suprisha
Beginner

Dynamic PAT ASA 9.1(2)

I am trying to simply configure Dynamic PAT but am getting (nat-xlate-failed) NAT failed. I tried all possible permutations and combinations, but it does not seem to be working.

 


Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         outside

Phase: 2
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside,outside) source dynamic obj-192.168.10.0 interface
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7fff32d8c900, priority=6, domain=nat, deny=false
        hits=5, user_data=0x7fff33b955c0, cs_id=0x0, flags=0x0, protocol=0
        src ip/id=192.168.10.0, mask=255.255.255.0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
        input_ifc=inside, output_ifc=outside

Phase: 3
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7fff32fc1a20, priority=0, domain=nat-per-session, deny=true
        hits=1868, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
        input_ifc=any, output_ifc=any

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7fff33ad5f70, priority=0, domain=inspect-ip-options, deny=true
        hits=2137, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
        input_ifc=inside, output_ifc=any

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (nat-xlate-failed) NAT failed

Here is the config that I am using:

 

hostname ciscoasa
names
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address {Wan-ip}
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.10.1 255.255.255.0
!
interface GigabitEthernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!

object network OBJ_GENERIC_ALL
 subnet 0.0.0.0 0.0.0.0
object network obj-192.168.10.0
 subnet 192.168.10.0 255.255.255.0

pager lines 24
mtu outside 1500
mtu inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source dynamic obj-192.168.10.0 interface
access-group Inside-outside in interface outside
route outside 0.0.0.0 0.0.0.0 {wan-gateway} 1

timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00

!

 

Everything seems correct to me. Could someone help me with this?

1 REPLY
shijomon scaria
Beginner

Hi,

 

Try the following syntax.

 

ASA(config)# object network <Obj-Group-Name>
ASA(config-network-object)# subnet 192.168.10.0 255.255.255.0
ASA(config-network-object)# nat (inside,outside) dynamic interface

 

Regards,

Shijomon.
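
Added example (not part of the original thread, and not Cisco code): a small Python parser for the packet-tracer output format posted in the question. It extracts the rule each NAT phase matched and flags the pattern seen there, where every phase reports ALLOW but the final action is drop. The function names and the abbreviated sample trace are constructed for illustration.

```python
import re
# Constructed sample: abbreviated trace in the format shown in the question.
SAMPLE_TRACE = """\
Phase: 1
Type: ROUTE-LOOKUP
Result: ALLOW
Additional Information:
in   0.0.0.0         0.0.0.0         outside

Phase: 2
Type: NAT
Result: ALLOW
Config:
nat (inside,outside) source dynamic obj-192.168.10.0 interface
Additional Information:

Result:
Action: drop
Drop-reason: (nat-xlate-failed) NAT failed
"""

def parse_packet_tracer(text):
    """Return (phases, final): one dict per 'Phase:' block plus the closing 'Result:' block."""
    phases, final, current, last_key = [], {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"^([A-Za-z][A-Za-z -]*):\s*(.*)$", line)
        if m:
            last_key, value = m.group(1), m.group(2)
            if last_key == "Phase":
                current = {"Phase": int(value)}
                phases.append(current)
            elif last_key == "Result" and not value:
                current = final  # a bare "Result:" opens the final summary block
            elif current is not None:
                current[last_key] = value
        elif line and last_key == "Config" and current is not None:
            current["Config"] = line  # the matched rule is printed on the line after "Config:"
    return phases, final

def summarize(text):
    """Final action, drop code, NAT rules matched, and any phase that did not ALLOW."""
    phases, final = parse_packet_tracer(text)
    blocked = [p["Phase"] for p in phases if p.get("Result") != "ALLOW"]
    code = re.match(r"\(([^)]+)\)", final.get("Drop-reason", ""))
    nat = [p["Config"] for p in phases if p.get("Type") == "NAT" and p.get("Config")]
    return {"action": final.get("Action"), "drop_code": code and code.group(1),
            "blocked_phases": blocked, "nat_rules": nat,
            "dropped_after_all_allow": final.get("Action") == "drop" and not blocked}
```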
