Cisco ASA (8.6) pat-pool not working for dynamic NAT.

ashabe003
Level 1

In Cisco ASA (5515, 8.6), NAT is working only for the outside interface, but when I configured NAT using a Public-IP pool, it didn't translate the local IP.

Like –

interface GigabitEthernet0
nameif inside
security-level 100
ip address 10.10.10.1 255.255.255.252
!
interface GigabitEthernet1
nameif outside
security-level 0
ip address 120.122.50.2 255.255.255.252
!
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
!
object network LAN-USER
range 192.168.150.0 192.168.150.100
!
object network Public-IP-Pool
range 110.80.20.2 110.80.20.3
!
access-list OUT-IN extended permit ip any any
access-list IN-OUT extended permit ip any any
!
access-group IN-OUT in interface inside
access-group OUT-IN in interface outside
!
route outside 0.0.0.0 0.0.0.0 120.122.50.1
route inside 192.168.150.0 255.255.255.0 10.10.10.2
!
nat (inside,outside) source dynamic LAN-USER interface
!

The above NAT configuration is working fine, but when I try to use the Public-IP pool it's not working, like -

nat (inside,outside) source dynamic LAN-USER pat-pool Public-IP-Pool 

Troubleshooting steps were –

Remove existing NAT –

no nat (inside,outside) source dynamic LAN-USER interface
clear xlate
nat (inside,outside) source dynamic LAN-USER pat-pool Public-IP-Pool

Also tried,

object network LAN-USER
range 192.168.150.0 192.168.150.100
!
object network Public-IP
host 110.80.20.4
!
nat (inside,outside) source dynamic LAN-USER Public-IP
The above configuration is also not working.

Running the packet-tracer command showed all phases allowed.

Any help would be greatly appreciated.

Thanks in advance.  

Accepted Solution

Hi,

It looks like the response is not coming back to the ASA. The ICMP request is correctly transmitted by the ASA with the correct NAT address, but there is no response.

Even if the firewall is dropping, we should see the packets in the capture. Usually only hardware drops on the interface are not captured. You may have to check the upstream devices.

Since the PAT IP does not belong to the same subnet as the firewall interface, this might be an ARP issue. The command arp permit-nonconnected is not available in 8.6.

http://www.cisco.com/c/en/us/td/docs/security/asa/asa84/configuration/guide/asa_84_cli_config/intro_intro.html#wp1325357

You can try to configure the NAT with the interface IP; if this works, then it should be an issue with ARP itself and you may have to upgrade the device.

object network LAN-USER
 nat (inside,outside) dynamic interface

Thanks,
Shivapramod M
Please remember to select a correct answer and rate helpful posts

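
As an added example (not from the thread or from Cisco), the check below parses the ASA config excerpts posted in the question and reports, for each dynamic NAT rule, the mapped addresses that lie outside the mapped interface's connected subnet; those are exactly the addresses the next-hop router cannot ARP for unless it has a route for them via the ASA outside IP (or the ASA runs a release with arp permit-nonconnected). The ASA_CONFIG text is constructed from the question's config, and NAT_RE, parse_config and offnet_mapped_addresses are names chosen here.

```python
import ipaddress
import re
# Constructed from the config excerpts posted in the question (ASA 8.6 syntax).
ASA_CONFIG = """\
interface GigabitEthernet1
 nameif outside
 ip address 120.122.50.2 255.255.255.252
!
object network Public-IP-Pool
 range 110.80.20.2 110.80.20.3
!
object network Public-IP
 host 110.80.20.4
!
nat (inside,outside) source dynamic LAN-USER pat-pool Public-IP-Pool
nat (inside,outside) source dynamic LAN-USER Public-IP
nat (inside,outside) source dynamic LAN-USER interface
"""
# groups: real interface, mapped interface, mapped object (or the keyword "interface")
NAT_RE = re.compile(r"^nat \((\S+),(\S+)\) source dynamic \S+ (?:pat-pool )?(\S+)$")

def parse_config(cfg):
    """Return (nameif -> connected network, object name -> list of addresses)."""
    nets, objs, nameif, obj = {}, {}, None, None
    for line in cfg.splitlines():
        words = line.split()
        if not words or words[0] == "!":            # end of interface / object block
            nameif = obj = None
        elif words[0] == "nameif":
            nameif = words[1]
        elif words[:2] == ["ip", "address"] and nameif:
            nets[nameif] = ipaddress.ip_interface(f"{words[2]}/{words[3]}").network
        elif words[:2] == ["object", "network"]:
            obj, objs[words[2]] = words[2], []
        elif words[0] == "host" and obj:
            objs[obj].append(ipaddress.ip_address(words[1]))
        elif words[0] == "range" and obj:
            lo, hi = (int(ipaddress.ip_address(w)) for w in words[1:3])
            objs[obj] = [ipaddress.ip_address(i) for i in range(lo, hi + 1)]
    return nets, objs

def offnet_mapped_addresses(cfg):
    """Map each dynamic NAT line to its mapped IPs outside the mapped interface's
    subnet (empty list = all on-subnet); the next hop cannot ARP for the others."""
    nets, objs = parse_config(cfg)
    findings = {}
    for m in filter(None, map(NAT_RE.match, cfg.splitlines())):
        if m.group(3) != "interface":               # interface PAT is always on-subnet
            findings[m.group(0)] = [str(ip) for ip in objs[m.group(3)]
                                    if ip not in nets[m.group(2)]]
    return findings
```

Running offnet_mapped_addresses(ASA_CONFIG) flags both the pat-pool rule and the single Public-IP rule while skipping the interface rule, which matches what the poster observed.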
Shivapramod M
Level 1

Hi,

This does not look like a configuration issue.

Can you provide the output of the packet tracer taken on the CLI?

packet-tracer input inside icmp 192.168.150.10 8 0 4.2.2.2 detailed

Also provide the output of "show xlate".

Are you seeing any log in ASDM when you initiate the traffic from 192.168.150.0 subnet?

You can try to take captures on the inside and outside interfaces using real traffic to verify whether the ASA is passing the traffic or not.

capture capin interface inside match icmp host <source IP> host <dest IP>

capture capout interface outside match icmp any host <dest IP>

To view the captures, use "show capture capin" and "show capture capout".

Thanks,
Shivapramod M
Please remember to select a correct answer and rate helpful posts

Hi Shivapramod M,

Thanks for your response.

Please find the attached file of packet-tracer output.

I apologize; I'm currently out of the office. Later I'll provide you with the "show xlate" output.

When initiating traffic from the 192.168.150.0 subnet, I got an ASDM log like –

“Deny TCP reverse path check from 192.168.150.2 to 8.8.8.8 on interface outside”

Hi,

It is an ARP issue with the mapped IP not being in the same subnet as the outside interface. Please add a route on the next-hop router for this mapped IP pointing towards the ASA outside interface IP. It is an ARP issue: the next hop has no ARP entry or route to send the packet back to the ASA.

Hope it helps.

Regards,

Akshay Rastogi

Hi 

Please find the attached logs file.

And this time I didn't find any ASDM log.

Thanks.

Hi,
I already mentioned that NAT is working with the interface IP for the LAN-USER object, but I want to use a PAT IP or a single public IP for NAT translation.
I omitted the point-to-point subnet IP and used the same subnet for both the interface and the PAT IP, but got the same result as before: dynamic interface is working but the PAT IP is not.
Maybe I need to check the upstream devices.
Thanks a lot for your time.

Akshay Rastogi
Cisco Employee

Hi,

Please run the below command:

(config)# arp permit-nonconnected

This command was added in version 8.4.5 for permitting ARP requests coming for non-connected subnets:

http://www.cisco.com/c/en/us/td/docs/security/asa/asa-command-reference/A-H/cmdref1/a3.html#pgfId-1837762


The pool you are using for dynamic NAT is in a different subnet than the outside interface. Your ASA outside interface would not respond to the ARP query coming from the upstream device.

Hope it helps.

Regards,

Akshay Rastogi

Remember to rate helpful posts.

Hi,

(config)# arp permit-nonconnected

This command is not working in my ASA (8.6). I think it's not an ARP-related issue because dynamic NAT translation is working for the interface, like –

# nat (inside,outside) source dynamic LAN-USER interface


But it is not working for the Public-IP-Pool or a single Public-IP. I configured that public IP on a workstation, which I want to use for NAT translation, and it's working.

Thanks.
