Glad to help. Please rate and - Page 2

fisherman0302 · ‎05-02-2017

We are having issues with communication between private networks using a Cisco ASA 5505. When we do a packet tracer we receive the following error.

no nat (inside) 0 access-list inside_nat0_outbound
no nat (ASSR-TRSR) 0 access-list inside1_nat0_outbound
nat (inside) 0 access-list inside1_nat0_outbound
nat (ASSR-TRSR) 0 access-list inside_nat0_outbound

We are trying to allow communication between the ASSR-TRSR network (192.168.100.x) and the inside (192.168.0.1/23)

Here is the config:

Result of the command: "sho run"

: Saved
:
ASA Version 7.2(4)
!
hostname BlaineCountyASA
domain-name default.domain.invalid
names
!
interface Vlan1
no nameif
no security-level
no ip address
!
interface Vlan2
nameif outside
security-level 0
ip address 64.250.198.160 255.255.255.0
!
interface Vlan4
nameif inside
security-level 100
ip address 192.168.1.1 255.255.254.0
!
interface Vlan6
nameif ASSR-TRSR
security-level 100
ip address 192.168.100.2 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
switchport access vlan 4
!
interface Ethernet0/2
switchport access vlan 4
!
interface Ethernet0/3
switchport access vlan 6
!
interface Ethernet0/4
switchport access vlan 3
!
interface Ethernet0/5
switchport access vlan 4
!
interface Ethernet0/6
switchport access vlan 4
!
interface Ethernet0/7
switchport access vlan 4
!
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns server-group DefaultDNS
domain-name default.domain.invalid
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group service PC_Anywhere tcp-udp
description PC Anywhere
port-object eq 5630
port-object eq 5631
access-list 101 extended permit tcp host 64.250.192.5 any eq ssh
access-list 101 extended permit tcp host 208.87.239.180 any eq ssh
access-list 101 extended permit tcp host 65.255.81.200 any eq ssh inactive
access-list 101 extended permit tcp host 65.255.81.202 any eq ssh inactive
access-list 101 extended permit tcp any any eq www
access-list 101 extended permit tcp any any eq 59002
access-list 101 extended permit udp any any eq 59002
access-list 101 extended permit ip any host 64.250.198.162 inactive
access-list 101 extended permit tcp any any eq 3389
access-list 101 extended permit tcp any host 64.250.198.161 eq pcanywhere-data
access-list 101 extended permit tcp 64.250.194.240 255.255.255.248 any eq telnet
access-list 101 extended permit ip any any
access-list 101 extended permit tcp host 64.250.192.5 any eq 8080
access-list 101 extended permit tcp host 64.250.192.5 any eq telnet
access-list Pioneer_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.254.0 192.168.1.180 255.255.255.252
access-list inside_nat0_outbound extended permit ip 10.250.50.0 255.255.255.0 10.250.50.200 255.255.255.248
access-list inside_nat0_outbound extended permit ip host 192.168.1.254 192.168.1.180 255.255.255.252
access-list inside_nat0_outbound extended permit ip host 192.168.1.254 192.168.1.176 255.255.255.240
access-list inside_nat0_outbound extended permit ip host 192.168.1.254 192.168.1.240 255.255.255.240
access-list inside_nat0_outbound extended permit ip any 192.168.1.240 255.255.255.240
access-list inside_nat0_outbound extended permit ip any 192.168.1.192 255.255.255.224
access-list inside_nat0_outbound extended permit ip any 192.168.100.0 255.255.255.0
access-list BlaineCountyCourthouse_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
access-list BlaineCountyCourthouse_splitTunnelAcl standard permit 192.168.100.0 255.255.255.0
access-list BC-Management_splitTunnelAcl standard permit 10.250.50.0 255.255.255.0
access-list Pioneer_splitTunnelAcl_1 standard permit host 192.168.1.254
access-list Pioneer_splitTunnelAcl_2 standard permit host 192.168.1.254
access-list Pioneer1_splitTunnelAcl standard permit any
access-list Pioneer1_splitTunnelAcl_1 standard permit any
access-list ASSR-TRSR_access_in extended permit ip any any
access-list inside1_nat0_outbound extended permit ip any 192.168.0.0 255.255.254.0
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu ASSR-TRSR 1500
ip local pool pioneer 192.168.1.200-192.168.1.210 mask 255.255.255.0
no failover
monitor-interface outside
monitor-interface inside
monitor-interface ASSR-TRSR
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
icmp permit any inside
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside1_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
nat (ASSR-TRSR) 0 access-list inside_nat0_outbound
nat (ASSR-TRSR) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp 64.250.198.161 ssh 192.168.1.254 ssh netmask 255.255.255.255
static (inside,outside) tcp interface ssh 192.168.100.1 ssh netmask 255.255.255.255
static (inside,outside) tcp interface 59002 192.168.1.15 59002 netmask 255.255.255.255
static (inside,outside) udp interface 59002 192.168.1.15 59002 netmask 255.255.255.255
static (inside,outside) tcp interface www 192.168.1.254 www netmask 255.255.255.255
static (inside,outside) tcp interface 3389 192.168.1.200 3389 netmask 255.255.255.255
static (inside,outside) tcp 64.250.198.161 pcanywhere-data 192.168.1.201 pcanywhere-data netmask 255.255.255.255
static (inside,outside) tcp interface 8080 192.168.1.254 8080 netmask 255.255.255.255
static (inside,outside) udp 64.250.198.161 pcanywhere-status 192.168.1.201 pcanywhere-status netmask 255.255.255.255
access-group 101 in interface outside
access-group ASSR-TRSR_access_in in interface ASSR-TRSR
route outside 0.0.0.0 0.0.0.0 64.250.198.1 1
route inside 10.250.50.0 255.255.255.0 192.168.1.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
aaa authentication enable console LOCAL
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
aaa authentication serial console LOCAL
aaa authentication telnet console LOCAL
aaa authorization command LOCAL
http server enable 444
http 0.0.0.0 0.0.0.0 outside
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 40 set pfs group1
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 60 set pfs group1
crypto dynamic-map outside_dyn_map 60 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 80 set pfs group1
crypto dynamic-map outside_dyn_map 80 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 100 set transform-set ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 120 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 140 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet 64.250.192.0 255.255.255.0 outside
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh 64.250.194.240 255.255.255.248 outside
ssh 65.255.81.200 255.255.255.255 outside
ssh 65.255.81.202 255.255.255.255 outside
ssh 64.250.192.0 255.255.255.0 outside
ssh 208.87.239.180 255.255.255.255 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
ssh version 2
console timeout 0
dhcpd dns 64.250.192.64 64.250.192.65
!
dhcpd address 192.168.1.50-192.168.1.175 inside
dhcpd enable inside
!
dhcpd address 192.168.100.75-192.168.100.99 ASSR-TRSR
dhcpd enable ASSR-TRSR
!

