04-08-2013 09:48 AM - edited 03-11-2019 06:25 PM
I'm trying to figure out how to forward an IP address to my DMZ servers allowing me to use the ACL to control access to the servers within my DMZ interface (LAN). I can't figure out if the ASA handles that automatically when a NAT rule is created, or maybe when an ACL is created, or do I need to add it when configuring the interface (outside)? Ex: IP Address: 1.1.1.1, 2.2.2.2, 3.3.3.3
Notes:
- I'm using the ASDM but can use CLI if needed.
- All IP addresses are fictitious of course.
- I currently have a public IP address of 1.1.1.1 that is used for all traffic coming from the ASA (including my NATed inside traffic).
- My local LAN subnet is 10.10.10.0/24.
- My DMZ subnet for my servers is 10.10.20.0/24.
- I have an IP address I want to use (public) of 2.2.2.2 that would be forwarded to my DMZed server of 10.10.20.2.
- I have an IP address I want to use (public) of 3.3.3.3 that would be forwarded to my DMZed server of 10.10.20.3.
04-08-2013 09:53 AM
Hi,
I am not sure if I understood you correctly.
Are you just asking how to configure Static NAT for your DMZ servers and allow traffic to them?
If so, the basic NAT configuration format would be
object network SERVER-1
 host 10.10.20.2
 nat (DMZ,outside) static 2.2.2.2 dns
object network SERVER-2
 host 10.10.20.3
 nat (DMZ,outside) static 3.3.3.3 dns
The above two "object network" objects create the Static NAT between the internal private and external public IP addresses.
access-list OUTSIDE-IN remark Allow traffic to DMZ servers
access-list OUTSIDE-IN permit tcp any object SERVER-1 eq www
access-list OUTSIDE-IN permit tcp any object SERVER-2 eq ftp
access-group OUTSIDE-IN in interface outside
The above creates an ACL which allows for example HTTP traffic to SERVER-1 and FTP traffic to SERVER-2. Finally the last command attaches the ACL to the "outside" interface. If you already have an ACL attached to the "outside" interface then you naturally use that one.
Those are just simple examples.
Please let me know if I understood you incorrectly or if I missed something.
- Jouni
04-08-2013 10:28 AM
Jouni,
Would Line A be the same thing as line B?
Line A:
nat (dmz,outside) source static any 2.2.2.2 inactive
Line B:
nat (dmz,outside) static 2.2.2.2 inactive
What's the point of the source and any keywords? I just ask because I'm trying to understand why the ASDM is adding them.
Thanks!!!
04-08-2013 10:33 AM
Hi,
Line A is a Twice NAT / Manual NAT format and this would not do a Static NAT between the internal and external IP address.
Line B is a Network Object NAT configuration line that is located under an "object network".
The "source" defines that after it you will define the NAT for the source addresses. The parameter "any" will just simply state that any source address will apply to this configuration.
You also seem to have the "inactive" parameter at the end of the commands, which means they are not in use.
Line A doesn't make sense configuration-wise.
Line B is the NAT configuration line under some object, so I can't see what its source address is (unless it's the one I mentioned in my first reply).
EDIT: Typos
- Jouni
04-08-2013 10:48 AM
Wow, tons of useful info with you guys!!! Thanks!
The inactive is on purpose because I'm trying to learn where to config certain things in the ASDM; I didn't want anything to go live yet.
Yes Line B was your network object line. The way you described it makes perfect sense!
Although now in my config the following was added...
object network WBS1_DMZ
 host 10.10.20.2
 description webserver
object network WBS1_EXTERNAL
 host 2.2.2.2
~~~~~ OTHER CONFIG ~~~~~
!
object network WBS1_DMZ
 nat (dmz,outside) static WBS1_EXTERNAL
I'm guessing that the ! is saying that it's continued from another object network that was already created?
edited: changed nat rule from (any,any) to (dmz,outside)
04-08-2013 11:01 AM
Hi,
The "!" mark is just included in some parts of the CLI format configuration. It doesn't serve any real critical purpose. I guess it just separates certain parts of the configuration from each other.
It seems that the configuration you posted above is configuring the other Static NAT I mentioned in my first reply.
The only difference is that instead of entering the public IP address 2.2.2.2 directly after the "static" parameter, you have instead configured the IP 2.2.2.2 inside its own "object network", which you then use in the NAT configuration.
There is nothing preventing you from doing it like this, although I would have to say that from a purely CLI user's perspective it creates a more complicated NAT configuration, as we can't see the public IP address used directly in the NAT command and therefore have to see what's under the "object network WBS1_EXTERNAL" to determine that IP address.
- Jouni
04-08-2013 12:50 PM
In your example above, should the following...
object network SERVER-1
 host 10.10.20.2
 nat (DMZ,outside) static 2.2.2.2 dns
be changed to the following...
object network SERVER-1
 host 10.10.20.2
 nat (outside,DMZ) static 2.2.2.2 dns
because when I have it changed to the latter I get no error, when I use your way I get the following error pop up...
"regular translation creation failed for icmp src dmz:10.10.20.2 dst outside:123.123.123.123 (type 0, code 0)"
04-08-2013 12:56 PM
Hi,
This configuration
object network SERVER-1
 host 10.10.20.2
 nat (outside,DMZ) static 2.2.2.2 dns
Would tell the ASA that:
From what I gather from your original information, the host with the IP address 10.10.20.2 is behind interface "dmz" and should be translated to the public IP address 2.2.2.2 on the "outside". So it could be connected to from behind the "outside" interface with the IP address 2.2.2.2.
So to my understanding the configuration should be
object network SERVER-1
 host 10.10.20.2
 nat (DMZ,outside) static 2.2.2.2 dns
Of course I might have misunderstood something in your original post.
- Jouni
04-08-2013 12:59 PM
That is correct, but why would it be giving me that error then?
04-08-2013 01:06 PM
Hi,
To be honest it would probably be easiest to see the configuration in CLI format to see if there is any obvious problem there.
I would also have to know the IP address you are PINGing.
- Jouni
04-08-2013 04:24 PM
It ended up being an extra NAT rule not needed. For anyone else having this issue it might help to use the packet tracer in the TOOLS menu at the top of the ASDM.
I started out by trying to send an icmp (echo-reply) from the "outside int" with source ip being an outside ip ex: 127.127.127.1 then set up the destination ip as my outside ip ex: 2.2.2.2... When I hit start I got back "The packet is allowed". So that was good.
Then I tried the traffic back to the outside... Source (some ip inside my dmz) ex: 10.10.20.2 and Destination (random public ip) ex: 127.111.111.1... When I hit start I got back "The packet is dropped". Then it told me about this little nat rule I forgot I put in there a while back. So I removed the old NAT rule and BAM! It started working great.
Hope it helps someone, if it does be sure to rate this reply as helpful.
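An added configuration check, not code from this thread or from Cisco, written against the two things the thread tripped on: the nat (real_if,mapped_if) direction Jouni corrected in his reply, and the leftover NAT rule the packet tracer turned up. It assumes the DMZ interface is named dmz and the outside interface outside, and that each statically NATed object should be referenced by name in an inbound ACL; the configuration it parses is a constructed sample, not the poster's real config.

```python
import re

# Constructed sample modelled on the thread's config: one correct object NAT with an ACL,
# one with the interface pair reversed, and one rule still marked "inactive".
SAMPLE_CONFIG = """\
object network SERVER-1
 host 10.10.20.2
 nat (DMZ,outside) static 2.2.2.2 dns
object network SERVER-2
 host 10.10.20.3
 nat (outside,DMZ) static 3.3.3.3 dns
object network WBS1_DMZ
 host 10.10.20.2
 nat (dmz,outside) static WBS1_EXTERNAL inactive
access-list OUTSIDE-IN permit tcp any object SERVER-1 eq www
access-group OUTSIDE-IN in interface outside
"""
NAT_RE = re.compile(r"nat \((\S+),(\S+)\) static (\S+)(.*)")

def parse_objects(cfg: str) -> dict[str, dict]:
    """Collect each 'object network' block: its host and its object NAT line."""
    objs, current = {}, None
    for line in cfg.splitlines():
        head = re.match(r"object network (\S+)", line)
        if head:
            current = objs.setdefault(head.group(1), {})
        elif current is not None:
            body = line.strip()
            if body.startswith("host "):
                current["host"] = body.split()[1]
            nat = NAT_RE.match(body)
            if nat:  # (real_if, mapped_if, mapped_addr, trailing keywords)
                current["nat"] = (nat.group(1), nat.group(2), nat.group(3), nat.group(4).split())
    return objs

def audit(cfg: str, dmz_if: str = "dmz", outside_if: str = "outside") -> list[str]:
    """Flag static NAT rules in the shapes this thread ran into (interface names assumed)."""
    objs = parse_objects(cfg)
    acl_targets = set(re.findall(r"access-list \S+ permit \S+ \S+ object (\S+)", cfg))
    findings = []
    for name, o in objs.items():
        if "nat" not in o:
            continue
        real_if, mapped_if, _, keywords = o["nat"]
        if (real_if.lower(), mapped_if.lower()) == (outside_if, dmz_if):
            findings.append(f"{name}: nat ({real_if},{mapped_if}) is reversed; a DMZ host needs ({dmz_if},{outside_if})")
        if "inactive" in keywords:
            findings.append(f"{name}: static NAT is inactive (leftover or not yet live)")
        elif name not in acl_targets:
            findings.append(f"{name}: static NAT is active but no inbound ACL entry permits traffic to it")
    return findings
```

Run `audit(SAMPLE_CONFIG)` to see the three findings; an object that is NATed correctly and permitted by the ACL, like SERVER-1, produces none.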
04-08-2013 09:56 AM
Hello Arvo,
For traffic being sourced from those servers on the DMZ you do not need any ACL, as the traffic will be going from a higher to a lower security level (DMZ to OUTSIDE), but for traffic being generated on the lower security side you must use an ACL to allow the traffic (lower to higher).
Hope that I understood your question.
Regards
04-08-2013 10:29 AM
jcarvaja,
Thanks! I never really thought of it that way... Sometimes I wish the levels didn't exist... I like to feel like I know each and every packet is accounted for with a rule.
04-08-2013 10:34 AM
Hi,
If you don't want to use the "security-level" value with the ASAs then you can simply configure an ACL on the ASA interface. As soon as you configure an ACL on the ASA interface, that will be the factor that controls the traffic for that interface.
The "security-level" won't affect the traffic flow anymore but the ACL will.
- Jouni
04-08-2013 10:38 AM
Yeah, I noticed that with the ASDM, as it removes the security level line that is there by default. Thanks.