Identity NAT on ASA running Version 9.0(1)

Bouki
Level 1

Hi guys,

I cannot have access without Identity NAT configured.

Object: LAN

object network LAN
 subnet 10.100.52.0 255.255.255.0

NAT:

object network LAN
 nat (inside,outside) static 10.100.52.0 no-proxy-arp route-lookup

I want to emphasise that there is no PAT configured and this is the only NAT statement configured on the box; without it I cannot access the Internet.

Why do I need the Identity NAT if there is no other statement shadowing it?

Many thanks

3 Replies

Rahul Govindan
VIP Alumni

That shouldn't be the case. Can you run a packet-tracer without the nat rule in place and share the output? Something like:

packet-tracer input inside tcp <client-ip> 12345 4.2.2.2 80 detailed

Bouki
Level 1

Hi,

I appreciate the quick reply.

Hi,

Thanks for the update.

Here is the output:


Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         outside

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside_access_in in interface inside
access-list inside_access_in extended permit ip any any log disable
Additional Information:

Phase: 4
Type: NAT
Subtype:
Result: ALLOW
Config:
object network LAN
 nat (inside,outside) static 10.100.52.0 no-proxy-arp route-lookup
Additional Information:
Static translate 10.100.52.23/25685 to 10.100.52.23/25685

Phase: 5
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: INSPECT
Subtype: inspect-ftp
Result: ALLOW
Config:
class-map class-default
 match any
policy-map global_policy
 class class-default
  inspect ftp
service-policy global_policy global
Additional Information:

Phase: 8
Type: FOVER
Subtype: standby-update
Result: ALLOW
Config:
Additional Information:

Phase: 9
Type:
Subtype:      
Result: ALLOW
Config:
Additional Information:

Phase: 10
Type: USER-STATISTICS
Subtype: user-statistics
Result: ALLOW
Config:
Additional Information:

Phase: 11
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 12
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 13
Type: USER-STATISTICS
Subtype: user-statistics
Result: ALLOW
Config:
Additional Information:

Phase: 14
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 960453070, packet dispatched to next module

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow

Many thanks.
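Reading a packet-tracer transcript by eye works for one run, but when comparing the run above (identity NAT present) with the run without the NAT rule that Rahul asked for, it helps to have the phases and the final action pulled out mechanically. The following is an added example, not code from this thread or from Cisco: a small Python parser that splits the transcript into phase records, extracts the NAT translation line and flags whether it was an identity translation (source address unchanged after NAT), and reports which phase, if any, returned something other than ALLOW. The sample transcripts are constructed excerpts modelled on the output posted above (the DROP sample is an illustration, not a capture), and the function names are assumptions.

```python
"""Summarise a Cisco ASA `packet-tracer ... detailed` transcript.
Added example (not from the thread, not Cisco code). Helper names are assumptions;
the sample transcripts are constructed excerpts, not captures from a device."""
from __future__ import annotations
import re
from dataclasses import dataclass, field

# Constructed excerpt: the identity-NAT case from the thread, phases trimmed.
SAMPLE_ALLOW = """\
Phase: 4
Type: NAT
Subtype:
Result: ALLOW
Config:
object network LAN
 nat (inside,outside) static 10.100.52.0 no-proxy-arp route-lookup
Additional Information:
Static translate 10.100.52.23/25685 to 10.100.52.23/25685

Phase: 14
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 960453070, packet dispatched to next module

Result:
input-interface: inside
output-interface: outside
Action: allow
"""

# Constructed illustration of a failing run (not a real capture): one phase
# returns DROP and the summary Action is drop.
SAMPLE_DROP = """\
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: DROP
Config:
Additional Information:

Result:
input-interface: inside
Action: drop
"""

@dataclass
class Phase:
    number: int
    type: str = ""
    subtype: str = ""
    result: str = ""
    config: list[str] = field(default_factory=list)
    info: list[str] = field(default_factory=list)

def parse_packet_tracer(text: str) -> tuple[list[Phase], dict[str, str]]:
    """Split the transcript into Phase records plus the final key/value summary."""
    phases: list[Phase] = []
    summary: dict[str, str] = {}
    current: Phase | None = None
    section = None  # "config", "info" or "summary"
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.startswith("Phase:"):
            current = Phase(number=int(line.split(":", 1)[1]))
            phases.append(current)
            section = None
        elif line == "Result:":  # bare header: the per-packet summary begins
            current, section = None, "summary"
        elif section == "summary":
            if ":" in line:
                key, value = line.split(":", 1)
                summary[key.strip()] = value.strip()
        elif current is None:
            continue
        elif line.startswith("Type:"):
            current.type = line.split(":", 1)[1].strip()
        elif line.startswith("Subtype:"):
            current.subtype = line.split(":", 1)[1].strip()
        elif line.startswith("Result:"):
            current.result = line.split(":", 1)[1].strip()
        elif line == "Config:":
            section = "config"
        elif line == "Additional Information:":
            section = "info"
        elif line and section == "config":
            current.config.append(line)
        elif line and section == "info":
            current.info.append(line)
    return phases, summary

TRANSLATE_RE = re.compile(r"translate (\S+)/(\d+) to (\S+)/(\d+)")

def nat_translations(phases: list[Phase]) -> list[tuple[int, str, str, bool]]:
    """(phase, original, translated, identity?) for each NAT phase reporting a translation."""
    found = []
    for p in phases:
        if p.type != "NAT":
            continue
        for line in p.info:
            m = TRANSLATE_RE.search(line)
            if m:  # identity NAT: the address is unchanged by the translation
                found.append((p.number, f"{m[1]}:{m[2]}", f"{m[3]}:{m[4]}", m[1] == m[3]))
    return found

def summarise(text: str) -> dict:
    phases, summary = parse_packet_tracer(text)
    dropped = [p for p in phases if p.result != "ALLOW"]
    return {
        "phases": len(phases),
        "action": summary.get("Action"),
        "output_interface": summary.get("output-interface"),
        "drop_phase": f"{dropped[0].number}:{dropped[0].type}" if dropped else None,
        "nat": nat_translations(phases),
    }

if __name__ == "__main__":
    for name, text in (("allow", SAMPLE_ALLOW), ("drop", SAMPLE_DROP)):
        print(name, summarise(text))
```

Paste a full transcript in place of the constructed samples; the "nat" entry shows whether the matched rule actually changed the address (for the identity rule above it does not), and "drop_phase" names the first phase that did not ALLOW, which is the line to look at when the run without the NAT rule fails.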

Run one without the NAT in place.

Also, you mentioned that internet does not work without the identity NAT in place, correct? Is there another NAT device sitting ahead of this Firewall?
