Solved: nat-xlate-failed - Page 2

marcio.tormente · ‎03-08-2016

Hello Friends,

I change my ASA from 5505 to 5506, and now when I try to access a specific public IP I receive the msg nat-xlate-failed, but this problem occur only with one public IP.

Attach is the error from packet trace

Thanks

Dinesh Moudgil · ‎03-08-2016

Thank you for the confirmation, Marcio

This indeed proves that ASA configuration is correct for nat and routing of internal network.

Can you confirm what exactly is this IP for ?

Note: I tried pinging from my system but ping fails for 100.69.192.179.

It might be the fact that they may have restricted ICMP packets for certain IPs.

The best thing that we can do is run "debug icmp trace" while pinging from ASA and this will show if the echo request is going out and coming in.

Along with this , we could use the same capture (capture asp type asp-drop all)
to check if our ICMP request was dropped or not.

Do not forget to clear captures using "clear cap asp" before testing.

Regards,
Dinesh Moudgil

P.S. Please rate helpful posts.

Cisco Network Security Channel - https://www.youtube.com/c/CiscoNetSec/

marcio.tormente · ‎03-08-2016

The ping that your are testing is correct.

Attach is the router configuration (destination), only to see that there is no special configuration there.

Dinesh Moudgil · ‎03-08-2016

There does not seem to be any attachment Marcio

Can you please confirm if this is your own public IP ? Please share a rough topology diagram regarding how ASA is connected to internet and where is this IP present, if it is part of your network on publicly available.

Regards, Dinesh Moudgil

P.S. Please rate helpful posts.

Cisco Network Security Channel - https://www.youtube.com/c/CiscoNetSec/

marcio.tormente · ‎03-08-2016

My public IP is 186.231.97.189, this IP is configured on the ASA, the remote IP that I have to access 100.69.192.179.

My topology is very simple, my machine have a GW that is my router and my router have default route to the ASA that is connect to the internet.

Follow the configuration of remote router (customer).

Dinesh Moudgil · ‎03-08-2016

I dont think there will be any issue on router side as we are not able to access that IP from ASA itself.

You might want to first check why it is not working from ASA with steps I mentioned presiously. Once it works, then we can look further

Regards,
Dinesh Moudgil

P.S. Please rate helpful posts.

Cisco Network Security Channel - https://www.youtube.com/c/CiscoNetSec/

marcio.tormente · ‎03-08-2016

You sent to me many steps, which one do you want that I try?

Thank you very much for all support

Dinesh Moudgil · ‎03-08-2016

To check whether the issue is with ASA or not
--------------------------------------------
Run "debug icmp trace" while pinging from ASA and this will show if the echo request is going out and coming in.

Along with this , we could use the same capture (capture asp type asp-drop all)
to check if our ICMP request was dropped or not.

Do not forget to clear captures using "clear cap asp" before testing.
--------------------------------------------

Regards,
Dinesh Moudgil

P.S. Please rate helpful posts.

Cisco Network Security Channel - https://www.youtube.com/c/CiscoNetSec/

marcio.tormente · ‎03-08-2016

Follow the result, I saw only the NAT int the debug.

