Dynamic NAT configuration on Cisco ASA 5520

Dear Support,

I want to set up dynamic NAT on my Cisco ASA 5520 firewall. I made the configuration below, but I cannot access the internet. Can you help me please?

object network LTY_NAT
 subnet 192.168.176.0 255.255.248.0
object network HQ_NAT
 subnet 192.168.190.0 255.255.255.0
object network CAD_NAT
 subnet 192.168.140.0 255.255.255.0

object-group network ESN_NAT
 network-object object LTY_NAT
 network-object object HQ_NAT
 network-object object CAD_NAT

nat (any,outside) source dynamic ESN_NAT interface

My Cisco ASA is connected on its inside interface (192.168.180.228) to the network 192.168.176.0 255.255.248.0.

Thanks in advance!

2 Accepted Solutions

Hi,

Now, I think the traffic should be allowed for outbound internet.

Check it with the packet tracer again.

Thanks and Regards,

Vibhor Amrodia


Hi,

You can put it in the same NAT statement combined.

Thanks and Regards,

Vibhor Amrodia


24 Replies

Dear Support,

When I try to ping the internet I get this error message from the Real Time Log Viewer:

6 | May 03 2015 | 15:53:41 | 302020 | 192.168.182.45 | 1 | 8.8.8.8 | 0 | Built outbound ICMP connection for faddr 8.8.8.8/0 gaddr 192.168.182.45/1 laddr 192.168.182.45/1

It seems NAT is not working correctly. Syslog 302020 says a connection was built when you tried to ping 8.8.8.8 from 192.168.182.45:

faddr = foreign address (8.8.8.8)

gaddr (global address) = NAT address of 192.168.182.45. This should have been the interface IP address of the ASA.

laddr (local address) = 192.168.182.45

Please try the steps below:

1) Run packet-tracer and see if the NAT rule is being hit.

2) If packet-tracer shows the NAT rule being hit, try a "clear xlate" and then check again.

Thanks

Pranay
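Pranay's reading of the 302020 message (gaddr should be the ASA interface address, not the private source) can be turned into an automated check over lines exported from the Real Time Log Viewer. The following Python script is an added example, not part of the thread or of Cisco's tooling. The sample lines are constructed: the first mirrors the one quoted above, the second shows what a correctly translated ping would look like, and 203.0.113.10 is an assumed outside interface address, which the thread never gives.

```python
import re
from ipaddress import ip_address

# Constructed sample lines in the Real Time Log Viewer column layout
# (severity | date | time | syslog ID | src IP | src port | dst IP | dst port | message).
# 203.0.113.10 is an assumed ASA outside address (not given in the thread).
SAMPLE_LOGS = [
    "6|May 03 2015|15:53:41|302020|192.168.182.45|1|8.8.8.8|0|"
    "Built outbound ICMP connection for faddr 8.8.8.8/0 gaddr 192.168.182.45/1 laddr 192.168.182.45/1",
    "6|May 03 2015|15:54:02|302020|192.168.182.45|1|8.8.8.8|0|"
    "Built outbound ICMP connection for faddr 8.8.8.8/0 gaddr 203.0.113.10/1 laddr 192.168.182.45/1",
    "6|May 03 2015|15:54:10|302021|192.168.182.45|1|8.8.8.8|0|"
    "Teardown ICMP connection for faddr 8.8.8.8/0 gaddr 203.0.113.10/1 laddr 192.168.182.45/1",
]

# faddr/gaddr/laddr triple as it appears in the 302020 message text.
ADDR_RE = re.compile(
    r"faddr (?P<faddr>[\d.]+)/\d+ gaddr (?P<gaddr>[\d.]+)/\d+ laddr (?P<laddr>[\d.]+)/\d+"
)


def parse_302020(line):
    """Return (faddr, gaddr, laddr) for a 302020 'Built outbound' line, else None."""
    fields = line.split("|")
    if len(fields) < 9 or fields[3] != "302020" or not fields[8].startswith("Built outbound"):
        return None
    m = ADDR_RE.search(fields[8])
    if not m:
        return None
    return m.group("faddr"), m.group("gaddr"), m.group("laddr")


def untranslated_outbound(lines):
    """Flag outbound flows to public destinations whose global address still equals
    the private local address, i.e. the packet left the ASA without being NATted."""
    hits = []
    for line in lines:
        parsed = parse_302020(line)
        if parsed is None:
            continue
        faddr, gaddr, laddr = parsed
        if ip_address(faddr).is_private:
            continue  # LAN-to-LAN or VPN traffic: identity NAT is expected there
        if gaddr == laddr and ip_address(laddr).is_private:
            hits.append((laddr, faddr))
    return hits


if __name__ == "__main__":
    for laddr, faddr in untranslated_outbound(SAMPLE_LOGS):
        print(f"untranslated: {laddr} -> {faddr} (gaddr == laddr)")
```

Run against a log export, any hit is a flow that reached the outside interface with an RFC 1918 source, which the upstream router will drop or blackhole; that is exactly the symptom in this thread.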

Hi Pranay,

Thanks for your reply.

Below are the results of packet-tracer:


vpnserver# packet-tracer input outside rawip 192.168.180.100 ?

  <0-255>  Enter the ip protocol id/next header
vpnserver# packet-tracer input outside rawip 192.168.180.100 25
ERROR: % Incomplete command
vpnserver# packet-tracer input outside rawip 192.168.180.100 25 ?

  A.B.C.D  Enter the destination ipv4 address
vpnserver# packet-tracer input outside rawip 192.168.180.100 25 8.8.8.8

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         outside

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:

Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 4
Type:
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: NAT
Subtype:
Result: DROP
Config:
nat (any,outside) source dynamic ESN_NAT interface
Additional Information:

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

vpnserver#

Hi,

The packet-tracer command you executed is incorrect.

As per the NAT statement, you need to use the LAN (inside) interface as the ingress interface for the traffic.

Use the "tcp" option instead of "rawip" and then you will be able to see the source and destination ports.

Use this for reference:

https://supportforums.cisco.com/document/29601/troubleshooting-access-problems-using-packet-tracer

Thanks and Regards,

Vibhor Amrodia

Hi Vibhor Amrodia,

Thanks for your reply.

Below are the results. But the NAT rule and access list chosen by packet-tracer are not the ones I created for the NAT.

My NAT configuration is:

object network LTY_NAT
 subnet 192.168.176.0 255.255.248.0
object network HQ_NAT
 subnet 192.168.190.0 255.255.255.0
object network CAD_NAT
 subnet 192.168.140.0 255.255.255.0

object-group network ESN_NAT
 network-object object LTY_NAT
 network-object object HQ_NAT
 network-object object CAD_NAT

nat (any,outside) source dynamic ESN_NAT interface


vpnserver# packet-tracer input inside tcp 192.168.180.100 53 8.8.8.8 80

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         outside

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group 103 in interface inside
access-list 103 extended permit ip any any
Additional Information:

Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 4
Type:
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside,outside) source static Local_LAN Local_LAN destination static Remote_LAN Remote_LAN
Additional Information:
Static translate 192.168.180.100/53 to 192.168.180.100/53

Phase: 7
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 177738, packet dispatched to next module

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow

vpnserver#

Hi,

This is the issue. If you check NAT phase 6, it is using a different NAT statement.

The problem, I suspect, is that Remote_LAN contains a subnet which is causing all traffic to internet IP addresses to use this NAT as well; it is acting like a NO NAT, i.e. not translating the IP addresses to the interface.

Can you post the contents of this object: Remote_LAN

Thanks and Regards,

Vibhor Amrodia

Hi Vibhor Amrodia,

Thanks!

The object Remote_LAN contains only this subnetwork:

object network Remote_LAN
 subnet 0.0.0.0 0.0.0.0

Ramatoulaye HANE

Hi,

This is the issue. This NAT is probably for the VPN traffic, to prevent it from being NATted.

If you are using VPN, use specific remote subnets; if you are not using VPN, remove this NAT.

Thanks and Regards,

Vibhor Amrodia

Hi Vibhor Amrodia,

I use this NAT for SSL VPN:

object-group network Local_LAN
 network-object 192.168.140.0 255.255.255.0
 network-object 192.168.130.0 255.255.255.0
 network-object 192.168.190.0 255.255.255.0
 network-object 10.71.121.0 255.255.255.0
 network-object 10.71.124.0 255.255.255.0
 network-object 192.168.100.0 255.255.255.0
 network-object 192.168.200.0 255.255.255.0
 network-object 192.168.170.0 255.255.255.0
 network-object 192.168.176.0 255.255.248.0
 network-object 10.71.0.0 255.255.0.0
 network-object 172.28.11.0 255.255.255.0
 network-object 172.28.13.0 255.255.255.0

object network Remote_LAN
 subnet 0.0.0.0 0.0.0.0

So, which network can I specify for this object network Remote_LAN?

Ramatoulaye HANE

Hi,

You need to create an object-group with all these networks in it and use it in place of the 0.0.0.0 object.

You cannot use a single network object for multiple subnets, hence use an object-group and reference it from the NAT statement.

Thanks and Regards,

Vibhor Amrodia

Hi Vibhor Amrodia,

Can you give me an example, because I don't understand what you are saying. Or must I create the local network and remote network with the same network objects?

Hi,

So, to be clear, answer this query for me:

Local subnets:

IP local pool for the SSL VPN:

Thanks and Regards,

Vibhor Amrodia

Hi Vibhor Amrodia,

Local subnets: 192.168.176.0/21, 192.168.190.0/24, 192.168.140.0/24, 192.168.170.0/24

IP local pool for the SSL VPN: ip local pool esn 192.168.182.150-192.168.182.199 mask 255.255.248.0

Thanks!

Ramatoulaye HANE

Hi,

In this case, you would need this configuration:

object-group network LOCAL-SUBNETS
 network-object 192.168.176.0 255.255.248.0
 network-object 192.168.190.0 255.255.255.0
 network-object 192.168.140.0 255.255.255.0
 network-object 192.168.170.0 255.255.255.0

object network Anyconnect
 range 192.168.182.150 192.168.182.199

nat (inside,outside) source static LOCAL-SUBNETS LOCAL-SUBNETS destination static Anyconnect Anyconnect

Thanks and Regards,

Vibhor Amrodia
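To see why the original identity rule swallowed internet traffic and why narrowing the destination object fixes it, here is a small Python model of section 1 manual NAT evaluation (top-down, first match wins) run over the thread's own addresses. It is an added example, not code from the thread or from Cisco. OUTSIDE_IP (203.0.113.10) is an assumed outside interface address, the VPN pool is taken from the ip local pool line posted above, and ingress interfaces are ignored since every rule in the thread egresses on outside.

```python
from ipaddress import IPv4Address, IPv4Network, summarize_address_range


def nets(*cidrs):
    return [IPv4Network(c) for c in cidrs]


def in_any(addr, networks):
    a = IPv4Address(addr)
    return any(a in n for n in networks)


# Address the dynamic rule PATs to. Assumption: the thread never shows the
# outside interface address, so a TEST-NET-3 value stands in for it.
OUTSIDE_IP = "203.0.113.10"

LOCAL_LAN = nets("192.168.176.0/21", "192.168.190.0/24",
                 "192.168.140.0/24", "192.168.170.0/24")
ESN_NAT = nets("192.168.176.0/21", "192.168.190.0/24", "192.168.140.0/24")
ANY = nets("0.0.0.0/0")  # what 'subnet 0.0.0.0 0.0.0.0' in Remote_LAN means
# The SSL VPN pool 192.168.182.150-199 expressed as a list of prefixes.
ANYCONNECT = list(summarize_address_range(IPv4Address("192.168.182.150"),
                                          IPv4Address("192.168.182.199")))

# Rule: (config line, source match, destination match, action), where action is
# "identity" (source kept as-is) or ("pat", address). Section 1 manual NAT is
# evaluated in configuration order and the first match wins; evaluate() mirrors that.
BROKEN = [
    ("nat (inside,outside) source static Local_LAN Local_LAN destination static Remote_LAN Remote_LAN",
     LOCAL_LAN, ANY, "identity"),
    ("nat (any,outside) source dynamic ESN_NAT interface",
     ESN_NAT, ANY, ("pat", OUTSIDE_IP)),
]
FIXED = [
    ("nat (inside,outside) source static LOCAL-SUBNETS LOCAL-SUBNETS destination static Anyconnect Anyconnect",
     LOCAL_LAN, ANYCONNECT, "identity"),
    BROKEN[1],
]


def evaluate(rules, src, dst):
    """Return (matched config line, translated source) for a src->dst packet."""
    for line, src_nets, dst_nets, action in rules:
        if in_any(src, src_nets) and in_any(dst, dst_nets):
            return line, (src if action == "identity" else action[1])
    return None, src  # no section 1 match; a real ASA would go on to sections 2 and 3


if __name__ == "__main__":
    for label, rules in (("broken", BROKEN), ("fixed", FIXED)):
        for src, dst in (("192.168.182.45", "8.8.8.8"), ("192.168.180.100", "192.168.182.160")):
            line, xsrc = evaluate(rules, src, dst)
            print(f"{label}: {src} -> {dst}: source becomes {xsrc}\n    via {line}")
```

With BROKEN, the ping to 8.8.8.8 matches the identity rule first (destination 0.0.0.0/0 covers everything) and leaves with its private source, which is what the 302020 line with gaddr == laddr showed. With FIXED, only traffic to the VPN pool is exempted and the same ping falls through to the dynamic PAT. On the real ASA, confirm the order and hit counts with show nat and the packet-tracer command used earlier in the thread. One caveat the thread's own numbers expose: the pool 192.168.182.150-199 lies inside 192.168.176.0/21, the inside LAN, so the identity rule also matches an inside host that talks to an address in that range; a pool outside the LAN ranges avoids that overlap.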