group-policy Pioneer internal
group-policy Pioneer attributes
dns-server value 64.250.192.64 64.250.192.65
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Pioneer_splitTunnelAcl_2
group-policy Pioneer_1 internal
group-policy Pioneer_1 attributes
dns-server value 64.250.192.64 64.250.192.65
vpn-tunnel-protocol IPSec
group-policy Pioneer1 internal
group-policy Pioneer1 attributes
dns-server value 64.250.192.64 64.250.192.65
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Pioneer1_splitTunnelAcl
group-policy Pioneer1_1 internal
group-policy Pioneer1_1 attributes
dns-server value 64.250.192.64 64.250.192.65
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Pioneer1_splitTunnelAcl_1
tunnel-group Pioneer1 type ipsec-ra
tunnel-group Pioneer1 general-attributes
address-pool pioneer
default-group-policy Pioneer1_1
tunnel-group Pioneer1 ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:dd1e0721f6454745145f0dbf3612bff2
: end

Result of the command: "sho run"

: Saved
:
ASA Version 7.2(4)
!
hostname BlaineCountyASA
domain-name default.domain.invalid
enable password WhhvJPvpKzk5zzOx encrypted
passwd bKTsJf.2KSXdgiJu encrypted
names
!
interface Vlan1
no nameif
no security-level
no ip address
!
interface Vlan2
nameif outside
security-level 0
ip address 64.250.198.160 255.255.255.0
!
interface Vlan4
nameif inside
security-level 100
ip address 192.168.1.1 255.255.254.0
!
interface Vlan6
nameif ASSR-TRSR
security-level 100
ip address 192.168.100.2 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
switchport access vlan 4
!
interface Ethernet0/2
switchport access vlan 4
!
interface Ethernet0/3
switchport access vlan 6
!
interface Ethernet0/4
switchport access vlan 3
!
interface Ethernet0/5
switchport access vlan 4
!
interface Ethernet0/6
switchport access vlan 4
!
interface Ethernet0/7
switchport access vlan 4
!
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns server-group DefaultDNS
domain-name default.domain.invalid
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group service PC_Anywhere tcp-udp
description PC Anywhere
port-object eq 5630
port-object eq 5631
access-list 101 extended permit tcp host 64.250.192.5 any eq ssh
access-list 101 extended permit tcp host 208.87.239.180 any eq ssh
access-list 101 extended permit tcp host 65.255.81.200 any eq ssh inactive
access-list 101 extended permit tcp host 65.255.81.202 any eq ssh inactive
access-list 101 extended permit tcp any any eq www
access-list 101 extended permit tcp any any eq 59002
access-list 101 extended permit udp any any eq 59002
access-list 101 extended permit ip any host 64.250.198.162 inactive
access-list 101 extended permit tcp any any eq 3389
access-list 101 extended permit tcp any host 64.250.198.161 eq pcanywhere-data
access-list 101 extended permit tcp 64.250.194.240 255.255.255.248 any eq telnet
access-list 101 extended permit ip any any
access-list 101 extended permit tcp host 64.250.192.5 any eq 8080
access-list 101 extended permit tcp host 64.250.192.5 any eq telnet
access-list Pioneer_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.254.0 192.168.1.180 255.255.255.252
access-list inside_nat0_outbound extended permit ip 10.250.50.0 255.255.255.0 10.250.50.200 255.255.255.248
access-list inside_nat0_outbound extended permit ip host 192.168.1.254 192.168.1.180 255.255.255.252
access-list inside_nat0_outbound extended permit ip host 192.168.1.254 192.168.1.176 255.255.255.240
access-list inside_nat0_outbound extended permit ip host 192.168.1.254 192.168.1.240 255.255.255.240
access-list inside_nat0_outbound extended permit ip any 192.168.1.240 255.255.255.240
access-list inside_nat0_outbound extended permit ip any 192.168.1.192 255.255.255.224