likasa# debug icmp trace
debug icmp trace enabled at level 1
likasa# ICMP echo request from inside:192.168.13.67 to outside1:216.58.222.3 ID=1 seq=2288 len=32
ICMP echo request translating inside:192.168.13.67 to outside1:186.231.97.189
ICMP echo reply from outside1:216.58.222.3 to inside:192.168.13.67 ID=1 seq=2288 len=32
ICMP echo reply untranslating outside1:186.231.97.189 to inside:192.168.13.67
ICMP echo request from inside:192.168.13.67 to outside1:216.58.222.3 ID=1 seq=2289 len=32
ICMP echo request translating inside:192.168.13.67 to outside1:186.231.97.189
ICMP echo reply from outside1:216.58.222.3 to inside:192.168.13.67 ID=1 seq=2289 len=32
ICMP echo reply untranslating outside1:186.231.97.189 to inside:192.168.13.67
ICMP echo request from inside:192.168.13.67 to outside1:216.58.222.3 ID=1 seq=2290 len=32
ICMP echo request translating inside:192.168.13.67 to outside1:186.231.97.189
ICMP echo reply from outside1:216.58.222.3 to inside:192.168.13.67 ID=1 seq=2290 len=32
ICMP echo reply untranslating outside1:186.231.97.189 to inside:192.168.13.67
ICMP echo request from inside:192.168.13.67 to outside1:216.58.222.3 ID=1 seq=2291 len=32
ICMP echo request translating inside:192.168.13.67 to outside1:186.231.97.189
ICMP echo reply from outside1:216.58.222.3 to inside:192.168.13.67 ID=1 seq=2291 len=32
ICMP echo reply untranslating outside1:186.231.97.189 to inside:192.168.13.67
ICMP echo request from inside:192.168.13.67 to outside1:216.58.222.3 ID=1 seq=2292 len=32
ICMP echo request translating inside:192.168.13.67 to outside1:186.231.97.189
ICMP echo reply from outside1:216.58.222.3 to inside:192.168.13.67 ID=1 seq=2292 len=32
ICMP echo reply untranslating outside1:186.231.97.189 to inside:192.168.13.67
ICMP echo request from inside:192.168.13.67 to outside1:216.58.222.3 ID=1 seq=2293 len=32
ICMP echo request translating inside:192.168.13.67 to outside1:186.231.97.189
ICMP echo reply from outside1:216.58.222.3 to inside:192.168.13.67 ID=1 seq=2293 len=32
ICMP echo reply untranslating outside1:186.231.97.189 to inside:192.168.13.67
ICMP echo request from inside:192.168.13.67 to outside1:216.58.222.3 ID=1 seq=2294 len=32
ICMP echo request translating inside:192.168.13.67 to outside1:186.231.97.189
ICMP echo reply from outside1:216.58.222.3 to inside:192.168.13.67 ID=1 seq=2294 len=32
ICMP echo reply untranslating outside1:186.231.97.189 to inside:192.168.13.67
ICMP echo request from inside:192.168.13.67 to outside1:216.58.222.3 ID=1 seq=2295 len=32
ICMP echo request translating inside:192.168.13.67 to outside1:186.231.97.189
ICMP echo reply from outside1:216.58.222.3 to inside:192.168.13.67 ID=1 seq=2295 len=32
ICMP echo reply untranslating outside1:186.231.97.189 to inside:192.168.13.67
ICMP echo request from inside:192.168.13.67 to outside1:216.58.222.3 ID=1 seq=2296 len=32
ICMP echo request translating inside:192.168.13.67 to outside1:186.231.97.189
ICMP echo reply from outside1:216.58.222.3 to inside:192.168.13.67 ID=1 seq=2296 len=32
ICMP echo reply untranslating outside1:186.231.97.189 to inside:192.168.13.67
ICMP echo request from inside:192.168.13.67 to outside1:216.58.222.3 ID=1 seq=2297 len=32
ICMP echo request translating inside:192.168.13.67 to outside1:186.231.97.189
ICMP echo reply from outside1:216.58.222.3 to inside:192.168.13.67 ID=1 seq=2297 len=32
ICMP echo reply untranslating outside1:186.231.97.189 to inside:192.168.13.67
ICMP echo request from inside:192.168.13.67 to outside1:216.58.222.3 ID=1 seq=2298 len=32
