02-04-2018 12:54 PM - edited 02-21-2020 07:17 AM
So whether I try to issue a NAT command in the CLI, or even use the startup wizard to set up PAT, I get an error every time. Then I try to just create new NAT entries and have the same problem. If I leave source and destination as any, the command works; unfortunately (of course), that does not allow any traffic to pass through. This is perplexing to me, as I have a ton of these in production and I have always set them up the same. I thought it was the BVI1, but I took that out and tried just using the inside_1 interface, still no joy.
It does seem to have something to do with the bridge, though, as that seems to be the only difference from the other ASAs I have. But why, out of the box, would Cisco send me something that can't be programmed, even using the startup wizard? Let alone getting into the more intricate commands?
I will say I can make the firewall work for normal traffic, but I cannot create NAT entries to set up public servers, so I am stuck. Any help appreciated.
Solved! Go to Solution.
02-04-2018 08:10 PM
02-05-2018 01:16 AM
All your NAT statements (and also commands like ssh and http) have to reference the individual interfaces and not the name on the BVI. I have no idea why it's implemented that way, but we have to deal with it.
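As an added illustration of the point above (not the original poster's configuration and not from the accepted answer), this shows a routed-mode bridge group where GigabitEthernet1/2 is a member named inside_1 and the BVI carries the name inside; the object name and all addresses are made up:

```cisco
! Added example, not the poster's config. Addresses are constructed (RFC 5737 / RFC 1918 ranges).
! Member interface: part of bridge-group 1, with its own nameif.
interface GigabitEthernet1/2
 nameif inside_1
 bridge-group 1
 security-level 100
!
! The BVI itself carries the name "inside" and the IP address.
interface BVI1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
object network WEB_SERVER
 host 192.168.1.10
!
! Rejected: this form references the BVI name, which is what produces the error in the thread.
! object network WEB_SERVER
!  nat (inside,outside) static 203.0.113.10
!
! Accepted: reference the member interface the host sits behind, not the BVI.
object network WEB_SERVER
 nat (inside_1,outside) static 203.0.113.10
!
! Same rule for management access: name the member interface, not the BVI.
ssh 192.168.1.0 255.255.255.0 inside_1
http 192.168.1.0 255.255.255.0 inside_1
!
! Before writing rules, check which names are member interfaces and which one is the BVI:
! show nameif
```

If a host is reachable through more than one member interface, each member needs its own NAT statement, since the rule cannot be written once against the BVI name.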
02-05-2018 07:43 AM
Hello,
Yes, here is the output:
Result of the command: "show nameif"
Interface Name Security
GigabitEthernet1/1 outside 0
GigabitEthernet1/2 inside_1 100
GigabitEthernet1/3 inside_2 100
GigabitEthernet1/4 inside_3 100
GigabitEthernet1/5 inside_4 100
GigabitEthernet1/6 inside_5 100
GigabitEthernet1/7 inside_6 100
GigabitEthernet1/8 inside_7 100
BVI1 inside 100
02-05-2018 07:46 AM
This confirms that you're using BVI, and NAT isn't supported on BVI.
02-05-2018 07:50 AM
OK, I had removed interface GigabitEthernet1/2 from the bridge, but did not delete the bridge entirely. Is that the issue then?
Thanks!
02-05-2018 08:31 AM
02-05-2018 09:01 AM
I don't think he is in transparent mode. It's very likely just routed with BVIs.
02-05-2018 09:06 AM
02-05-2018 11:27 AM
I was assuming I was using it in transparent mode by using the bridge group.
I have completely deleted the group now and changed the nameif to inside on GigabitEthernet1/2.
However, I don't see why it would not work using the bridge group, since that is essentially the same as the older ASAs using Vlan1 and bridging all the ports.
Maybe I put the bridge back, but remove all of the nameif commands on the physical interfaces. As long as I can assign different static IP addresses and set up NAT entries, I don't really care, but it makes no sense to kill the other 6 ports for no reason.
02-05-2018 11:41 AM
Using bridge-groups doesn't mean you are running transparent firewall mode. And no, the VLAN concept is completely different from bridge-groups. That's the reason that the configuration is different.
02-05-2018 12:43 PM
02-05-2018 05:04 AM
02-07-2018 01:32 PM
I ended up getting rid of the BVI and naming the 1/2 interface "inside". It is the only inside interface I am using.
I then removed the nameif commands on all of the other inside interfaces.
This was the easiest solution for me, since it allowed NAT commands to be issued in the manner I am more used to.
Thanks Franceso and Karsten for helping to point me in the right direction.
02-07-2018 04:09 PM