access-list inside_nat0_outbound extended permit ip any 192.168.100.0 255.255.255.0
access-list BlaineCountyCourthouse_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
access-list BlaineCountyCourthouse_splitTunnelAcl standard permit 192.168.100.0 255.255.255.0
access-list BC-Management_splitTunnelAcl standard permit 10.250.50.0 255.255.255.0
access-list Pioneer_splitTunnelAcl_1 standard permit host 192.168.1.254
access-list Pioneer_splitTunnelAcl_2 standard permit host 192.168.1.254
access-list Pioneer1_splitTunnelAcl standard permit any
access-list Pioneer1_splitTunnelAcl_1 standard permit any
access-list ASSR-TRSR_access_in extended permit ip any any
access-list inside1_nat0_outbound extended permit ip any 192.168.0.0 255.255.254.0
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu ASSR-TRSR 1500
ip local pool pioneer 192.168.1.200-192.168.1.210 mask 255.255.255.0
no failover
monitor-interface outside
monitor-interface inside
monitor-interface ASSR-TRSR
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
icmp permit any inside
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside1_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
nat (ASSR-TRSR) 0 access-list inside_nat0_outbound
nat (ASSR-TRSR) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp 64.250.198.161 ssh 192.168.1.254 ssh netmask 255.255.255.255
static (inside,outside) tcp interface ssh 192.168.100.1 ssh netmask 255.255.255.255
static (inside,outside) tcp interface 59002 192.168.1.15 59002 netmask 255.255.255.255
static (inside,outside) udp interface 59002 192.168.1.15 59002 netmask 255.255.255.255
static (inside,outside) tcp interface www 192.168.1.254 www netmask 255.255.255.255
static (inside,outside) tcp interface 3389 192.168.1.200 3389 netmask 255.255.255.255
static (inside,outside) tcp 64.250.198.161 pcanywhere-data 192.168.1.201 pcanywhere-data netmask 255.255.255.255
static (inside,outside) tcp interface 8080 192.168.1.254 8080 netmask 255.255.255.255
static (inside,outside) udp 64.250.198.161 pcanywhere-status 192.168.1.201 pcanywhere-status netmask 255.255.255.255
access-group 101 in interface outside
access-group ASSR-TRSR_access_in in interface ASSR-TRSR
route outside 0.0.0.0 0.0.0.0 64.250.198.1 1
route inside 10.250.50.0 255.255.255.0 192.168.1.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
aaa authentication enable console LOCAL
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
aaa authentication serial console LOCAL
aaa authentication telnet console LOCAL
aaa authorization command LOCAL
http server enable 444
http 0.0.0.0 0.0.0.0 outside
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 40 set pfs group1
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 60 set pfs group1
crypto dynamic-map outside_dyn_map 60 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 80 set pfs group1
crypto dynamic-map outside_dyn_map 80 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 100 set transform-set ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 120 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 140 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet 64.250.192.0 255.255.255.0 outside
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh 64.250.194.240 255.255.255.248 outside
ssh 65.255.81.200 255.255.255.255 outside
ssh 65.255.81.202 255.255.255.255 outside
ssh 64.250.192.0 255.255.255.0 outside
ssh 208.87.239.180 255.255.255.255 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
ssh version 2
console timeout 0
dhcpd dns 64.250.192.64 64.250.192.65
!
dhcpd address 192.168.1.50-192.168.1.175 inside
dhcpd enable inside
!
dhcpd address 192.168.100.75-192.168.100.99 ASSR-TRSR
dhcpd enable ASSR-TRSR
!