ICMP echo request translating inside:192.168.13.67 to outside1:186.231.97.189
ICMP echo reply from outside1:216.58.222.3 to inside:192.168.13.67 ID=1 seq=2298 len=32
ICMP echo reply untranslating outside1:186.231.97.189 to inside:192.168.13.67
ICMP echo request from inside:192.168.13.67 to outside1:216.58.222.3 ID=1 seq=2299 len=32
ICMP echo request translating inside:192.168.13.67 to outside1:186.231.97.189
ICMP echo reply from outside1:216.58.222.3 to inside:192.168.13.67 ID=1 seq=2299 len=32
ICMP echo reply untranslating outside1:186.231.97.189 to inside:192.168.13.67
ICMP echo request from inside:192.168.13.67 to outside1:216.58.222.3 ID=1 seq=2300 len=32
ICMP echo request translating inside:192.168.13.67 to outside1:186.231.97.189
ICMP echo reply from outside1:216.58.222.3 to inside:192.168.13.67 ID=1 seq=2300 len=32
ICMP echo reply untranslating outside1:186.231.97.189 to inside:192.168.13.67
ICMP echo request from inside:192.168.13.67 to outside1:216.58.222.3 ID=1 seq=2301 len=32
ICMP echo request translating inside:192.168.13.67 to outside1:186.231.97.189
ICMP echo reply from outside1:216.58.222.3 to inside:192.168.13.67 ID=1 seq=2301 len=32
ICMP echo reply untranslating outside1:186.231.97.189 to inside:192.168.13.67
ICMP echo request from inside:192.168.13.67 to outside1:216.58.222.3 ID=1 seq=2302 len=32
ICMP echo request translating inside:192.168.13.67 to outside1:186.231.97.189
ICMP echo reply from outside1:216.58.222.3 to inside:192.168.13.67 ID=1 seq=2302 len=32
ICMP echo reply untranslating outside1:186.231.97.189 to inside:192.168.13.67
ICMP echo request from inside:192.168.13.67 to outside1:216.58.222.3 ID=1 seq=2303 len=32
ICMP echo request translating inside:192.168.13.67 to outside1:186.231.97.189
ICMP echo reply from outside1:216.58.222.3 to inside:192.168.13.67 ID=1 seq=2303 len=32
ICMP echo reply untranslating outside1:186.231.97.189 to inside:192.168.13.67
ICMP echo request from inside:192.168.13.67 to outside1:216.58.222.3 ID=1 seq=2304 len=32
ICMP echo request translating inside:192.168.13.67 to outside1:186.231.97.189
ICMP echo reply from outside1:216.58.222.3 to inside:192.168.13.67 ID=1 seq=2304 len=32
ICMP echo reply untranslating outside1:186.231.97.189 to inside:192.168.13.67
ICMP echo request from inside:192.168.13.67 to outside1:216.58.222.3 ID=1 seq=2305 len=32
ICMP echo request translating inside:192.168.13.67 to outside1:186.231.97.189
ICMP echo reply from outside1:216.58.222.3 to inside:192.168.13.67 ID=1 seq=2305 len=32
ICMP echo reply untranslating outside1:186.231.97.189 to inside:192.168.13.67
ICMP echo request from inside:192.168.13.67 to outside1:216.58.222.3 ID=1 seq=2306 len=32
ICMP echo request translating inside:192.168.13.67 to outside1:186.231.97.189
ICMP echo reply from outside1:216.58.222.3 to inside:192.168.13.67 ID=1 seq=2306 len=32
ICMP echo reply untranslating outside1:186.231.97.189 to inside:192.168.13.67
ICMP echo request from inside:192.168.13.67 to outside1:216.58.222.3 ID=1 seq=2307 len=32
ICMP echo request translating inside:192.168.13.67 to outside1:186.231.97.189
ICMP echo reply from outside1:216.58.222.3 to inside:192.168.13.67 ID=1 seq=2307 len=32
ICMP echo reply untranslating outside1:186.231.97.189 to inside:192.168.13.67
ICMP echo request from inside:192.168.13.67 to outside1:216.58.222.3 ID=1 seq=2308 len=32
ICMP echo request translating inside:192.168.13.67 to outside1:186.231.97.189
ICMP echo request from inside:192.168.13.67 to outside1:216.58.222.3 ID=1 seq=2309 len=32
