NAT problems
12-10-2019 01:26 AM
Hello experts,
I have two ASA 5545X in active-standby and I have an object-group NATted to the outside interface. Inside the object-group I have one host. For some time the host was able to browse the internet, but now it is not working. The trace from the remote PC finishes on the FW. I have the access-list allowing that object-group to any IP.
Could anyone please help me figure out what can be happening and why this host can't browse the internet?
Many thanks,
Labels: Firewalls
12-10-2019 03:03 AM
Could you share the asa configuration?
*** Rate All Helpful Responses ***
12-10-2019 04:27 AM
Hello Jaderson,
Find the configuration details on the attached picture:
I made a traceroute from the host PC and the last hop is the FW interface.
12-10-2019 05:08 AM
try it:
object-group network OBJ-G
 network-object host 1.1.1.1
 network-object host 2.2.2.2
 network-object 192.168.0.0 255.255.255.0
nat (inside,outside) source dynamic OBJ-G interface
*** Rate All Helpful Responses ***
12-10-2019 05:35 AM
First I had this NAT:
nat (Customs,Outside) source static RemoteGroup_Internet-Access interface
Then I removed it and created this NAT:
nat (Customs,Outside) source dynamic RemoteGroup_Internet-Access interface
The Customs interface is the interface where the host and remote group are configured, and it is still not working.
12-10-2019 10:11 AM
I would suggest running a Packet Tracer from the Firewall to see if it is actually blocking the traffic and why.
12-11-2019 03:58 AM
try it:
1. Check packet-tracer in the firewall.
2. Check if the end device can resolve names (ping 8.8.8.8) or (ping www.google.com), for example;
3. Check if this "RemoteGroup_Internet-Access" has your end device.
Regards
*** Rate All Helpful Responses ***
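Step 3 above (confirming that the object-group really contains the end host, and therefore which source-NAT rule the host falls under) can be checked mechanically against a saved running-config. This is an added example, not code from this thread or from Cisco; the config text is constructed from the snippets quoted in the thread with placeholder addresses, and the parser only handles host and subnet members, not nested objects.

```python
import ipaddress
import re

# Constructed sample config, modelled on the snippets quoted in this thread.
# Group names come from the thread; the addresses are placeholders.
ASA_CONFIG = """\
object-group network RemoteGroup_Internet-Access
 network-object host 10.20.30.40
 network-object 192.168.0.0 255.255.255.0
object-group network OBJ-G
 network-object host 10.9.9.9
nat (Customs,Outside) source dynamic RemoteGroup_Internet-Access interface
nat (inside,outside) source dynamic OBJ-G interface
"""

def parse_object_groups(config):
    """Return {group_name: [ip_network, ...]} from 'object-group network' blocks.
    Only 'network-object host A.B.C.D' and 'network-object NET MASK' members
    are understood; nested 'network-object object NAME' entries are ignored."""
    groups, current = {}, None
    for line in config.splitlines():
        m = re.match(r"object-group network (\S+)", line)
        if m:
            current = m.group(1)
            groups[current] = []
            continue
        m = re.match(r"\s+network-object host (\S+)", line)
        if m and current:
            groups[current].append(ipaddress.ip_network(m.group(1)))
            continue
        m = re.match(r"\s+network-object (\d\S*) (\S+)", line)
        if m and current:
            net = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
            groups[current].append(net)
    return groups

def parse_nat_rules(config):
    """Return (src_if, dst_if, static|dynamic, src_object, mapped) for twice-NAT
    'source' rules; object NAT and destination-only rules are not covered."""
    pat = re.compile(r"nat \((\S+),(\S+)\) source (static|dynamic) (\S+) (\S+)")
    return [m.groups() for m in map(pat.match, config.splitlines()) if m]

def nat_rules_for_host(config, host):
    """List the source-NAT rules whose source object-group contains `host`.
    An empty list means the host is not a member of any NATted group."""
    ip = ipaddress.ip_address(host)
    groups = parse_object_groups(config)
    return [r for r in parse_nat_rules(config)
            if any(ip in net for net in groups.get(r[3], []))]
```

Running `nat_rules_for_host` for the end host's IP shows at a glance whether it is a group member and which interface pair and rule type it would translate through.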
12-11-2019 05:04 AM
Find attached the output for all tests. The result of packet-tracer is allowed, with no block.
The end host is inserted into the object-group.
The object has NAT and the ACL permitted.
12-11-2019 05:50 AM
Could you share a simple drawing of your topology? Is this firewall working as your routing to other networks, or is there an L3?
Is there any other NAT configuration to this address?
*** Rate All Helpful Responses ***
12-11-2019 07:22 AM
Hello Jaderson,
Thank you for your attention to my case; find the draft of my topology for your reference.
12-11-2019 07:34 AM
Please also see if the below info is normal behavior when we create a NAT.
12-11-2019 08:39 AM
*** Rate All Helpful Responses ***
12-11-2019 09:54 AM
Maputo_Mcnet_APN is the host PC that wants to browse, and ACL 208 is the NAT I have created from the host PC to the outside interface. I removed the old NAT from the object-group and created this one for the specific host, but the host PC is still not browsing.
