Solved: Dynamic Nat with Static 1-1 NAT ping issue

J_Vansen_S · ‎08-31-2015

Hi all

we have a ASA ver9.4

Outside - 113.x.x.4 /29 (public IP)

Inside - 192.168.1.0/24

Web server - 192.168.1.88

on the asa i have configured

1. 192.168.1.0 /24 to Dynamically NAT(hide) to outside interface for internet access

2. static 1-1 nat of 192.168.1.88 to 113.x.x.10 at outiside interface

So far my LAN 192.168.1.0 /24 users can successfully access the internet

and from the static nat of the web server 192.168.1.88 -> 113.x.x.10 is working fine

however my problem is that i an unable to ping to the server ip 113.x.x.10 from outside.

i have allowed any any icmp on all interfaces

is this the correct way to configure both dynamic and static nat at the same time? One to interface IP another to actual IP?

I have tried removing the dynamic NaT rule, and the server ping is successful. But that is not my objective. I need both running simultanously

appreciate any advise

Marius Gunnerud · ‎08-31-2015

Where / how have you configured your NAT rules, more specifically the dynamic NAT?

Your static NAT should be either in the manual NAT section (section 1) or in auto-NAT section (section 2). Your Dynamic NAT could be in either auto-NAT or after-auto NAT (section 3).

I would suggest placing all your dynamic NAT statements in the after-auto section and then having static NATs either in manual NAT or auto NAT depending on your requirements and preferences.

--

Please remember to select a correct answer and rate helpful posts

--
Please remember to select a correct answer and rate helpful posts

View solution in original post

Vibhor Amrodia · ‎08-31-2015

Hi,

This will not work.

You need to move the dynamic NAT also to the Object Nat section.

Thanks and Regards,

Vibhor Amrodia

View solution in original post

Vibhor Amrodia · ‎08-31-2015

Hi,

I think if removing the Dynamic NAT , ping is successful , it might be an issue with the NAT sequencing.

Would you be able to share the related NAT and ACL configuration ?

Thanks and Regards,

Vibhor Amrodia

J_Vansen_S · ‎08-31-2015

this there,

below is my NAT config

nat (INSIDE,Outside) source dynamic LAN-192.168 interface
!
object network WEB-192
nat (INSIDE,Outside) static DNS-ext

LAN-192.168 = 192.168.0.0/16
WEB-192 = 192.168.8.88
WEB-ext = 113.123.12.10 /29 PUBLIC IP
Outside internet = 113.123.12.4 /29 PUBLIC IP

Appreciate any advise

Vibhor Amrodia · ‎08-31-2015

Hi,

This will not work.

You need to move the dynamic NAT also to the Object Nat section.

Thanks and Regards,

Vibhor Amrodia

J_Vansen_S · ‎09-01-2015

Thanks Vibhor

As per your instruction. This as below works; ie to move the dynamic NAT to object nat section

object network LAN-192.168
nat (INSIDE,Outside) dynamic interface
object network test-hostNATstatic
nat (INSIDE,Outside) static DNS-ext

Also most importantly on top of that, i need to turn on ICMP inspection on service policy

Thanks Guys!

Marius Gunnerud · ‎08-31-2015

Where / how have you configured your NAT rules, more specifically the dynamic NAT?

Your static NAT should be either in the manual NAT section (section 1) or in auto-NAT section (section 2). Your Dynamic NAT could be in either auto-NAT or after-auto NAT (section 3).

I would suggest placing all your dynamic NAT statements in the after-auto section and then having static NATs either in manual NAT or auto NAT depending on your requirements and preferences.

--

Please remember to select a correct answer and rate helpful posts

--
Please remember to select a correct answer and rate helpful posts

Peter Koltl · ‎09-02-2015

ASDM or show xlate command helps you understand the structure and order.