ICMP echo request translating inside:192.168.13.67 to outside1:186.231.97.189
ICMP echo reply from outside1:216.58.222.3 to inside:192.168.13.67 ID=1 seq=2309 len=32
ICMP echo reply untranslating outside1:186.231.97.189 to inside:192.168.13.67
ICMP echo request from inside:192.168.13.67 to outside1:216.58.222.3 ID=1 seq=2310 len=32
ICMP echo request translating inside:192.168.13.67 to outside1:186.231.97.189
ICMP echo reply from outside1:216.58.222.3 to inside:192.168.13.67 ID=1 seq=2310 len=32
ICMP echo reply untranslating outside1:186.231.97.189 to inside:192.168.13.67
ICMP echo request from inside:192.168.13.67 to outside1:216.58.222.3 ID=1 seq=2311 len=32
ICMP echo request translating inside:192.168.13.67 to outside1:186.231.97.189
ICMP echo request from inside:192.168.13.67 to outside1:216.58.222.3 ID=1 seq=2312 len=32
ICMP echo request translating inside:192.168.13.67 to outside1:186.231.97.189
ICMP echo reply from outside1:216.58.222.3 to inside:192.168.13.67 ID=1 seq=2312 len=32
ICMP echo reply untranslating outside1:186.231.97.189 to inside:192.168.13.67
ICMP echo request from inside:192.168.13.67 to outside1:216.58.222.3 ID=1 seq=2313 len=32
ICMP echo request translating inside:192.168.13.67 to outside1:186.231.97.189
ICMP echo reply from outside1:216.58.222.3 to inside:192.168.13.67 ID=1 seq=2313 len=32
ICMP echo reply untranslating outside1:186.231.97.189 to inside:192.168.13.67
ICMP echo request from inside:192.168.13.67 to outside1:216.58.222.3 ID=1 seq=2314 len=32
ICMP echo request translating inside:192.168.13.67 to outside1:186.231.97.189
ICMP echo reply from outside1:216.58.222.3 to inside:192.168.13.67 ID=1 seq=2314 len=32
ICMP echo reply untranslating outside1:186.231.97.189 to inside:192.168.13.67
ICMP echo request from inside:192.168.13.67 to outside1:216.58.222.3 ID=1 seq=2315 len=32
ICMP echo request translating inside:192.168.13.67 to outside1:186.231.97.189
ICMP echo reply from outside1:216.58.222.3 to inside:192.168.13.67 ID=1 seq=2315 len=32
ICMP echo reply untranslating outside1:186.231.97.189 to inside:192.168.13.67
ICMP echo request from inside:192.168.13.67 to outside1:216.58.222.3 ID=1 seq=2316 len=32
ICMP echo request translating inside:192.168.13.67 to outside1:186.231.97.189
ICMP echo request from inside:192.168.13.67 to outside1:216.58.222.3 ID=1 seq=2317 len=32
ICMP echo request translating inside:192.168.13.67 to outside1:186.231.97.189
ICMP echo reply from outside1:216.58.222.3 to inside:192.168.13.67 ID=1 seq=2317 len=32
ICMP echo reply untranslating outside1:186.231.97.189 to inside:192.168.13.67
ICMP echo request from inside:192.168.13.67 to outside1:216.58.222.3 ID=1 seq=2318 len=32
ICMP echo request translating inside:192.168.13.67 to outside1:186.231.97.189
ICMP echo reply from outside1:216.58.222.3 to inside:192.168.13.67 ID=1 seq=2318 len=32
ICMP echo reply untranslating outside1:186.231.97.189 to inside:192.168.13.67
ICMP echo request from inside:192.168.13.67 to outside1:216.58.222.3 ID=1 seq=2319 len=32
ICMP echo request translating inside:192.168.13.67 to outside1:186.231.97.189
ICMP echo reply from outside1:216.58.222.3 to inside:192.168.13.67 ID=1 seq=2319 len=32
ICMP echo reply untranslating outside1:186.231.97.189 to inside:192.168.13.67
ICMP echo request from inside:192.168.13.67 to outside1:216.58.222.3 ID=1 seq=2320 len=32
ICMP echo request translating inside:192.168.13.67 to outside1:186.231.97.189
