Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3020
Views
0
Helpful
11
Replies

basic nat not working

Go to solution
Alex Mendez
Level 1
Level 1

‎05-25-2012 09:08 PM - edited ‎03-11-2019 04:12 PM

I am trying to set up a basic configuration and cant figure out why nat is not working. 

my  outside vlan 2 ping public ip address

my inside  vlan 1 does not ping anything public ,

i have

nat (inside) 1 192.168.1.0 255.255.255.0

global (outside) 1 interface

not sure why it does not work. do I need acls?

Pleaes see my config attached

Labels:
128769-asaconfig.txt.zip
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Julio Carvajal
VIP Alumni
VIP Alumni
In response to Alex Mendez

‎06-01-2012 10:22 AM

Hello Alex,

Thanks for letting us know the solution 

Please mark the question as answered so future users can learn from the same issue you had.

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

View solution in original post

0 Helpful
11 Replies 11

Go to solution
Jennifer Halim
Cisco Employee
Cisco Employee

‎05-25-2012 09:20 PM

Please add inspect icmp:

policy-map global_policy

class inspection_default

     inspect icmp

0 Helpful

Go to solution
Alex Mendez
Level 1
Level 1
In response to Jennifer Halim

‎05-25-2012 09:31 PM

Hi Jennifer thank you

my that did not fix my issue.  I can ping my inside hosts from the ASA without specifying an interface and I can ping public ip addresses without specifying an interface

It appears my internal hosts cant reach the internet ,  if i try to ping 208.67.222.222( public dns) from my internal host 192.168.1.20,( server,)  i get no response. 

any ideas?

0 Helpful

Go to solution
Julio Carvajal
VIP Alumni
VIP Alumni
In response to Alex Mendez

‎05-25-2012 09:36 PM

Hello Alex,

Can you provide us the Ipconfig from your PC.

As Jennifer stated you were missing the ICMP stateful inspection, now that you have it you should be able to ping it.

Also provide us the following:

packet-tracer input inside icmp 192.168.1.20 8 0 4.2.2.2

Also add the following capture

capture asp type asp-drop all

Then try to ping from your PC  to 4.2.2.2 and finally provide us the output of :

show capture asp | include 4.2.2.2

Regards,

Julio

Security Engineer

Do rate all the helpful posts

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
0 Helpful

Go to solution
Alex Mendez
Level 1
Level 1
In response to Julio Carvajal

‎05-26-2012 06:32 AM

Hi Julio ,t hanks for responding,  attached is my  packet-tracert configuration

packet tracert output

packet-tracer input  inside icmp 192.168.1.20 8 0 4.2.2$

Phase: 1

Type: ACCESS-LIST

Subtype:

Result: ALLOW

Config:

Implicit Rule

Additional Information:

MAC Access list

Phase: 2

Type: FLOW-LOOKUP

Subtype:

Result: ALLOW

Config:

Additional Information:

Found no matching flow, creating a new flow

Phase: 3

Type: ROUTE-LOOKUP

Subtype: input

Result: ALLOW

Config:

Additional Information:

in   0.0.0.0         0.0.0.0         outside

Phase: 4

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 5

Type: INSPECT

Subtype: np-inspect

Result: ALLOW

Config:

class-map inspection_default

match default-inspection-traffic

policy-map global_policy

class inspection_default

  inspect icmp

service-policy global_policy global

Additional Information:

Phase: 6

Type: INSPECT

Subtype: np-inspect

Result: ALLOW

Config:

Additional Information:

Phase: 7

Type: NAT

Subtype:

Result: ALLOW

Config:

nat (inside) 1 192.168.1.0 255.255.255.0

  match ip inside 192.168.1.0 255.255.255.0 outside any

    dynamic translation to pool 1 ( [Interface PAT])

    translate_hits = 1, untranslate_hits = 0

Additional Information:

Dynamic translate 192.168.1.20/0 to /4 using netmask 255.255.255.255

Phase: 8

Type: NAT

Subtype: host-limits

Result: ALLOW

Config:

nat (inside) 1 192.168.1.0 255.255.255.0

  match ip inside 192.168.1.0 255.255.255.0 inside any

    dynamic translation to pool 1 (No matching global)

    translate_hits = 0, untranslate_hits = 0

Additional Information:

( is this  the issue here?)

Phase: 9

Type: HOST-LIMIT

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 10

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 11

Type: FLOW-CREATION

Subtype:

Result: ALLOW

Config:

Additional Information:

New flow created with id 71, packet dispatched to next module

Phase: 12

Type: ROUTE-LOOKUP

Subtype: output and adjacency

Result: ALLOW

Config:

Additional Information:

found next-hop using egress ifc outside

adjacency Active

next-hop mac address 0026.f324.ba24 hits 294

Result:

input-interface: inside

input-status: up

input-line-status: up

output-interface: outside

output-status: up

output-line-status: up

Action: allow

0 Helpful

Go to solution
Alex Mendez
Level 1
Level 1
In response to Alex Mendez

‎05-26-2012 06:47 AM

Here is my show nat

show nat

NAT policies on Interface inside:

  match ip inside 192.168.1.0 255.255.255.0 inside any

    dynamic translation to pool 1 (No matching global)

    translate_hits = 0, untranslate_hits = 0

  match ip inside 192.168.1.0 255.255.255.0 outside any

    dynamic translation to pool 1 ( [Interface PAT])

    translate_hits = 1, untranslate_hits = 0

  match ip inside 192.168.1.0 255.255.255.0 _internal_loopback any

    dynamic translation to pool 1 (No matching global)

    translate_hits = 0, untranslate_hits = 0

0 Helpful

Go to solution
Alex Mendez
Level 1
Level 1
In response to Julio Carvajal

‎05-26-2012 06:58 AM

THe ipconfig on my linux server is

192.168.1.20

255.255.255.0

192.168.1.1 (cisco asa)

dns 208.67.222.222

0 Helpful

Go to solution
Julio Carvajal
VIP Alumni
VIP Alumni
In response to Alex Mendez

‎05-26-2012 02:37 PM

Hello Alex,

As you marked on the packet tracer that is the issue, there is no translation for those packets..

You are running a very old version but I have not see any bugs related to the ASA to apply the proper translation when the protocol its ICMP...

Is it possible that you could do a hard reload, if this does not solve it I will look into our database for a bug or something related to this odd behavior,

Regards,

Julio

Rate all the helpful posts

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
0 Helpful

Go to solution
Alex Mendez
Level 1
Level 1

‎06-01-2012 10:12 AM

Hi All - thanks for responding,  i fixed the issue by upgrading to asa843.   I then configured nat with the following an d poof! it worke.  

object network  obj-

nat (inside,outside) dynamic interface  

Thanks

0 Helpful

Go to solution
Julio Carvajal
VIP Alumni
VIP Alumni
In response to Alex Mendez

‎06-01-2012 10:22 AM

Hello Alex,

Thanks for letting us know the solution 

Please mark the question as answered so future users can learn from the same issue you had.

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
0 Helpful

Go to solution
Alex Mendez
Level 1
Level 1
In response to Julio Carvajal

‎06-01-2012 11:00 AM

Thanks Julio - i do need help with acl issue, if you can take a look at that, i would appreciat it. Its a new thread,

0 Helpful

Go to solution
ccnpjobhunter
Level 1
Level 1
In response to Alex Mendez

‎06-01-2012 01:15 PM

Upgrade the asdm image too.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card