NAT error in ASA 5525 9.1

sathish.ippani
Level 1
Internet users are unable to access port 22; we have already enabled port 22. Please check and help.
 
nat (outside,dmz) source static any any destination static obj_198.73.32.44 obj_10.3.202.44 unidirectional
 
access-list Out_in extended permit tcp any4 object obj_10.3.202.44 eq ssh
 
DAA30085-ASA1# packet-tracer input outside tcp 103.4.10.195 22 198.73.32.44 22
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (nat-no-xlate-to-pat-pool) Connection to PAT address without pre-existing xlate
DAA30085-ASA1#
2 Replies

Jouni Forss
VIP Alumni

Hi,

 

The NAT configuration seems odd to me. Are you just trying to configure a Static NAT for a server and allow SSH connections to that server?

 

If so, then the above configuration seems unideal for the situation. You don't really need to configure a Manual NAT / Twice NAT to achieve that. You can easily do it with a simple Auto NAT / Network Object NAT configuration.

 

Here is an example

 

object network SERVER
 host <internal server ip>
 nat (dmz,outside) static <public server ip>

 

And you use the above "object" in the ACL as the destination when you allow traffic.

 

Notice that both the "host" statement and the "nat" statement are configured under the "object".

 

Also, the error message that you are getting is strange. It almost seems to suggest that this public IP address is in use in some PAT configuration. Do you use it as a Dynamic PAT IP address for the users?

 

If you instead want to configure a Static PAT (Port Forward), you can modify the above NAT configuration a bit to achieve that too. The question is, though, are you using a separate public IP address (if you have multiple) or are you using the one configured on your ASA's external interface?

 

Separate public IP address with Static PAT

 

object network SERVER-SSH
 host <internal server ip>
 nat (dmz,outside) static <public server ip> service tcp 22 22

 

ASA interface public IP address with Static PAT

object network SERVER-SSH
 host <internal server ip>
 nat (dmz,outside) static interface service tcp 22 22

 

With the interface option I would urge you to check your current setup before configuring it. If you manage the ASA with SSH from the Internet, then you naturally can't use the ASA interface IP address and the port TCP/22. You could avoid that by using a port like TCP/222 as the mapped port.

 

object network SERVER-SSH
 host <internal server ip>
 nat (dmz,outside) static interface service tcp 22 222

 

Hope this helps :)

 

- Jouni
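Jouni's hunch above (the public address may already be in use as a dynamic PAT address) is something you can check mechanically against the running config before touching any NAT. The script below is an added example written for this thread, not code from the original post or from Cisco. It parses a constructed config fragment that copies the poster's twice-NAT rule and adds a hypothetical `INSIDE-USERS` dynamic PAT rule on the same public IP, reports any mapped address that is used both by a static rule and by a dynamic rule, and pulls the drop-reason code out of packet-tracer output. Assumptions: it covers only `object network` NAT and the twice-NAT `source`/`destination` clauses, treats any `dynamic` rule whose mapped address is a single host as a PAT address, ignores `any`, subnet and range objects, and resolves the `interface` keyword to the second interface of the pair for object NAT and mapped sources, and to the first interface for a mapped destination.

```python
import re

# Constructed sample running-config fragment (assumption: not from the original post).
# It keeps the poster's twice-NAT rule for 198.73.32.44 -> 10.3.202.44 and adds a
# hypothetical dynamic PAT rule (INSIDE-USERS) that reuses 198.73.32.44 as its PAT address.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 nameif outside
 ip address 198.73.32.40 255.255.255.224
!
object network obj_10.3.202.44
 host 10.3.202.44
object network obj_198.73.32.44
 host 198.73.32.44
object network INSIDE-USERS
 subnet 10.3.0.0 255.255.0.0
 nat (dmz,outside) dynamic 198.73.32.44
!
nat (outside,dmz) source static any any destination static obj_198.73.32.44 obj_10.3.202.44 unidirectional
"""

# Constructed packet-tracer tail in the same shape as the poster's output.
SAMPLE_PACKET_TRACER = """\
Result:
input-interface: outside
Action: drop
Drop-reason: (nat-no-xlate-to-pat-pool) Connection to PAT address without pre-existing xlate
"""

OBJ_RE = re.compile(r"^object network (\S+)$")
HOST_RE = re.compile(r"^ host (\S+)$")
NAMEIF_RE = re.compile(r"^ nameif (\S+)$")
IPADDR_RE = re.compile(r"^ ip address (\S+) \S+$")
OBJ_NAT_RE = re.compile(r"^ nat \((\S+),(\S+)\) (static|dynamic) (\S+)")
TWICE_NAT_RE = re.compile(
    r"^nat \((\S+),(\S+)\) source (static|dynamic) \S+ (\S+)"
    r"(?: destination static (\S+) \S+)?"
)
IPV4_RE = re.compile(r"\d+\.\d+\.\d+\.\d+")


def drop_reason(packet_tracer_output):
    """Return the drop-reason code from packet-tracer output, or None if there is no drop line."""
    m = re.search(r"Drop-reason: \((\S+)\)", packet_tracer_output)
    return m.group(1) if m else None


def parse_config(text):
    """Return (host_objects, interface_ips, nat_rules) from an ASA config fragment.

    nat_rules is a list of (mode, ifc_for_interface_keyword, mapped_token): mode is
    'static' or 'dynamic'; ifc_for_interface_keyword is the nameif that the token
    'interface' would refer to in that position; mapped_token is the address/object.
    """
    objects, interfaces, rules = {}, {}, []
    block = None   # ("object", name) or ("interface", {"nameif": .., "ip": ..})

    def flush_interface():
        if block and block[0] == "interface" and all(k in block[1] for k in ("nameif", "ip")):
            interfaces[block[1]["nameif"]] = block[1]["ip"]

    for line in text.splitlines():
        if not line.startswith(" "):           # start of a new top-level statement
            flush_interface()
            block = None
            if m := OBJ_RE.match(line):
                block = ("object", m.group(1))
            elif line.startswith("interface "):
                block = ("interface", {})
            elif m := TWICE_NAT_RE.match(line):
                src_ifc, dst_ifc, mode, src_mapped, dst_mapped = m.groups()
                rules.append((mode, dst_ifc, src_mapped))          # mapped source sits on 2nd ifc
                if dst_mapped:
                    rules.append(("static", src_ifc, dst_mapped))  # mapped destination on 1st ifc
        elif block and block[0] == "object":
            if m := HOST_RE.match(line):
                objects[block[1]] = m.group(1)
            elif m := OBJ_NAT_RE.match(line):
                _real_ifc, mapped_ifc, mode, mapped = m.groups()
                rules.append((mode, mapped_ifc, mapped))
        elif block and block[0] == "interface":
            if m := NAMEIF_RE.match(line):
                block[1]["nameif"] = m.group(1)
            elif m := IPADDR_RE.match(line):
                block[1]["ip"] = m.group(1)
    flush_interface()
    return objects, interfaces, rules


def resolve(token, ifc, objects, interfaces):
    """Map a NAT mapped-address token to one IPv4 host string, or None if it is not a single host."""
    if token == "interface":
        return interfaces.get(ifc)
    if token in objects:
        return objects[token]
    if IPV4_RE.fullmatch(token):
        return token
    return None   # 'any', subnet/range objects and unknown names are ignored


def find_pat_collisions(text):
    """Return mapped addresses used both by a static rule and by a dynamic (PAT) rule."""
    objects, interfaces, rules = parse_config(text)
    static_ips, dynamic_ips = set(), set()
    for mode, ifc, token in rules:
        ip = resolve(token, ifc, objects, interfaces)
        if ip is not None:
            (static_ips if mode == "static" else dynamic_ips).add(ip)
    return sorted(static_ips & dynamic_ips)


if __name__ == "__main__":
    print("packet-tracer drop reason:", drop_reason(SAMPLE_PACKET_TRACER))
    print("addresses shared by static NAT and dynamic PAT:", find_pat_collisions(SAMPLE_CONFIG))
```

Feed it the text of `show running-config interface`, `show running-config object` and `show running-config nat` captured from the box. A non-empty collision list is consistent with the `nat-no-xlate-to-pat-pool` drop the poster saw, since that reason is reported for a new inbound connection aimed at an address the ASA treats as a PAT address; in the sample the collision disappears once the hypothetical PAT rule is changed to `dynamic interface`, which resolves to the outside interface address instead.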

 

 

nkarthikeyan
Level 7

Hi,

 

You can modify your NAT like this and test; it should work.

object network ssh_server
host 10.3.202.44
nat (dmz,outside) static 198.73.32.44

 

Regards

Karthik