ICMP echo reply from outside1:216.58.222.3 to inside:192.168.13.67 ID=1 seq=2320 len=32
ICMP echo reply untranslating outside1:186.231.97.189 to inside:192.168.13.67
ICMP echo request from inside:192.168.13.67 to outside1:216.58.222.3 ID=1 seq=2321 len=32
ICMP echo request translating inside:192.168.13.67 to outside1:186.231.97.189
ICMP echo reply from outside1:216.58.222.3 to inside:192.168.13.67 ID=1 seq=2321 len=32
ICMP echo reply untranslating outside1:186.231.97.189 to inside:192.168.13.67
ICMP echo request from inside:192.168.13.67 to outside1:216.58.222.3 ID=1 seq=2322 len=32
ICMP echo request translating inside:192.168.13.67 to outside1:186.231.97.189
ICMP echo request from inside:192.168.13.67 to outside1:216.58.222.3 ID=1 seq=2323 len=32
ICMP echo request translating inside:192.168.13.67 to outside1:186.231.97.189
ICMP echo reply from outside1:216.58.222.3 to inside:192.168.13.67 ID=1 seq=2323 len=32
ICMP echo reply untranslating outside1:186.231.97.189 to inside:192.168.13.67
ICMP echo request from inside:192.168.13.67 to outside1:216.58.222.3 ID=1 seq=2324 len=32
ICMP echo request translating inside:192.168.13.67 to outside1:186.231.97.189
ICMP echo reply from outside1:216.58.222.3 to inside:192.168.13.67 ID=1 seq=2324 len=32
ICMP echo reply untranslating outside1:186.231.97.189 to inside:192.168.13.67
ICMP echo request from inside:192.168.13.67 to outside1:216.58.222.3 ID=1 seq=2325 len=32
ICMP echo request translating inside:192.168.13.67 to outside1:186.231.97.189
ICMP echo reply from outside1:216.58.222.3 to inside:192.168.13.67 ID=1 seq=2325 len=32
ICMP echo reply untranslating outside1:186.231.97.189 to inside:192.168.13.67
ICMP echo request from inside:192.168.13.67 to outside1:216.58.222.3 ID=1 seq=2326 len=32
ICMP echo request translating inside:192.168.13.67 to outside1:186.231.97.189
ICMP echo request from inside:192.168.13.67 to outside1:216.58.222.3 ID=1 seq=2327 len=32
ICMP echo request translating inside:192.168.13.67 to outside1:186.231.97.189
ICMP echo reply from outside1:216.58.222.3 to inside:192.168.13.67 ID=1 seq=2327 len=32
ICMP echo reply untranslating outside1:186.231.97.189 to inside:192.168.13.67
ICMP echo request from inside:192.168.13.67 to outside1:216.58.222.3 ID=1 seq=2328 len=32
ICMP echo request translating inside:192.168.13.67 to outside1:186.231.97.189
ICMP echo reply from outside1:216.58.222.3 to inside:192.168.13.67 ID=1 seq=2328 len=32
ICMP echo reply untranslating outside1:186.231.97.189 to inside:192.168.13.67
ICMP echo request from inside:192.168.13.67 to outside1:216.58.222.3 ID=1 seq=2329 len=32
ICMP echo request translating inside:192.168.13.67 to outside1:186.231.97.189
ICMP echo reply from outside1:216.58.222.3 to inside:192.168.13.67 ID=1 seq=2329 len=32
ICMP echo reply untranslating outside1:186.231.97.189 to inside:192.168.13.67
ICMP echo request from inside:192.168.13.67 to outside1:216.58.222.3 ID=1 seq=2330 len=32
ICMP echo request translating inside:192.168.13.67 to outside1:186.231.97.189
ICMP echo reply from outside1:216.58.222.3 to inside:192.168.13.67 ID=1 seq=2330 len=32
ICMP echo reply untranslating outside1:186.231.97.189 to inside:192.168.13.67
ICMP echo request from inside:192.168.13.67 to outside1:216.58.222.3 ID=1 seq=2331 len=32
ICMP echo request translating inside:192.168.13.67 to outside1:186.231.97.189
ICMP echo reply from outside1:216.58.222.3 to inside:192.168.13.67 ID=1 seq=2331 len=32
ICMP echo reply untranslating outside1:186.231.97.189 to inside:192.168.13.67

