05-03-2015 08:54 AM - edited 03-11-2019 10:52 PM
Dear Support,
I want to set up a dynamic NAT on my Cisco ASA 5520 firewall. I made the configuration below, but I cannot access the internet. Can you help me please?
object network LTY_NAT
subnet 192.168.176.0 255.255.248.0
object network HQ_NAT
subnet 192.168.190.0 255.255.255.0
object network CAD_NAT
subnet 192.168.140.0 255.255.255.0
object-group network ESN_NAT
network-object object LTY_NAT
network-object object HQ_NAT
network-object object CAD_NAT
nat (any,outside) source dynamic ESN_NAT interface
My Cisco ASA's inside interface (192.168.180.228) is connected to this network: 192.168.176.0 255.255.248.0.
Thanks in advance!
05-04-2015 06:57 AM
Hi,
Now, I think the traffic should be allowed for outbound internet.
Check it with packet-tracer again.
Thanks and Regards,
Vibhor Amrodia
05-05-2015 08:25 PM
Hi,
You can put them combined in the same NAT statement.
Thanks and Regards,
Vibhor Amrodia
05-03-2015 09:02 AM
Dear Support,
When I try to ping the internet I get this error message from the Real Time Log Viewer:
6 | May 03 2015 | 15:53:41 | 302020 | 192.168.182.45 | 1 | 8.8.8.8 | 0 | Built outbound ICMP connection for faddr 8.8.8.8/0 gaddr 192.168.182.45/1 laddr 192.168.182.45/1 |
05-03-2015 10:42 AM
It seems NAT is not working correctly. Syslog 302020 says a connection was built when you tried to ping 8.8.8.8 from 192.168.182.45.
faddr (foreign address) = 8.8.8.8
gaddr (global address) = NAT address of 192.168.182.45 // this should have been the interface IP address of the ASA
laddr (local address) = 192.168.182.45
Please try the steps below:
1) Run packet-tracer and see if NAT is being hit.
2) If packet-tracer shows NAT being hit, try to do a "clear xlate" and then check.
Thanks
Pranay
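The check Pranay describes (an outbound 302020 whose gaddr equals its laddr means the flow left the ASA untranslated) is easy to run over an exported log. The script below is an added example, not code from this thread or from Cisco: it parses rows in the pipe-separated Real Time Log Viewer format shown above and flags private-to-public flows with no translation. The first row is the one posted in the thread; the second row and the address 203.0.113.10 (standing in for the ASA's outside interface, which the thread never gives) are constructed for contrast.

```python
import ipaddress
import re

# Pipe-separated rows as exported by the ASA Real Time Log Viewer
# (severity | date | time | message-id | src | src-port | dst | dst-port | text).
# Row 1 is the one posted in the thread; row 2 is constructed to show what a
# correctly PATed flow looks like (203.0.113.10 is an assumed outside interface
# address, not one from the thread).
SAMPLE_ROWS = [
    "6 | May 03 2015 | 15:53:41 | 302020 | 192.168.182.45 | 1 | 8.8.8.8 | 0 | "
    "Built outbound ICMP connection for faddr 8.8.8.8/0 gaddr 192.168.182.45/1 laddr 192.168.182.45/1",
    "6 | May 03 2015 | 16:02:10 | 302020 | 192.168.182.45 | 1 | 8.8.8.8 | 0 | "
    "Built outbound ICMP connection for faddr 8.8.8.8/0 gaddr 203.0.113.10/1 laddr 192.168.182.45/1",
]

# Address triple in the text of a %ASA-6-302020 message.
_ADDR_RE = re.compile(
    r"Built (?P<dir>inbound|outbound) ICMP connection for "
    r"faddr (?P<faddr>[\d.]+)/\d+ gaddr (?P<gaddr>[\d.]+)/\d+ laddr (?P<laddr>[\d.]+)/\d+"
)


def parse_302020(row):
    """Return direction and the faddr/gaddr/laddr of a 302020 row, or None for other rows."""
    fields = [f.strip() for f in row.split("|")]
    if len(fields) < 9 or fields[3] != "302020":
        return None
    m = _ADDR_RE.search(fields[8])
    if not m:
        return None
    return {
        "direction": m.group("dir"),
        "faddr": ipaddress.ip_address(m.group("faddr")),
        "gaddr": ipaddress.ip_address(m.group("gaddr")),
        "laddr": ipaddress.ip_address(m.group("laddr")),
    }


def nat_missing(rec):
    """True when an outbound flow from a private laddr to a public faddr left the
    box with gaddr == laddr, i.e. no translation was applied."""
    return (
        rec["direction"] == "outbound"
        and rec["laddr"].is_private
        and rec["faddr"].is_global
        and rec["gaddr"] == rec["laddr"]
    )


def untranslated_flows(rows):
    """(laddr, faddr) for every row that shows a flow leaving without translation."""
    hits = []
    for row in rows:
        rec = parse_302020(row)
        if rec and nat_missing(rec):
            hits.append((str(rec["laddr"]), str(rec["faddr"])))
    return hits


if __name__ == "__main__":
    for laddr, faddr in untranslated_flows(SAMPLE_ROWS):
        print(f"NAT not applied: {laddr} -> {faddr} left with its real address")
```

Run it against a saved export and every hit is a flow the upstream router will drop (or, worse, a flow that leaks internal addressing to the internet); it is the same signal the packet-tracer output later in this thread confirms.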
05-03-2015 11:55 AM
Hi Pranay,
Thanks for your reply.
Below the results of packet tracer:
vpnserver# packet-tracer input outside rawip 192.168.180.100 ?
<0-255> Enter the ip protocol id/next header
vpnserver# packet-tracer input outside rawip 192.168.180.100 25
ERROR: % Incomplete command
vpnserver# packet-tracer input outside rawip 192.168.180.100 25 ?
A.B.C.D Enter the destination ipv4 address
vpnserver# packet-tracer input outside rawip 192.168.180.100 25 8.8.8.8
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside
Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 4
Type:
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 5
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
Phase: 6
Type: NAT
Subtype:
Result: DROP
Config:
nat (any,outside) source dynamic ESN_NAT interface
Additional Information:
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
vpnserver#
05-03-2015 08:39 PM
Hi,
The Packet Trace which you executed is incorrect.
As per the NAT statement, you need to use the LAN (inside) interface as the ingress interface for the traffic.
Use the "tcp" option instead of "rawip" and then you would be able to see the source and destination ports.
Use this for reference:-
https://supportforums.cisco.com/document/29601/troubleshooting-access-problems-using-packet-tracer
Thanks and Regards,
Vibhor Amrodia
05-04-2015 03:28 AM
Hi Vibhor Amrodia,
Thank for your reply.
Below are the results. But the NAT and access list chosen by the packet-tracer command are not the ones I created for the NAT.
My NAT configuration is:
object network LTY_NAT
subnet 192.168.176.0 255.255.248.0
object network HQ_NAT
subnet 192.168.190.0 255.255.255.0
object network CAD_NAT
subnet 192.168.140.0 255.255.255.0
object-group network ESN_NAT
network-object object LTY_NAT
network-object object HQ_NAT
network-object object CAD_NAT
nat (any,outside) source dynamic ESN_NAT interface
vpnserver# packet-tracer input inside tcp 192.168.180.100 53 8.8.8.8 80
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside
Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group 103 in interface inside
access-list 103 extended permit ip any any
Additional Information:
Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 4
Type:
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 5
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
Phase: 6
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside,outside) source static Local_LAN Local_LAN destination static Remote_LAN Remote_LAN
Additional Information:
Static translate 192.168.180.100/53 to 192.168.180.100/53
Phase: 7
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 8
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 177738, packet dispatched to next module
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow
vpnserver#
05-04-2015 03:42 AM
Hi,
This is the issue. If you check NAT phase 6, it is using a different NAT statement.
The problem, I suspect, is that Remote_LAN contains a subnet which also causes all the traffic to internet IP addresses to use this NAT, which is acting like a NONAT, i.e. not translating the IP addresses to the interface.
Can you post the output of this object: Remote_LAN
Thanks and Regards,
Vibhor Amrodia
05-04-2015 04:15 AM
Hi Vibhor Amrodia,
Thanks!
The object Remote_LAN contains only this subnetwork:
object network Remote_LAN
subnet 0.0.0.0 0.0.0.0
Ramatoulaye HANE
05-04-2015 04:24 AM
Hi,
This is the issue. This NAT is probably for the VPN traffic, to prevent it from being NATed.
If you are using VPN, use specific remote subnets; if you are not using VPN, remove this NAT.
Thanks and Regards,
Vibhor Amrodia
05-04-2015 04:43 AM
Hi Vibhor Amrodia,
I use this NAT for SSL VPN:
object-group network Local_LAN
network-object 192.168.140.0 255.255.255.0
network-object 192.168.130.0 255.255.255.0
network-object 192.168.190.0 255.255.255.0
network-object 10.71.121.0 255.255.255.0
network-object 10.71.124.0 255.255.255.0
network-object 192.168.100.0 255.255.255.0
network-object 192.168.200.0 255.255.255.0
network-object 192.168.170.0 255.255.255.0
network-object 192.168.176.0 255.255.248.0
network-object 10.71.0.0 255.255.0.0
network-object 172.28.11.0 255.255.255.0
network-object 172.28.13.0 255.255.255.0
object network Remote_LAN
subnet 0.0.0.0 0.0.0.0
So, which network can I specify for the object network Remote_LAN?
Ramatoulaye HANE
05-04-2015 05:06 AM
Hi,
You need to create an object-group with all these networks in it and replace the 0.0.0.0 in the object.
You cannot use an object for multiple subnets; hence use an object-group and call it from the NAT statement.
Thanks and Regards,
Vibhor Amrodia
05-04-2015 05:12 AM
Hi Vibhor Amrodia,
Can you give me an example, because I don't understand what you mean. Or must I create the local network and remote network with the same network objects?
05-04-2015 05:17 AM
Hi,
So, to be clear, answer this query for me:
Local subnets:
IP local pool for the SSL VPN:
Thanks and Regards,
Vibhor Amrodia
05-04-2015 05:32 AM
Hi Vibhor Amrodia,
Local Subnets: 192.168.176.0/21, 192.168.190.0/24, 192.168.140.0/24, 192.168.170.0/24
IP local pool for the SSL VPN: ip local pool esn 192.168.182.150-192.168.182.199 mask 255.255.248.0
Thanks!
Ramatoulaye HANE
05-04-2015 05:45 AM
Hi,
In this case, you would need this configuration:
object-group network LOCAL-SUBNETS
network-object 192.168.176.0 255.255.248.0
network-object 192.168.190.0 255.255.255.0
network-object 192.168.140.0 255.255.255.0
network-object 192.168.170.0 255.255.255.0
object network Anyconnect
subnet 192.168.182.0 255.255.248.0
nat (inside,outside) source static LOCAL-SUBNETS LOCAL-SUBNETS destination static Anyconnect Anyconnect
Thanks and Regards,
Vibhor Amrodia
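The root cause in this thread is rule order: the ASA walks manual (section 1) NAT rules in configuration order and uses the first one whose source and destination both match, so an identity rule whose destination object is 0.0.0.0/0 swallows every outbound flow before the dynamic PAT rule is ever consulted. The script below is an added example, not code from this thread or from Cisco: it is a deliberately simplified model of that first-match evaluation (no auto NAT, no service matching) using the objects posted above, and it generalises the fix by expressing the SSL VPN pool 192.168.182.150-192.168.182.199 as exact prefixes rather than a /21. The outside interface address 203.0.113.10 is assumed, since the thread never gives it.

```python
import ipaddress
from dataclasses import dataclass

# Simplified model of ASA manual (twice) NAT: section 1 rules are checked in
# configuration order and the first rule whose source AND destination match wins.
# Only what this thread's problem needs is modelled: no auto NAT, no ports.


@dataclass
class NatRule:
    name: str
    sources: list        # list of ip_network
    destinations: list   # list of ip_network
    translation: str     # "identity" (no change) or "interface" (PAT to egress IP)


def nets(*cidrs):
    return [ipaddress.ip_network(c) for c in cidrs]


def _contains(networks, addr):
    return any(addr in n for n in networks)


def first_match(rules, src, dst):
    """Return the first rule matching (src, dst), as the ASA would, or None."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in rules:
        if _contains(rule.sources, src) and _contains(rule.destinations, dst):
            return rule
    return None


def translated_source(rules, src, dst, egress_ip):
    """Source address the packet leaves with, or None if no rule matches."""
    rule = first_match(rules, src, dst)
    if rule is None:
        return None
    return egress_ip if rule.translation == "interface" else src


# Objects from the thread.
ESN_NAT = nets("192.168.176.0/21", "192.168.190.0/24", "192.168.140.0/24")
LOCAL_SUBNETS = nets("192.168.176.0/21", "192.168.190.0/24",
                     "192.168.140.0/24", "192.168.170.0/24")
ANY = nets("0.0.0.0/0")
# The SSL VPN pool 192.168.182.150-192.168.182.199 as exact prefixes, so the
# identity rule covers only the VPN clients and nothing else in 192.168.176.0/21.
VPN_POOL = list(ipaddress.summarize_address_range(
    ipaddress.ip_address("192.168.182.150"), ipaddress.ip_address("192.168.182.199")))

# As found: identity NAT with Remote_LAN = 0.0.0.0/0 sits ahead of the PAT rule.
BROKEN = [
    NatRule("nonat-vpn", LOCAL_SUBNETS, ANY, "identity"),
    NatRule("pat-internet", ESN_NAT, ANY, "interface"),
]
# As fixed: the identity rule is limited to traffic destined for the VPN pool.
FIXED = [
    NatRule("nonat-vpn", LOCAL_SUBNETS, VPN_POOL, "identity"),
    NatRule("pat-internet", ESN_NAT, ANY, "interface"),
]

OUTSIDE_IP = "203.0.113.10"  # assumed outside interface address, not from the thread

if __name__ == "__main__":
    for label, rules in (("broken", BROKEN), ("fixed", FIXED)):
        for dst in ("8.8.8.8", "192.168.182.160"):
            rule = first_match(rules, "192.168.180.100", dst)
            out = translated_source(rules, "192.168.180.100", dst, OUTSIDE_IP)
            print(f"{label}: 192.168.180.100 -> {dst}: rule {rule.name}, leaves as {out}")
```

On the real box, confirm the order with "show nat" and re-run packet-tracer from the inside interface after the change; the NAT phase should now list the dynamic rule for internet destinations and the identity rule only for VPN-pool destinations. Keeping the identity destination as narrow as the pool also avoids the broader hazard of a 0.0.0.0/0 NONAT, which silently exempts every flow from translation.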