03-08-2012 09:01 AM - edited 03-11-2019 03:39 PM
I've got an ASA 5510 running 8.4.
I have a host on an inside interface, with a static NAT configured on the ASA. The inbound/return half of the NAT doesn't appear to be working.
Config summary:
object network nat-test
host 192.168.100.98
access-list outside_in extended permit icmp any host 1.1.1.1
access-list outside_in extended permit tcp any host 1.1.1.1 eq ssh
object network nat-test
nat (phone-support,outside) static 1.1.1.1
access-group outside_in in interface outside
I run a ping from the host (192.168.100.98) to something on the outside (1.2.3.4).
Running captures, I can see the outbound ping leaving, having been NATed OK. I can see the reply coming back in to the outside interface with the correct IP address, but I never get the final NATed packet appear on the inside interface. The packet just disappears inside the ASA.
I'm sure I've had this before, but I can't for the life of me remember what was wrong.
Can anyone put me out of my misery?
Thanks,
GTG
03-08-2012 02:40 PM
Sorted it:
object network nat-test
host 192.168.100.98
object network nat-test-outside
host 1.1.1.1
access-list outside_in extended permit icmp any object nat-test
access-list outside_in extended permit tcp any object nat-test eq ssh
object network nat-test
nat (inside,outside) source static nat-test nat-test-outside
access-group outside_in in interface outside
Basically, you have to use "objects" for both sides of the NAT, *AND* use the inside object on the ACL.
I always thought ACLs came before NAT...?
GTG
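As an added example that is not from this thread or from Cisco, here is a small Python check for the mistake GTG hit: it parses the object, NAT and access-list lines of an 8.3+ style config and flags ACEs whose destination is the mapped address rather than the real object. The regexes only cover the line forms seen in this thread (host objects, object NAT to a host IP, twice NAT between two objects) and are an assumption, not a full ASA config parser.

```python
import re

# Constructed samples from the two configs in this thread: the first one permits
# the mapped 1.1.1.1 in its ACL, the working one permits the real object.
BROKEN = """\
object network nat-test
 host 192.168.100.98
access-list outside_in extended permit icmp any host 1.1.1.1
access-list outside_in extended permit tcp any host 1.1.1.1 eq ssh
object network nat-test
 nat (phone-support,outside) static 1.1.1.1
"""
FIXED = """\
object network nat-test
 host 192.168.100.98
object network nat-test-outside
 host 1.1.1.1
access-list outside_in extended permit icmp any object nat-test
access-list outside_in extended permit tcp any object nat-test eq ssh
nat (inside,outside) source static nat-test nat-test-outside
"""

def parse_objects(cfg):
    """Map each 'object network' name to its 'host' address."""
    objs, cur = {}, None
    for line in cfg.splitlines():
        if m := re.match(r"object network (\S+)", line):
            cur = m.group(1)
        elif cur and (m := re.match(r"\s*host (\S+)", line)):
            objs[cur] = m.group(1)
    return objs
def mapped_addresses(cfg, objs):
    """Mapped (post-translation) addresses from object NAT and twice NAT lines."""
    mapped = set()
    for line in cfg.splitlines():
        m = (re.match(r"\s*nat \(\S+\) static (\S+)", line)                  # object NAT
             or re.match(r"\s*nat \(\S+\) source static \S+ (\S+)", line))  # twice NAT
        if m:
            mapped.add(objs.get(m.group(1), m.group(1)))
    return mapped
def find_mapped_in_acl(cfg):
    """ACEs whose destination is a mapped address; on 8.3+ the ACL must use the real one."""
    objs = parse_objects(cfg)
    mapped = mapped_addresses(cfg, objs)
    hits = []
    for line in cfg.splitlines():
        m = re.match(r"access-list \S+ extended permit \S+ \S+ (?:host|object) (\S+)", line)
        if m and objs.get(m.group(1), m.group(1)) in mapped:
            hits.append(line)
    return hits
```

Run `find_mapped_in_acl` over a saved running-config: the two ACEs from the first post are reported, the corrected config produces no hits.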
03-08-2012 03:06 PM
GTG,
Yeah, that is how it used to be in OS versions earlier than 8.3. Now they require the object-groups and it is a little different.
Thanks,
Kimberly