04-09-2018 03:56 PM - edited 02-21-2020 07:36 AM
Hi guys,
I cannot have access without Identity NAT configured.
Object: LAN
object network LAN
subnet 10.100.52.0 255.255.255.0
NAT:
object network LAN
nat (inside,outside) static 10.100.52.0 no-proxy-arp route-lookup
I want to emphasise that there is no PAT configured and this is the only NAT statement configured on the box; without it I cannot access the Internet.
Why do I need the Identity NAT if there is no other statement shadowing it?
Many thanks
04-10-2018 10:10 AM
That shouldn't be the case. Can you run a packet-tracer without the nat rule in place and share the output? Something like:
packet-tracer input inside tcp <client-ip> 12345 4.2.2.2 80 detailed
04-12-2018 03:16 AM
Hi,
I appreciate the quick reply.
Hi,
Thanks for the update.
Here is the output:
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside
Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside_access_in in interface inside
access-list inside_access_in extended permit ip any any log disable
Additional Information:
Phase: 4
Type: NAT
Subtype:
Result: ALLOW
Config:
object network LAN
nat (inside,outside) static 10.100.52.0 no-proxy-arp route-lookup
Additional Information:
Static translate 10.100.52.23/25685 to 10.100.52.23/25685
Phase: 5
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 7
Type: INSPECT
Subtype: inspect-ftp
Result: ALLOW
Config:
class-map class-default
match any
policy-map global_policy
class class-default
inspect ftp
service-policy global_policy global
Additional Information:
Phase: 8
Type: FOVER
Subtype: standby-update
Result: ALLOW
Config:
Additional Information:
Phase: 9
Type:
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 10
Type: USER-STATISTICS
Subtype: user-statistics
Result: ALLOW
Config:
Additional Information:
Phase: 11
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 12
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 13
Type: USER-STATISTICS
Subtype: user-statistics
Result: ALLOW
Config:
Additional Information:
Phase: 14
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 960453070, packet dispatched to next module
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow
Many thanks.
04-12-2018 08:38 AM
Run one without the NAT in place.
Also, you mentioned that internet does not work without the identity NAT in place, correct? Is there another NAT device sitting ahead of this Firewall?
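An added example, not part of any post in this thread: a small Python parser for packet-tracer output in the layout posted above. It lists the configured NAT rules a trace matched and flags identity translations, which makes it easy to confirm whether a trace was taken with the NAT rule removed. The sample text and the function names are constructed for illustration.

```python
import re
# Constructed sample: two NAT phases and the summary, in the layout of the trace posted above.
SAMPLE = """Phase: 4
Type: NAT
Subtype:
Result: ALLOW
Config:
object network LAN
nat (inside,outside) static 10.100.52.0 no-proxy-arp route-lookup
Additional Information:
Static translate 10.100.52.23/25685 to 10.100.52.23/25685
Phase: 5
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Result:
input-interface: inside
Action: allow
"""

FIELD = re.compile(r"^(Type|Subtype|Result|Config|Additional Information):\s*(.*)$")
XLATE = re.compile(r"translate (\S+)/(\d+) to (\S+)/(\d+)")

def parse_phases(text):
    """Return one dict per 'Phase: N' block; every field is stored as a list of lines."""
    phases, cur, key = [], None, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("Phase:"):
            cur, key = {"Phase": int(line.split(":")[1])}, None
            phases.append(cur)
        elif line == "Result:":      # a bare "Result:" opens the final summary, not a phase field
            cur = None
        elif cur is not None and (m := FIELD.match(line)):
            key = m.group(1)
            cur[key] = [m.group(2)] if m.group(2) else []
        elif cur is not None and key and line:
            cur[key].append(line)    # continuation line of Config / Additional Information
    return phases

def nat_rules_hit(phases):
    """List configured NAT rules the packet matched; identity means real address/port == mapped."""
    hits = []
    for p in phases:
        if p.get("Type") == ["NAT"] and p.get("Config"):
            x = XLATE.search(" ".join(p.get("Additional Information", [])))
            hits.append({"phase": p["Phase"], "rule": p["Config"][-1],
                         "identity": bool(x) and x.group(1, 2) == x.group(3, 4)})
    return hits
```

An empty list from `nat_rules_hit` means no configured NAT rule matched the traced packet; the per-session NAT phases carry no Config lines and are not counted.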