987 Views, 1 Helpful, 6 Replies

Cisco ASA Static NAT Issue with Server not connected directly to ASA

Atif Masood
Level 1

I am trying to use static NAT to make my internal server accessible from the outside interface.
I am able to NAT the switch connected directly to the ASA firewall; however, it doesn't work for the device hanging off that switch.
Am I doing something wrong?

I have drawn my topology here and also the ASA software version is 9.12

Firewall NAT Issue.png

Accepted Solution

OK, does the server use the FW as its GW, or the SVI of the VLAN in the SW?

The server must use fw as gw.

MHM


6 Replies

Did you config acl to allow ping from outside to inside?

Yes, I applied an access list to permit all traffic.
The other NAT entry, for the switch directly connected to the firewall, is working without any issues.

access-list PASS extended permit ip any any
access-group PASS in interface outside
access-group PASS out interface outside

From the ASA:

show nat

I need to see the translate and untranslate counts.

MHM

I don't have access to the exact switches and firewalls, but what I did was replicate the same scenario in my EVE-NG lab, and I noticed I have the same issue there, so I must be doing something stupid.

Configurations:
!
interface GigabitEthernet0/1
nameif outside
security-level 0
ip address 10.1.15.82 255.255.255.0
!
interface GigabitEthernet0/2
nameif inside
security-level 100
ip address 192.168.0.203 255.255.255.0
!
object network AIMS
host 192.168.0.88
object network SWITCH
host 192.168.0.201
!
object network AIMS
nat (inside,outside) static 10.1.15.81
object network SWITCH
nat (inside,outside) static 10.1.15.83
!
access-list PASS extended permit ip any any
access-group PASS in interface outside
access-group PASS out interface outside
!

------------------------------------------

Verifications:
From PC:

ciscoasa# show xlate
2 in use, 2 most used
Flags: D - DNS, e - extended, I - identity, i - dynamic, r - portmap,
s - static, T - twice, N - net-to-net
NAT from inside:192.168.0.88 to outside:10.1.15.81
flags s idle 0:00:51 timeout 0:00:00
NAT from inside:192.168.0.201 to outside:10.1.15.83
flags s idle 0:06:20 timeout 0:00:00

ciscoasa# show nat

Auto NAT Policies (Section 2)
1 (inside) to (outside) source static AIMS 10.1.15.81
translate_hits = 0, untranslate_hits = 16
2 (inside) to (outside) source static SWITCH 10.1.15.83
translate_hits = 1, untranslate_hits = 5


ciscoasa# show access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
alert-interval 300
access-list PASS; 1 elements; name hash: 0x69403060
access-list PASS line 1 extended permit ip any any (hitcnt=22) 0x7e6cca6f 
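The counters in the show nat output above already point at the cause: the AIMS rule has untranslate_hits = 16 but translate_hits = 0, so inbound packets from outside were untranslated to 192.168.0.88, yet no reply ever crossed the ASA from inside to outside. That asymmetry is what you see when the inside host's return path does not go through the firewall. The parser below is an added example written for this thread, not code from Cisco or from the poster; it takes the posted show nat text (embedded here as a constructed sample) and flags static rules that are hit only in the untranslate direction. The function names parse_show_nat and find_one_way_rules are this example's own.

```python
import re

# Constructed sample: the `show nat` output posted above, used as the fixture
# for this parser. Real output usually indents the hit-count lines; the regex
# below tolerates either form.
SAMPLE_SHOW_NAT = """\
Auto NAT Policies (Section 2)
1 (inside) to (outside) source static AIMS 10.1.15.81
    translate_hits = 0, untranslate_hits = 16
2 (inside) to (outside) source static SWITCH 10.1.15.83
    translate_hits = 1, untranslate_hits = 5
"""

# "1 (inside) to (outside) source static AIMS 10.1.15.81"
RULE_RE = re.compile(
    r"^\s*(?P<idx>\d+)\s+\((?P<real_if>[^)]+)\)\s+to\s+\((?P<mapped_if>[^)]+)\)\s+"
    r"source\s+static\s+(?P<obj>\S+)\s+(?P<mapped>\S+)"
)
# "translate_hits = 0, untranslate_hits = 16"
HITS_RE = re.compile(
    r"translate_hits\s*=\s*(?P<t>\d+),\s*untranslate_hits\s*=\s*(?P<u>\d+)"
)


def parse_show_nat(text):
    """Return one dict per static NAT rule found in `show nat` output.

    Each dict carries the rule index, real/mapped interfaces, object name,
    mapped address and both hit counters (None if the counter line is missing).
    """
    rules = []
    current = None
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if m:
            current = {
                "index": int(m.group("idx")),
                "real_if": m.group("real_if"),
                "mapped_if": m.group("mapped_if"),
                "object": m.group("obj"),
                "mapped": m.group("mapped"),
                "translate_hits": None,
                "untranslate_hits": None,
            }
            rules.append(current)
            continue
        h = HITS_RE.search(line)
        if h and current is not None:
            current["translate_hits"] = int(h.group("t"))
            current["untranslate_hits"] = int(h.group("u"))
    return rules


def find_one_way_rules(rules):
    """Return object names of rules that were untranslated (outside -> inside)
    but never translated (inside -> outside).

    For a static NAT that is reached from outside, this pattern means the
    inside host's replies are not passing the ASA, which is exactly the
    default-gateway problem diagnosed in this thread.
    """
    return [
        r["object"]
        for r in rules
        if r["untranslate_hits"] and not r["translate_hits"]
    ]


if __name__ == "__main__":
    parsed = parse_show_nat(SAMPLE_SHOW_NAT)
    for r in parsed:
        print(f"{r['index']} {r['object']} -> {r['mapped']}: "
              f"translate={r['translate_hits']} untranslate={r['untranslate_hits']}")
    for name in find_one_way_rules(parsed):
        print(f"{name}: inbound only, check the inside host's default gateway")
```

Run it against a pasted show nat capture; any object it reports is worth checking first, since a rule with replies flowing would show both counters climbing as the SWITCH rule does.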


Atif Masood
Level 1

Yes, that was the issue. It's fixed after I changed the GW to the FW.
Thanks for your help.
