11-28-2023 12:52 AM
I am trying to use static NAT to make my internal server accessible from the outside interface.
I am able to NAT the switch connected directly to the ASA firewall; however, it doesn't work for a device hanging off that switch.
Am I doing something wrong?
I have drawn my topology here; the ASA software version is 9.12.
11-28-2023 02:21 AM
Did you config acl to allow ping from outside to inside?
11-28-2023 02:33 AM
Yes, I applied an access list to permit all traffic.
The other NAT entry for the directly connected switch to Firewall is working without any issues.
access-list PASS extended permit ip any any
access-group PASS in interface outside
access-group PASS out interface outside
11-28-2023 02:42 AM
From the ASA:
show nat
I need to see the translate and untranslate counts.
MHM
11-28-2023 04:54 AM
I don't have access to the exact switches and firewalls, but what I did was replicate the same scenario in my EVE-NG lab, and I noticed I have the same issue there, so I must be doing something stupid.
Configurations:
!
interface GigabitEthernet0/1
nameif outside
security-level 0
ip address 10.1.15.82 255.255.255.0
!
interface GigabitEthernet0/2
nameif inside
security-level 100
ip address 192.168.0.203 255.255.255.0
!
object network AIMS
host 192.168.0.88
object network SWITCH
host 192.168.0.201
!
object network AIMS
nat (inside,outside) static 10.1.15.81
object network SWITCH
nat (inside,outside) static 10.1.15.83
!
access-list PASS extended permit ip any any
access-group PASS in interface outside
access-group PASS out interface outside
!
------------------------------------------
Verifications:
From PC:
ciscoasa# show xlate
2 in use, 2 most used
Flags: D - DNS, e - extended, I - identity, i - dynamic, r - portmap,
s - static, T - twice, N - net-to-net
NAT from inside:192.168.0.88 to outside:10.1.15.81
flags s idle 0:00:51 timeout 0:00:00
NAT from inside:192.168.0.201 to outside:10.1.15.83
flags s idle 0:06:20 timeout 0:00:00
ciscoasa# show nat
Auto NAT Policies (Section 2)
1 (inside) to (outside) source static AIMS 10.1.15.81
translate_hits = 0, untranslate_hits = 16
2 (inside) to (outside) source static SWITCH 10.1.15.83
translate_hits = 1, untranslate_hits = 5
ciscoasa# show access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
alert-interval 300
access-list PASS; 1 elements; name hash: 0x69403060
access-list PASS line 1 extended permit ip any any (hitcnt=22) 0x7e6cca6f
11-28-2023 06:03 AM
OK, does the server use the FW as its GW, or the SVI of the VLAN on the SW?
The server must use the FW as its GW.
MHM
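A small parser for the ASA "show nat" output posted above, added here as an example (it is not from the thread and not a Cisco tool). It pulls the per-rule translate/untranslate counters and flags rules whose mapped address is being hit from outside while the real host has never opened a connection out through the ASA, which is the pattern the AIMS rule shows and which fits the gateway problem MHM identified: the server was replying via the switch instead of the firewall, so nothing from it ever traversed the inside interface. The sample text is constructed from the output in the thread; the function names are mine.

```python
import re
from typing import Dict, List

# Constructed sample, copied from the "show nat" output posted in the thread.
SAMPLE_SHOW_NAT = """\
Auto NAT Policies (Section 2)
1 (inside) to (outside) source static AIMS 10.1.15.81
    translate_hits = 0, untranslate_hits = 16
2 (inside) to (outside) source static SWITCH 10.1.15.83
    translate_hits = 1, untranslate_hits = 5
"""

# "<n> (<src_if>) to (<dst_if>) source static <object> <mapped>"
RULE_RE = re.compile(
    r"^\s*(\d+)\s+\((\S+)\)\s+to\s+\((\S+)\)\s+source\s+static\s+(\S+)\s+(\S+)"
)
# \b keeps the first group from matching inside "untranslate_hits".
HITS_RE = re.compile(r"\btranslate_hits\s*=\s*(\d+),\s*untranslate_hits\s*=\s*(\d+)")


def parse_show_nat(text: str) -> List[Dict]:
    """Parse static auto-NAT rules and their hit counters from 'show nat' output."""
    rules: List[Dict] = []
    current = None
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if m:
            current = {
                "index": int(m.group(1)),
                "src_if": m.group(2),
                "dst_if": m.group(3),
                "object": m.group(4),
                "mapped": m.group(5),
                "translate_hits": None,
                "untranslate_hits": None,
            }
            rules.append(current)
            continue
        h = HITS_RE.search(line)
        if h and current is not None:
            # translate_hits: connections initiated by the real host (inside -> outside)
            # untranslate_hits: connections initiated towards the mapped address (outside -> inside)
            current["translate_hits"] = int(h.group(1))
            current["untranslate_hits"] = int(h.group(2))
    return rules


def flag_inbound_only(rules: List[Dict]) -> List[str]:
    """Return object names whose mapped address is reached from outside while the real
    host has never initiated a flow through the ASA. For a host that should be reachable
    and should answer, this is the first thing to check: does its default gateway point
    at the firewall's inside address rather than at a switch SVI?"""
    return [
        r["object"]
        for r in rules
        if (r["untranslate_hits"] or 0) > 0 and r["translate_hits"] == 0
    ]


if __name__ == "__main__":
    parsed = parse_show_nat(SAMPLE_SHOW_NAT)
    for r in parsed:
        print(f"{r['object']:8} {r['mapped']:14} "
              f"translate={r['translate_hits']} untranslate={r['untranslate_hits']}")
    print("check default gateway on:", flag_inbound_only(parsed))
```

Pipe a live "show nat" capture into parse_show_nat() in place of the constructed sample; the flag is a prompt to check the host's gateway and the return path, not proof on its own, since a host that simply never talks outbound would show the same counters.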
11-28-2023 07:16 PM
Yes, that was the issue. It's fixed after I changed the GW to the FW.
Thanks for your help.