group-policy Pioneer internal
group-policy Pioneer attributes
dns-server value 64.250.192.64 64.250.192.65
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Pioneer_splitTunnelAcl_2
group-policy Pioneer_1 internal
group-policy Pioneer_1 attributes
dns-server value 64.250.192.64 64.250.192.65
vpn-tunnel-protocol IPSec
group-policy Pioneer1 internal
group-policy Pioneer1 attributes
dns-server value 64.250.192.64 64.250.192.65
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Pioneer1_splitTunnelAcl
group-policy Pioneer1_1 internal
group-policy Pioneer1_1 attributes
dns-server value 64.250.192.64 64.250.192.65
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Pioneer1_splitTunnelAcl_1
username guest password XCliFt2XshXZoRA9 encrypted
username sposterholt password boIS4rk/El4peTMY encrypted privilege 15
username jasanders password eoghszRiUaeEwUGS encrypted privilege 15
username jfreherman password yf0ptveeGqORs3H3 encrypted privilege 15
tunnel-group Pioneer1 type ipsec-ra
tunnel-group Pioneer1 general-attributes
address-pool pioneer
default-group-policy Pioneer1_1
tunnel-group Pioneer1 ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:dd1e0721f6454745145f0dbf3612bff2
: end

Ajay Saini · ‎05-04-2017

This looks good. The actual traffic should work as well. I don't know what you tried earlier.

HTH

-AJ

jasanders · ‎05-05-2017

Looking better...we will update. Thanks so much for your assistance. I have issues working with the older pre-8.3 NAT stuff...

Judith

BlaineCountyASA# packet-tracer input inside tcp 192.168.1.5 3344 192.168.100.5$

Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
static (ASSR-TRSR,inside) 192.168.100.0 192.168.100.0 netmask 255.255.255.0
match ip ASSR-TRSR 192.168.100.0 255.255.255.0 inside any
static translation to 192.168.100.0
translate_hits = 1, untranslate_hits = 1
Additional Information:
NAT divert to egress interface ASSR-TRSR
Untranslate 192.168.100.0/0 to 192.168.100.0/0 using netmask 255.255.255.0

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x3ca63f8, priority=2, domain=permit, deny=false
        hits=541, user_data=0x0, cs_id=0x0, flags=0x3000, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x3ca8700, priority=0, domain=permit-ip-option, deny=true
        hits=8040721, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 5
Type: NAT
Subtype:
Result: ALLOW
Config:
static (inside,ASSR-TRSR) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
match ip inside 192.168.1.0 255.255.255.0 ASSR-TRSR any
    static translation to 192.168.1.0
    translate_hits = 1, untranslate_hits = 1
Additional Information:
Static translate 192.168.1.0/0 to 192.168.1.0/0 using netmask 255.255.255.0
Forward Flow based lookup yields rule:
in id=0x4490050, priority=5, domain=nat, deny=false
        hits=0, user_data=0x44e24f8, cs_id=0x0, flags=0x0, protocol=0
        src ip=192.168.1.0, mask=255.255.255.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 6
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (inside,ASSR-TRSR) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
match ip inside 192.168.1.0 255.255.255.0 ASSR-TRSR any
    static translation to 192.168.1.0
    translate_hits = 1, untranslate_hits = 1
Additional Information:
Forward Flow based lookup yields rule:
in id=0x455df08, priority=5, domain=host, deny=false
        hits=115, user_data=0x44e24f8, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip=192.168.1.0, mask=255.255.255.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 7
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
static (ASSR-TRSR,inside) 192.168.100.0 192.168.100.0 netmask 255.255.255.0
match ip ASSR-TRSR 192.168.100.0 255.255.255.0 inside any
    static translation to 192.168.100.0
    translate_hits = 1, untranslate_hits = 1
Additional Information:
Forward Flow based lookup yields rule:
out id=0x4777290, priority=5, domain=nat-reverse, deny=false
        hits=0, user_data=0x3c79b88, cs_id=0x0, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=192.168.100.0, mask=255.255.255.0, port=0, dscp=0x0

