12-23-2013 12:49 PM - edited 03-11-2019 08:21 PM
Hoping someone can help me figure this one out...
Inside GE0/0 M.M.M.M---------------ASA-----------------Outside N GE1/0 N.N.N.N
----------------Outside P GE1/1 P.P.P.P
Global (Outside N) 1 interface
Global (Outside P) 2 interface
Nat (Inside) 1 0.0.0.0 0.0.0.0
route Outside N 0.0.0.0 0.0.0.0 N.N.N.1
route Inside M.M.M.M 255.255.255.255 M.M.M.1
route Outside P P.P.P.P 255.255.0.0 P.P.P.1
static (Inside, Outside N) N.N.N.X M.M.M.X netmask 255.255.255.255 - this one works fine
static (Inside, Outside P) P.P.P.X M.M.M.X netmask 255.255.255.255 - this one does NOT work
dynamic (ping) from M.M.M.X to P.P.P.X does not work
In the log, I am getting a "portmap translation creation failed for icmp src" Inside dst Outside P
On show nat I see this...
match IP Inside any Outside P any
dynamic translation to pool 1 (No matching global)
translate_hits = 482, untranslate_hits = 0
Help :-(
Ed
12-23-2013 04:09 PM
You have a global for P, but not a NAT. See if you can add-
nat (Inside) 2 0 0
12-24-2013 06:45 AM
CLI says "Duplicate NAT Entry"
It's a shared inside interface for both outside interfaces; that is what is throwing me for a loop. One idea I have is to create a second physical connection on the inside, use the ASA just as two firewalls in one and move the routing back to the core switch (4510).
12-24-2013 09:16 AM
Share the entire configuration to see what is missing, because I also thought what Collin suggested was the issue.
Looking for some Networking Assistance?
Contact me directly at jcarvaja@laguiadelnetworking.com
I will fix your problem ASAP.
Cheers,
Julio Carvajal Segura
http://laguiadelnetworking.com
12-24-2013 09:21 AM
So you're running an ACTIVE/ACTIVE failover with two ASAs? And you have shared interfaces for both 'inside' and 'outside'?
12-27-2013 07:33 AM
Single firewall with links from one internal private network to two external private networks.
End result seems to be that the ASA cannot do the VRF routing that is needed for this application. I moved the routing point back to the 4510 core and just used the ASA as two independent NAT/Firewalls and it is working now.
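An added example, not part of any post in this thread: in the pre-8.3 `nat`/`global` syntax used above, a `nat` ID is only translated on an egress interface that has a `global` with the same ID, which is the condition the "No matching global" line in the `show nat` output reports. The Python check below looks for that mismatch in a configuration; the interface names and addresses in the sample are constructed stand-ins, and the function names are hypothetical.

```python
import re

# Constructed sample mirroring the thread's layout; interface names and
# addresses are stand-ins, not values from the original posts.
SAMPLE_CONFIG = """\
global (OutsideN) 1 interface
global (OutsideP) 2 interface
nat (Inside) 1 0.0.0.0 0.0.0.0
static (Inside,OutsideN) 192.0.2.10 10.0.0.10 netmask 255.255.255.255
"""

NAT_RE = re.compile(r"^nat \((\S+?)\) (\d+) ", re.I)
GLOBAL_RE = re.compile(r"^global \((\S+?)\) (\d+) ", re.I)


def parse(config):
    """Return (nat_ids_by_real_ifc, global_ids_by_mapped_ifc)."""
    nats, globals_ = {}, {}
    for line in config.splitlines():
        line = line.strip()
        if m := NAT_RE.match(line):
            nats.setdefault(m.group(1), set()).add(int(m.group(2)))
        elif m := GLOBAL_RE.match(line):
            globals_.setdefault(m.group(1), set()).add(int(m.group(2)))
    return nats, globals_


def missing_globals(config):
    """List (real_ifc, egress_ifc, nat_id) where no global has that ID.

    Only egress interfaces that carry at least one global statement are
    checked; static translations are ignored because they need no pool.
    """
    nats, globals_ = parse(config)
    findings = []
    for real_ifc, ids in sorted(nats.items()):
        for nat_id in sorted(ids - {0}):  # ID 0 means no translation
            for egress, pool_ids in sorted(globals_.items()):
                if egress != real_ifc and nat_id not in pool_ids:
                    findings.append((real_ifc, egress, nat_id))
    return findings


if __name__ == "__main__":
    for real_ifc, egress, nat_id in missing_globals(SAMPLE_CONFIG):
        print(f"{real_ifc} -> {egress}: nat id {nat_id} has no matching global")
```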