likasa#
likasa#
likasa# ICMP echo request from inside:192.168.13.67 to outside1:216.58.222.3 ID=1 seq=2332 len=32
ICMP echo request translating inside:192.168.13.67 to outside1:186.231.97.189

likasa# ICMP echo reply from outside1:216.58.222.3 to inside:192.168.13.67 ID=1 seq=2332 len=32
ICMP echo reply untranslating outside1:186.231.97.189 to inside:192.168.13.67

likasa#
likasa# ICMP echo request from inside:192.168.13.67 to outside1:216.58.222.3 ID=1 seq=2333 len=32
ICMP echo request translating inside:192.168.13.67 to outside1:186.231.97.189
ICMP echo reply from outside1:216.58.222.3 to inside:192.168.13.67 ID=1 seq=2333 len=32
ICMP echo reply untranslating outside1:186.231.97.189 to inside:192.168.13.67

likasa#
likasa# ICMP echo request from inside:192.168.13.67 to outside1:216.58.222.3 ID=1 seq=2334 len=32
ICMP echo request translating inside:192.168.13.67 to outside1:186.231.97.189
ICMP echo reply from outside1:216.58.222.3 to inside:192.168.13.67 ID=1 seq=2334 len=32
ICMP echo reply untranslating outside1:186.231.97.189 to inside:192.168.13.67
unICMP echo request from inside:192.168.13.67 to outside1:216.58.222.3 ID=1 seq=2335 len=32
ICMP echo request translating inside:192.168.13.67 to outside1:186.231.97.189
ICMP echo reply from outside1:216.58.222.3 to inside:192.168.13.67 ID=1 seq=2335 len=32
ICMP echo reply untranslating outside1:186.231.97.189 to inside:192.168.13.67
deICMP echo request from inside:192.168.13.67 to outside1:216.58.222.3 ID=1 seq=2336 len=32
ICMP echo request translating inside:192.168.13.67 to outside1:186.231.97.189
ICMP echo reply from outside1:216.58.222.3 to inside:192.168.13.67 ID=1 seq=2336 len=32
ICMP echo reply untranslating outside1:186.231.97.189 to inside:192.168.13.67
bug ICMP echo request from inside:192.168.13.67 to outside1:216.58.222.3 ID=1 seq=2337 len=32
ICMP echo request translating inside:192.168.13.67 to outside1:186.231.97.189
ICMP echo reply from outside1:216.58.222.3 to inside:192.168.13.67 ID=1 seq=2337 len=32
ICMP echo reply untranslating outside1:186.231.97.189 to inside:192.168.13.67
all
likasa#
likasa#
likasa#
likasa# capture asp type asp-drop all
likasa#
likasa#
likasa# capture capi interface inside match ip host 192.168.13.61 host 100.69.$
likasa#
likasa#
likasa# debug icmp trace
debug icmp trace enabled at level 1
likasa# ICMP echo request from inside:192.168.13.67 to outside1:216.58.222.3 ID=1 seq=2386 len=32
ICMP echo request translating inside:192.168.13.67 to outside1:186.231.97.189
ICMP echo reply from outside1:216.58.222.3 to inside:192.168.13.67 ID=1 seq=2386 len=32
ICMP echo reply untranslating outside1:186.231.97.189 to inside:192.168.13.67
ICMP echo request from inside:192.168.13.67 to outside1:216.58.222.3 ID=1 seq=2387 len=32
ICMP echo request translating inside:192.168.13.67 to outside1:186.231.97.189
ICMP echo reply from outside1:216.58.222.3 to inside:192.168.13.67 ID=1 seq=2387 len=32
ICMP echo reply untranslating outside1:186.231.97.189 to inside:192.168.13.67
ICMP echo request from inside:192.168.13.67 to outside1:216.58.222.3 ID=1 seq=2388 len=32
ICMP echo request translating inside:192.168.13.67 to outside1:186.231.97.189
ICMP echo reply from outside1:216.58.222.3 to inside:192.168.13.67 ID=1 seq=2388 len=32
