Beginer NAT question

Gordon Ross · ‎03-08-2012

I've got an ASA 5510 running 8.4

I have a host on an inside interface, with a static NAT configured on the ASA. The inbound/return half of the NAT doesn't appear to be working.

Config summary:

object network nat-test

host 192.168.100.98

access-list outside_in extended permit icmp any host 1.1.1.1

access-list outside_in extended permit tcp any host 1.1.1.1 eq ssh

object network nat-test

nat (phone-support,outside) static 1.1.1.1

access-group outside_in in interface outside

I run a ping from the host (192.168.100.98) to something on the outside (1.2.3.4)

Running captures, I can see the outbound ping leaving, having been NATed OK. I can see the reply coming back in to the outside interface with the correct IP address, but I never get the final NATed packet appear on the inside interface. The packet just disappears inside the ASA.

I'm sure I've had this before, but I can't for the life of me remember what was wrong.

Can anyone put me out of my misery ?

Thanks,

GTG

Please rate all helpful posts.

Gordon Ross · ‎03-08-2012

Sorted it:

object network nat-test

host 192.168.100.98

object network nat-test-outside

host 1.1.1.1

access-list outside_in extended permit icmp any object nat-test

access-list outside_in extended permit tcp any object nat-test eq ssh

object network nat-test

nat (inside,outside) source static nat-test nat-test-outside

access-group outside_in in interface outside

Basically, you have to use "objects" for both sides of the NAT, *AND* use the inside object on the ACL.

I always thought ACLs came before NAT...?

GTG

Please rate all helpful posts.

Kimberly Adams · ‎03-08-2012

GTG,

Yeah that is how it use to be in OS versions earlier then 8.3. Now they require the object-groups and is a little different.

Thanks,

Kimberly

Thanks and Cheers! Kimberly Please remember to rate helpful posts.