icmp: echo reply Drop-reason: (nat-xlate-failed) NAT failed

CamarR (Level 1)

Hi,

For labbing and study purposes, I am currently working on a physical infra that I've set up, and I'm facing some obstacles: I use an ASA 5506 (9.8) with an inside/outside zone.

I'm trying to ping my inside from the outside, but with no success (there is a PAT from inside to outside, a default route, ICMP inspection and a rule to allow ping from a specific host from outside to inside).

Wireshark shows the ICMP echo received at the LAN host, the reply sent back and passing through the IPS/IDS (there is a translation at this node).

But the reply is dropped at the ASA node (capture asp-drop shows 172.16.34.1 > 172.16.93.33: icmp: echo reply Drop-reason: (nat-xlate-failed) NAT failed). There isn't a single log linked with that issue on the syslog server.

Is the multiple PAT (cascade) causing problems? Do I have to create a service object in the ASA for outgoing ICMP echo-reply, maybe?

Please, I need some guidance.

Thank you.

Attached: mock-up + ASA config.

2 Replies

PAT would not be used to translate the traffic coming from the outside to the inside. You need a static NAT rule on both the ASA and the router, example:


object network Host-192.168.34.19
 host 192.168.34.19
 nat (inside,outside) static interface


and on the router:

ip nat inside source static 192.168.33.19 192.168.34.19
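The reply above rests on one distinction: dynamic PAT only translates flows that start on the inside, while a static NAT rule is a bidirectional mapping that an outside-initiated packet can use. The following Python model is added here as an illustration; it is not code from this thread, from the ASA, or from Cisco. It simulates a toy xlate table with the thread's addresses for the outside host (172.16.93.33), the inside host (172.16.31.19) and the router's outside address (172.16.34.1); the mapped address 172.16.34.19 is a constructed placeholder, and the port bookkeeping and the "no xlate means drop" outcome are simplifying assumptions of the model, not a description of the ASA's internals.

```python
"""Toy model of dynamic PAT versus static NAT on a stateful firewall.

Constructed simulation for illustration only; it is not ASA code and
the addresses below are taken from the thread or are placeholders.
"""
from dataclasses import dataclass, field
import ipaddress


@dataclass
class Packet:
    src: str
    dst: str
    src_port: int = 0   # for ICMP this stands in for the echo identifier
    dst_port: int = 0


@dataclass
class NatTable:
    # real inside IP -> mapped outside IP (bidirectional, needs no state)
    static: dict = field(default_factory=dict)
    # (inside subnet, PAT address): an xlate is only created by traffic
    # that originates on the inside
    dynamic_pat: list = field(default_factory=list)
    # active xlates: (mapped_ip, mapped_port) -> (real_ip, real_port)
    xlates: dict = field(default_factory=dict)
    next_port: int = 1024

    def add_static(self, real_ip, mapped_ip):
        self.static[real_ip] = mapped_ip

    def add_dynamic_pat(self, inside_subnet, pat_ip):
        self.dynamic_pat.append((ipaddress.ip_network(inside_subnet), pat_ip))

    def outbound(self, pkt):
        """Inside -> outside: static rule first, then dynamic PAT (creates an xlate)."""
        if pkt.src in self.static:
            return Packet(self.static[pkt.src], pkt.dst, pkt.src_port, pkt.dst_port)
        for net, pat_ip in self.dynamic_pat:
            if ipaddress.ip_address(pkt.src) in net:
                port = self.next_port
                self.next_port += 1
                self.xlates[(pat_ip, port)] = (pkt.src, pkt.src_port)
                return Packet(pat_ip, pkt.dst, port, pkt.dst_port)
        return pkt  # no NAT rule matches: forwarded untranslated

    def inbound(self, pkt):
        """Outside -> inside: untranslate via a static mapping or an existing xlate."""
        for real_ip, mapped_ip in self.static.items():
            if pkt.dst == mapped_ip:
                return Packet(pkt.src, real_ip, pkt.src_port, pkt.dst_port)
        key = (pkt.dst, pkt.dst_port)
        if key in self.xlates:
            real_ip, real_port = self.xlates[key]
            return Packet(pkt.src, real_ip, pkt.src_port, real_port)
        return None  # no translation exists: the model's "nat-xlate-failed"


OUTSIDE_HOST = "172.16.93.33"   # from the thread
INSIDE_HOST = "172.16.31.19"    # from the thread
PAT_ADDRESS = "172.16.34.1"     # router outside address, from the thread
MAPPED_HOST = "172.16.34.19"    # constructed placeholder for a static mapping


def demo_dynamic_only():
    """Outside-initiated ping with only dynamic PAT: nothing to untranslate."""
    nat = NatTable()
    nat.add_dynamic_pat("172.16.31.0/24", PAT_ADDRESS)
    return nat.inbound(Packet(OUTSIDE_HOST, PAT_ADDRESS, 7, 7))   # None


def demo_static():
    """Same ping against a static mapping: untranslated to the real host."""
    nat = NatTable()
    nat.add_dynamic_pat("172.16.31.0/24", PAT_ADDRESS)
    nat.add_static(INSIDE_HOST, MAPPED_HOST)
    return nat.inbound(Packet(OUTSIDE_HOST, MAPPED_HOST, 7, 7))   # dst 172.16.31.19


def demo_reply_via_xlate():
    """Inside-initiated ping: the outbound packet creates the xlate the reply needs."""
    nat = NatTable()
    nat.add_dynamic_pat("172.16.31.0/24", PAT_ADDRESS)
    out = nat.outbound(Packet(INSIDE_HOST, OUTSIDE_HOST, 7, 7))
    reply = Packet(OUTSIDE_HOST, out.src, 7, out.src_port)
    return nat.inbound(reply)   # dst 172.16.31.19, dst_port 7


if __name__ == "__main__":
    print("dynamic PAT only, outside-initiated:", demo_dynamic_only())
    print("static NAT, outside-initiated:     ", demo_static())
    print("dynamic PAT, inside-initiated:     ", demo_reply_via_xlate())
```

The three functions show the directionality the reply is pointing at: the same dynamic PAT rule that carries an inside-initiated ping and its reply has no entry to offer a ping that starts on the outside, whereas the static mapping answers in both directions without any prior flow.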

Here's the topo:

1- Ping from the outside host is initiated (172.16.93.33 tries to ping, from the outside, a host on the inside, 172.16.31.19)

2- ICMP arrives at the ASA (ICMP source 172.16.93.33, destination 172.16.31.19)

3- The ASA routes the ICMP packet to the inside LAN

        * For that I added a static route for the inside LAN (route 172.16.31.0 to 172.16.34.1 [IPS/IDS router])

        * 2 reasons for that: first, for the DHCP discovery, because the DHCP server is on the outside, and secondly for when I need to test ping; yes, I know it's not recommended

4- The ICMP packet arrives at the IPS/IDS router, which is directly connected to network 172.16.31.0/24

     (ICMP packet source 172.16.93.33, dest 172.16.31.19)

5- The host sends back the reply (source 172.16.31.19, dest 172.16.93.33)

6- The ICMP reply packet arrives at the IPS/IDS and is translated to the outside (in our case toward the ASA)

        * 172.16.31.19 is translated to 172.16.34.1:xxxxx

        * our packet is now: source 172.16.34.1:xxxxx, dest 172.16.93.33

7- The ICMP reply arrives at the ASA with a source address of 172.16.34.1:xxxxx and dest 172.16.93.33

        * and the failure begins here

        * log in the ASA: 172.16.34.1 > 172.16.93.33: icmp: echo reply Drop-reason: (nat-xlate-failed) NAT failed

        * question: why does NAT fail?

I have PAT on the router (IPS/IOS) and the ASA, both from inside to outside. Do I have to remove the PAT on both units and replace it with static routing (adding routes one by one, according to the needs of the networks)?

Or do I keep PAT and add SNAT like you mention in your response? In that case, alongside the PAT inside > outside in the ASA, I just have to add an SNAT entry for my host located on the inside LAN, right? But the host's LAN traffic should normally be translated with PAT, no? Why add an SNAT for it a second time?

I'm confused a little bit. Please help. Thank you.

Feel free to ask if you need more info.
