834246 802.1Q vlan#1 P0 192.168.72.56 > 4.2.2.2: icmp: echo request
26: 22:53:12.834536 802.1Q vlan#1 P0 192.168.72.56 > 4.2.2.2: icmp: echo request
27: 22:53:17.845979 802.1Q vlan#1 P0 192.168.72.56 > 4.2.2.2: icmp: echo request
28: 22:53:22.834154 802.1Q vlan#1 P0 192.168.72.56 > 4.2.2.2: icmp: echo request
29: 22:53:27.834475 802.1Q vlan#1 P0 192.168.72.56 > 4.2.2.2: icmp: echo request
30: 22:53:32.834780 802.1Q vlan#1 P0 192.168.72.56 > 4.2.2.2: icmp: echo request
31: 22:53:37.834078 802.1Q vlan#1 P0 192.168.72.56 > 4.2.2.2: icmp: echo request
32: 22:53:42.833422 802.1Q vlan#1 P0 192.168.72.56 > 4.2.2.2: icmp: echo request
33: 23:36:38.000671 802.1Q vlan#1 P0 192.168.72.73 > 4.2.2.2: icmp: echo request
34: 23:36:42.850084 802.1Q vlan#1 P0 192.168.72.73 > 4.2.2.2: icmp: echo request
35: 23:36:47.842104 802.1Q vlan#1 P0 192.168.72.73 > 4.2.2.2: icmp: echo request
36: 23:36:52.849733 802.1Q vlan#1 P0 192.168.72.73 > 4.2.2.2: icmp: echo request
36 packets shown
ciscoasa#
Regards
Mahesh
08-16-2013 11:06 PM
There are no packets coming back from the switch.
Add the following to the ASA:
arp permit-nonconnected
Can you share the show ip route from the switch (I just need the entry for 192.168.72.0)
and also show arp | include 192.168.72.
Check my blog at http:laguiadelnetworking.com for further information.
Cheers,
Julio Carvajal Segura
08-16-2013 11:13 PM
Hi Julio,
Here is the info:
3550SMIA#show arp | include 192.168.72.56
3550SMIA#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is 192.168.5.3 to network 0.0.0.0
S 192.168.72.0/24 [1/0] via 192.168.71.2
100.0.0.0/32 is subnetted, 1 subnets
O 100.100.100.100 [110/3] via 192.168.5.3, 5d02h, FastEthernet0/11
3.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
O 3.3.3.3/32 [110/2] via 192.168.5.3, 5d02h, FastEthernet0/11
C 3.4.4.0/24 is directly connected, Loopback0
C 192.168.30.0/24 is directly connected, Vlan30
64.0.0.0/32 is subnetted, 1 subnets
O E2 64.59.135.150 [110/300] via 192.168.5.3, 5d02h, FastEthernet0/11
S 192.168.77.0/24 [1/0] via 192.168.10.2
C 192.168.10.0/24 is directly connected, Vlan10
172.31.0.0/24 is subnetted, 4 subnets
O E2 172.31.3.0 [110/300] via 192.168.5.3, 5d02h, FastEthernet0/11
O E2 172.31.2.0 [110/300] via 192.168.5.3, 5d02h, FastEthernet0/11
O E2 172.31.1.0 [110/300] via 192.168.5.3, 5d02h, FastEthernet0/11
O E2 172.31.0.0 [110/300] via 192.168.5.3, 5d02h, FastEthernet0/11
O 192.168.98.0/24 [110/2] via 192.168.99.1, 5d02h, FastEthernet0/8
C 192.168.99.0/24 is directly connected, FastEthernet0/8
C 192.168.20.0/24 is directly connected, Vlan20
192.168.5.0/31 is subnetted, 1 subnets
C 192.168.5.2 is directly connected, FastEthernet0/11
192.168.6.0/31 is subnetted, 1 subnets
O 192.168.6.2 [110/2] via 192.168.5.3, 5d02h, FastEthernet0/11
S 192.168.69.0/24 [1/0] via 192.168.10.2
C 192.168.71.0/24 is directly connected, FastEthernet0/22
O*E2 0.0.0.0/0 [110/1] via 192.168.5.3, 5d02h, FastEthernet0/11
3550SMIA#
Regards
Mahesh
08-16-2013 11:21 PM
Hello.
Do the following on the ASA side:
arp permit-nonconnected
and then try again.
Check my blog at http:laguiadelnetworking.com for further information.
Cheers,
Julio Carvajal Segura
08-16-2013 11:26 PM
No luck
08-16-2013 11:32 PM
Hello,
At the moment, the only thing that I could possibly think of is to make sure that the router 192.168.5.3 has a route to the 192.168.72 subnet and that it's also NATing this subnet range.
Check my blog at http:laguiadelnetworking.com for further information.
Cheers,
Julio Carvajal Segura
08-16-2013 11:41 PM
Hi Julio,
It seems that adding a static route to the router did the magic:
2691Router(config)#ip route 192.168.72.0 255.255.255.0 192.168.5.2
2691Router(config)#end
2691Router#
Now I can access the internet from the PC, and ping also works fine.
Can you tell me how adding a route to the router made the difference?
Regards
Mahesh
08-17-2013 12:02 AM
Hello Mahesh,
Well basically:
Long troubleshooting, Mahesh, but we did it.
Check my blog at http:laguiadelnetworking.com for further information.
Cheers,
Julio Carvajal Segura
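The thread ends without spelling out why the static route on the 2691 fixed things. The point is that a dynamic NAT pool does not have to sit in the outside interface's subnet, but when it does not, the ASA cannot simply answer ARP for the mapped addresses on its own link; every upstream hop on the return path must instead carry a route for the pool prefix that leads back to the ASA's outside IP. In the captures above the echo requests left as 192.168.72.x and nothing came back, which is exactly that missing return route. The following is an added example written for this edit, not code from the thread or from Cisco: it parses an ASA-style object NAT fragment, checks whether the pool lies in the outside-interface subnet, and walks a constructed return path hop by hop through the 2691 and the 3550 routing tables. The 3550 entries follow the `sh ip route` output posted above; the 2691 table, the ISP next hop 203.0.113.1, and the 3550's 192.168.71.1 address are assumptions.

```python
"""Return-path check for a dynamic NAT pool that lies outside the ASA's
outside-interface subnet. Added example; not code from the thread."""
import ipaddress
from typing import Dict, List, Optional, Set, Tuple

IPv4 = ipaddress.IPv4Address
Pool = Tuple[IPv4, IPv4]
Route = Tuple[str, Optional[str]]   # (prefix, next hop); next hop None = directly connected

# Constructed ASA config modelled on the thread: pool 192.168.72.x, outside 192.168.71.2/24.
ASA_CONFIG = """\
object network Auto_NAT
 subnet 192.168.70.0 255.255.255.0
object network Outside_pool
 range 192.168.72.3 192.168.72.100
object network Auto_NAT
 nat (DMZ,outside) dynamic Outside_pool
"""
ASA_OUTSIDE = ipaddress.ip_interface("192.168.71.2/24")

# Constructed routing tables. 3550 entries follow the posted "sh ip route";
# the 2691 table and the ISP next hop 203.0.113.1 are assumptions.
SWITCH_3550: List[Route] = [
    ("192.168.71.0/24", None),
    ("192.168.5.2/31", None),
    ("192.168.72.0/24", "192.168.71.2"),
    ("0.0.0.0/0", "192.168.5.3"),
]
ROUTER_2691_BEFORE: List[Route] = [
    ("192.168.5.2/31", None),
    ("0.0.0.0/0", "203.0.113.1"),
]
ROUTER_2691_AFTER: List[Route] = ROUTER_2691_BEFORE + [("192.168.72.0/24", "192.168.5.2")]
# Interface addresses, used to follow a next hop to the device owning it (192.168.71.1 assumed).
DEVICES: Dict[str, Set[str]] = {
    "2691Router": {"192.168.5.3"},
    "3550SMIA": {"192.168.5.2", "192.168.71.1"},
}


def addr_range(first: str, last: str) -> Pool:
    return (ipaddress.ip_address(first), ipaddress.ip_address(last))


def parse_nat_pool(config: str) -> Pool:
    """Return (first, last) of the pool object named on the 'nat ... dynamic' line."""
    objects: Dict[str, dict] = {}
    current = pool_name = None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("object network "):
            current = line.split()[2]
            objects.setdefault(current, {})
        elif line.startswith("range ") and current:
            _, first, last = line.split()
            objects[current]["range"] = addr_range(first, last)
        elif line.startswith("subnet ") and current:
            _, net, mask = line.split()
            objects[current]["subnet"] = ipaddress.ip_network(f"{net}/{mask}")
        elif line.startswith("nat (") and " dynamic " in line:
            pool_name = line.split(" dynamic ")[1].split()[0]
    obj = objects.get(pool_name or "")
    if obj is None or not ("range" in obj or "subnet" in obj):
        raise ValueError("no object-based dynamic NAT pool found")
    if "range" in obj:
        return obj["range"]
    net = obj["subnet"]
    return (net[0], net[-1])


def pool_in_connected_subnet(pool: Pool, iface: ipaddress.IPv4Interface) -> bool:
    """True when the ASA can answer ARP for the pool on its own link, so no upstream route is needed."""
    return pool[0] in iface.network and pool[1] in iface.network


def lookup(routes: List[Route], dst: IPv4):
    """Longest-prefix match; returns (network, next_hop) or None."""
    best = None
    for prefix, nh in routes:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh)
    return best


def trace_return_path(start: str, tables: Dict[str, List[Route]], devices: Dict[str, Set[str]],
                      dst, asa_outside: ipaddress.IPv4Interface):
    """Follow the routing decision hop by hop from `start` toward a pool address.
    Returns (path, reached) where path is [(device, matched prefix, next hop)]."""
    dst = ipaddress.ip_address(dst)
    path, device, seen = [], start, set()
    while device not in seen:
        seen.add(device)
        hit = lookup(tables[device], dst)
        if hit is None:
            path.append((device, None, None))
            return path, False
        net, nh = hit
        path.append((device, str(net), nh))
        if nh is None:
            # Connected route: the device ARPs on that link. By default the ASA answers
            # only for mapped addresses inside its own outside subnet.
            return path, asa_outside.ip in net and dst in asa_outside.network
        if ipaddress.ip_address(nh) == asa_outside.ip:
            return path, True
        device = next((n for n, addrs in devices.items() if nh in addrs), None)
        if device is None:
            return path, False   # e.g. default route toward the ISP: the pool is black-holed
    return path, False           # routing loop


if __name__ == "__main__":
    pool = parse_nat_pool(ASA_CONFIG)
    print("pool inside outside-interface subnet:", pool_in_connected_subnet(pool, ASA_OUTSIDE))
    for label, table in (("before", ROUTER_2691_BEFORE), ("after", ROUTER_2691_AFTER)):
        tables = {"2691Router": table, "3550SMIA": SWITCH_3550}
        path, ok = trace_return_path("2691Router", tables, DEVICES, pool[0], ASA_OUTSIDE)
        print(f"{label}: reaches ASA={ok} via {path}")
```

With the "before" table the 2691 matches only its default route and hands the reply to the ISP, which mirrors the empty `show arp` and the one-way captures in the thread; with the added `ip route 192.168.72.0 255.255.255.0 192.168.5.2` the trace reaches the 3550 and then the ASA's outside IP. Moving the pool into 192.168.71.0/24 instead makes `pool_in_connected_subnet` true, which is why that variant worked in the original post without any upstream change.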