Phase: 8
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (ASSR-TRSR,inside) 192.168.100.0 192.168.100.0 netmask 255.255.255.0
match ip ASSR-TRSR 192.168.100.0 255.255.255.0 inside any
    static translation to 192.168.100.0
    translate_hits = 1, untranslate_hits = 1
Additional Information:
Reverse Flow based lookup yields rule:
in id=0x454cae8, priority=5, domain=host, deny=false
        hits=8, user_data=0x3c79b88, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip=192.168.100.0, mask=255.255.255.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 9
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0x3cd76f8, priority=0, domain=permit-ip-option, deny=true
        hits=3266191, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 10
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 12676367, packet dispatched to next module
Module information for forward flow ...
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_translate
snp_fp_adjacency
snp_fp_fragment
snp_fp_tracer_drop
snp_ifc_stat

Module information for reverse flow ...
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_tcp_normalizer
snp_fp_adjacency
snp_fp_fragment
snp_fp_tracer_drop
snp_ifc_stat

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: ASSR-TRSR
output-status: up
output-line-status

Ajay Saini · ‎05-05-2017

Glad to help. Please rate and mark answer as correct if it helped.

-AJ

fisherman0302 · ‎05-04-2017

works from inside to ASSR but not the other way around.

Result of the command: "packet-tracer input ASSR-TRSR tcp 192.168.100.5 3344 192.168.1.5 80 det"

Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 192.168.0.0 255.255.254.0 inside

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group ASSR-TRSR_access_in in interface ASSR-TRSR
access-list ASSR-TRSR_access_in extended permit ip any any
Additional Information:
Forward Flow based lookup yields rule:
in id=0x3c77c08, priority=12, domain=permit, deny=false
hits=238742, user_data=0x3c84908, cs_id=0x0, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x3cd76f8, priority=0, domain=permit-ip-option, deny=true
hits=3249053, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 5
Type: NAT
Subtype:
Result: ALLOW
Config:
static (ASSR-TRSR,inside) 192.168.100.5 192.168.100.5 netmask 255.255.255.255
match ip ASSR-TRSR host 192.168.100.5 inside any
static translation to 192.168.100.5
translate_hits = 4, untranslate_hits = 6
Additional Information:
Static translate 192.168.100.5/0 to 192.168.100.5/0 using netmask 255.255.255.255
Forward Flow based lookup yields rule:
in id=0x473dde8, priority=5, domain=nat, deny=false
hits=3, user_data=0x3c88f68, cs_id=0x0, flags=0x0, protocol=0
src ip=192.168.100.5, mask=255.255.255.255, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 6
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (ASSR-TRSR,inside) 192.168.100.5 192.168.100.5 netmask 255.255.255.255
match ip ASSR-TRSR host 192.168.100.5 inside any
static translation to 192.168.100.5
translate_hits = 4, untranslate_hits = 6
Additional Information:
Forward Flow based lookup yields rule:
in id=0x3d2bc08, priority=5, domain=host, deny=false
hits=15, user_data=0x3c88f68, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=192.168.100.5, mask=255.255.255.255, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 7
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
nat (inside) 1 0.0.0.0 0.0.0.0
match ip inside any ASSR-TRSR any
dynamic translation to pool 1 (192.168.100.2 [Interface PAT])
translate_hits = 313, untranslate_hits = 0
Additional Information:
Forward Flow based lookup yields rule:
out id=0x3d17d78, priority=1, domain=nat-reverse, deny=false
hits=392, user_data=0x44e4868, cs_id=0x0, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Result:
input-interface: ASSR-TRSR
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

Ajay Saini · ‎05-05-2017

Thats expected since that is a different requirement. If you need communication from both sides, we would need self NAT:

try below:

no static (ASSR-TRSR,inside) 192.168.100.5 192.168.100.5 netmask 255.255.255.255

static (inside,ASSR-TRSR) 192.168.1.0 192.168.1.0 netmask 255.255.255.0

static (ASSR-TRSR,inside) 192.168.100.0 192.168.100.0 netmask 255.255.255.0

-AJ

Dynamic NAT/PAT problems