ICMP echo reply untranslating outside1:186.231.97.189 to inside:192.168.13.67
ICMP echo request from inside:192.168.13.67 to outside1:216.58.222.3 ID=1 seq=2389 len=32
ICMP echo request translating inside:192.168.13.67 to outside1:186.231.97.189
ICMP echo reply from outside1:216.58.222.3 to inside:192.168.13.67 ID=1 seq=2389 len=32
ICMP echo reply untranslating outside1:186.231.97.189 to inside:192.168.13.67
ICMP echo request from inside:192.168.13.61 to outside1:100.69.192.179 ID=1 seq=194 len=32
ICMP echo request translating inside:192.168.13.61/1 to outside1:186.231.97.189/37537
ICMP echo request from inside:192.168.13.67 to outside1:216.58.222.3 ID=1 seq=2390 len=32
ICMP echo request translating inside:192.168.13.67 to outside1:186.231.97.189
ICMP echo reply from outside1:216.58.222.3 to inside:192.168.13.67 ID=1 seq=2390 len=32
ICMP echo reply untranslating outside1:186.231.97.189 to inside:192.168.13.67
ICMP echo request from inside:192.168.13.67 to outside1:216.58.222.3 ID=1 seq=2391 len=32
ICMP echo request translating inside:192.168.13.67 to outside1:186.231.97.189
ICMP echo request from inside:192.168.13.61 to outside1:100.69.192.179 ID=1 seq=195 len=32
ICMP echo request translating inside:192.168.13.61/1 to outside1:186.231.97.189/37537
ICMP echo request from inside:192.168.13.67 to outside1:216.58.222.3 ID=1 seq=2392 len=32
ICMP echo request translating inside:192.168.13.67 to outside1:186.231.97.189
ICMP echo reply from outside1:216.58.222.3 to inside:192.168.13.67 ID=1 seq=2392 len=32
ICMP echo reply untranslating outside1:186.231.97.189 to inside:192.168.13.67
ICMP echo request from inside:192.168.13.67 to outside1:216.58.222.3 ID=1 seq=2393 len=32
ICMP echo request translating inside:192.168.13.67 to outside1:186.231.97.189
ICMP echo request from inside:192.168.13.61 to outside1:100.69.192.179 ID=1 seq=196 len=32
ICMP echo request translating inside:192.168.13.61/1 to outside1:186.231.97.189/37537
ICMP echo request from inside:192.168.13.67 to outside1:216.58.222.3 ID=1 seq=2394 len=32
ICMP echo request translating inside:192.168.13.67 to outside1:186.231.97.189
ICMP echo reply from outside1:216.58.222.3 to inside:192.168.13.67 ID=1 seq=2394 len=32
ICMP echo reply untranslating outside1:186.231.97.189 to inside:192.168.13.67
ICMP echo request from inside:192.168.13.67 to outside1:216.58.222.3 ID=1 seq=2395 len=32
ICMP echo request translating inside:192.168.13.67 to outside1:186.231.97.189
ICMP echo reply from outside1:216.58.222.3 to inside:192.168.13.67 ID=1 seq=2395 len=32
ICMP echo reply untranslating outside1:186.231.97.189 to inside:192.168.13.67
uICMP echo request from inside:192.168.13.67 to outside1:216.58.222.3 ID=1 seq=2396 len=32
ICMP echo request translating inside:192.168.13.67 to outside1:186.231.97.189
ICMP echo reply from outside1:216.58.222.3 to inside:192.168.13.67 ID=1 seq=2396 len=32
ICMP echo reply untranslating outside1:186.231.97.189 to inside:192.168.13.67
ndICMP echo request from inside:192.168.13.61 to outside1:100.69.192.179 ID=1 seq=197 len=32
ICMP echo request translating inside:192.168.13.61/1 to outside1:186.231.97.189/37537
ebuICMP echo request from inside:192.168.13.67 to outside1:216.58.222.3 ID=1 seq=2397 len=32
