05-25-2012 09:08 PM - edited 03-11-2019 04:12 PM
I am trying to set up a basic configuration and can't figure out why NAT is not working.
My outside VLAN 2 pings public IP addresses.
My inside VLAN 1 does not ping anything public.
I have:
nat (inside) 1 192.168.1.0 255.255.255.0
global (outside) 1 interface
Not sure why it does not work. Do I need ACLs?
Please see my config attached.
05-25-2012 09:20 PM
Please add inspect icmp:
policy-map global_policy
class inspection_default
inspect icmp
05-25-2012 09:31 PM
Hi Jennifer, thank you.
That did not fix my issue. I can ping my inside hosts from the ASA without specifying an interface, and I can ping public IP addresses without specifying an interface.
It appears my internal hosts can't reach the internet. If I try to ping 208.67.222.222 (public DNS) from my internal host 192.168.1.20 (server), I get no response.
Any ideas?
05-25-2012 09:36 PM
Hello Alex,
Can you provide us the ipconfig from your PC?
As Jennifer stated, you were missing the ICMP stateful inspection; now that you have it you should be able to ping.
Also provide us the following:
packet-tracer input inside icmp 192.168.1.20 8 0 4.2.2.2
Also add the following capture:
capture asp type asp-drop all
Then try to ping from your PC to 4.2.2.2 and finally provide us the output of:
show capture asp | include 4.2.2.2
Regards,
Julio
Security Engineer
Do rate all the helpful posts
05-26-2012 06:32 AM
Hi Julio, thanks for responding. Attached is my packet-tracer configuration.
packet-tracer output
packet-tracer input inside icmp 192.168.1.20 8 0 4.2.2$
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list
Phase: 2
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside
Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 5
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect icmp
service-policy global_policy global
Additional Information:
Phase: 6
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Phase: 7
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside) 1 192.168.1.0 255.255.255.0
match ip inside 192.168.1.0 255.255.255.0 outside any
dynamic translation to pool 1 (
translate_hits = 1, untranslate_hits = 0
Additional Information:
Dynamic translate 192.168.1.20/0 to
Phase: 8
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
nat (inside) 1 192.168.1.0 255.255.255.0
match ip inside 192.168.1.0 255.255.255.0 inside any
dynamic translation to pool 1 (No matching global)
translate_hits = 0, untranslate_hits = 0
Additional Information:
(is this the issue here?)
Phase: 9
Type: HOST-LIMIT
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 10
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 11
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 71, packet dispatched to next module
Phase: 12
Type: ROUTE-LOOKUP
Subtype: output and adjacency
Result: ALLOW
Config:
Additional Information:
found next-hop
adjacency Active
next-hop mac address 0026.f324.ba24 hits 294
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow
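As an added example (not code from the thread, Cisco or the ASA itself): a small Python parser for packet-tracer output that pulls out the phases and flags the two NAT symptoms marked above, a pool with nothing inside the parentheses and "No matching global". The sample is a constructed, trimmed excerpt of the 8.2-style trace posted above.

```python
import re
# Constructed, trimmed excerpt of the 8.2-style packet-tracer output posted above.
SAMPLE = """\
Phase: 7
Type: NAT
Config:
nat (inside) 1 192.168.1.0 255.255.255.0
    dynamic translation to pool 1 (
Dynamic translate 192.168.1.20/0 to
Phase: 8
Type: NAT
Config:
    dynamic translation to pool 1 (No matching global)
Result:
Action: allow
"""

def parse_phases(text):
    """Return [{'num', 'type', 'lines'}] per 'Phase: N' block; a bare 'Result:' ends them."""
    phases, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"Phase:\s*(\d+)$", line)
        if m:
            cur = {"num": int(m.group(1)), "type": "", "lines": []}
            phases.append(cur)
        elif line == "Result:":          # final summary block, not a phase
            cur = None
        elif cur is not None and line.startswith("Type:"):
            cur["type"] = line.split(":", 1)[1].strip()
        elif cur is not None:
            cur["lines"].append(line)
    return phases

def nat_problems(phases):
    """(phase, reason) for NAT phases whose translation resolved to nothing.
    The trace still ends in 'Action: allow', so the final verdict alone hides this."""
    found = []
    for p in phases:
        if p["type"] != "NAT":
            continue
        for line in p["lines"]:
            if "No matching global" in line:
                found.append((p["num"], "no global for pool"))
            elif re.search(r"to pool \d+ \(\s*$", line):
                found.append((p["num"], "empty pool target"))
            elif re.match(r"Dynamic translate \S+ to\s*$", line):
                found.append((p["num"], "translated to nothing"))
    return found
```

Run it over a full `packet-tracer` capture pasted into `SAMPLE`: an empty result list means every NAT phase named a real translation target.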
05-26-2012 06:47 AM
Here is my show nat:
show nat
NAT policies on Interface inside:
match ip inside 192.168.1.0 255.255.255.0 inside any
dynamic translation to pool 1 (No matching global)
translate_hits = 0, untranslate_hits = 0
match ip inside 192.168.1.0 255.255.255.0 outside any
dynamic translation to pool 1 (
translate_hits = 1, untranslate_hits = 0
match ip inside 192.168.1.0 255.255.255.0 _internal_loopback any
dynamic translation to pool 1 (No matching global)
translate_hits = 0, untranslate_hits = 0
05-26-2012 06:58 AM
The ipconfig on my Linux server is:
192.168.1.20
255.255.255.0
192.168.1.1 (cisco asa)
dns 208.67.222.222
05-26-2012 02:37 PM
Hello Alex,
As you marked on the packet tracer, that is the issue: there is no translation for those packets.
You are running a very old version, but I have not seen any bugs related to the ASA applying the proper translation when the protocol is ICMP.
Is it possible that you could do a hard reload? If this does not solve it, I will look into our database for a bug or something related to this odd behavior.
Regards,
Julio
Rate all the helpful posts
06-01-2012 10:12 AM
Hi all, thanks for responding. I fixed the issue by upgrading to asa843. I then configured NAT with the following and poof! It worked.
object network obj-
nat (inside,outside) dynamic interface
Thanks
06-01-2012 10:22 AM
Hello Alex,
Thanks for letting us know the solution
Please mark the question as answered so future users can learn from the same issue you had.
Regards,
Julio
06-01-2012 11:00 AM
Thanks Julio. I do need help with an ACL issue; if you can take a look at that, I would appreciate it. It's a new thread.
06-01-2012 01:15 PM
Upgrade the ASDM image too.