ICMP echo request translating inside:192.168.13.67 to outside1:186.231.97.189
ICMP echo reply from outside1:216.58.222.3 to inside:192.168.13.67 ID=1 seq=2397 len=32
ICMP echo reply untranslating outside1:186.231.97.189 to inside:192.168.13.67
g alICMP echo request from inside:192.168.13.67 to outside1:216.58.222.3 ID=1 seq=2398 len=32
ICMP echo request translating inside:192.168.13.67 to outside1:186.231.97.189
ICMP echo reply from outside1:216.58.222.3 to inside:192.168.13.67 ID=1 seq=2398 len=32
ICMP echo reply untranslating outside1:186.231.97.189 to inside:192.168.13.67
l
likasa# show cap asp | in 192.168.13.61
3: 18:14:02.897445 192.168.13.61.62526 > 157.56.144.215.3544: udp 61 Drop-reason: (acl-drop) Flow is denied by configured rule
158: 18:14:27.287445 192.168.13.61.137 > 192.168.13.255.137: udp 50
163: 18:14:28.036817 192.168.13.61.137 > 192.168.13.255.137: udp 50
166: 18:14:28.787297 192.168.13.61.137 > 192.168.13.255.137: udp 50
168: 18:14:29.515598 192.168.13.61.59806 > 216.58.202.99.443: udp 1350
169: 18:14:29.544329 192.168.13.61.59806 > 216.58.202.99.443: udp 1350
170: 18:14:29.610716 192.168.13.61.59806 > 216.58.202.99.443: udp 1350
172: 18:14:29.745261 192.168.13.61.59806 > 216.58.202.99.443: udp 1350
176: 18:14:30.053616 192.168.13.61.59806 > 216.58.202.99.443: udp 1350
177: 18:14:30.540697 192.168.13.61.59806 > 216.58.202.99.443: udp 1350
183: 18:14:31.596053 192.168.13.61.59806 > 216.58.202.99.443: udp 1350
193: 18:14:33.517353 192.168.13.61.59806 > 216.58.202.99.443: udp 43
199: 18:14:34.924116 192.168.13.61.56107 > 65.5.139.108.29208: S 1818944661:1818944661(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
202: 18:14:35.044355 192.168.13.61.56108 > 65.5.139.108.29208: S 572457973:572457973(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
203: 18:14:35.052151 192.168.13.61.137 > 192.168.13.255.137: udp 50
205: 18:14:35.053662 192.168.13.61.50886 > 224.0.0.252.5355: udp 22
207: 18:14:35.066585 192.168.13.61.64995 > 224.0.0.252.5355: udp 22
212: 18:14:35.118035 192.168.13.61.56344 > 224.0.0.252.5355: udp 30
215: 18:14:35.414666 192.168.13.61.64995 > 224.0.0.252.5355: udp 22
217: 18:14:35.415322 192.168.13.61.50886 > 224.0.0.252.5355: udp 22
219: 18:14:35.552782 192.168.13.61.56344 > 224.0.0.252.5355: udp 30
220: 18:14:35.557618 192.168.13.61.56107 > 65.5.139.108.29208: S 1818944661:1818944661(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
221: 18:14:35.641690 192.168.13.61.56108 > 65.5.139.108.29208: S 572457973:572457973(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
222: 18:14:35.754706 192.168.13.61.137 > 192.168.13.255.137: udp 50
226: 18:14:36.148933 192.168.13.61.56108 > 65.5.139.108.29208: S 572457973:572457973(0) win 8192 <mss 1460,nop,nop,sackOK>
228: 18:14:36.509662 192.168.13.61.137 > 192.168.13.255.137: udp 50
254: 18:14:37.939694 192.168.13.61.62465 > 224.0.0.252.5355: udp 22
256: 18:14:37.940197 192.168.13.61.55407 > 224.0.0.252.5355: udp 22
257: 18:14:37.940838 192.168.13.61.137 > 192.168.13.255.137: udp 50
265: 18:14:38.342877 192.168.13.61.55407 > 224.0.0.252.5355: udp 22
266: 18:14:38.348935 192.168.13.61.62465 > 224.0.0.252.5355: udp 22
268: 18:14:38.676875 192.168.13.61.137 > 192.168.13.255.137: udp 50
272: 18:14:39.429253 192.168.13.61.137 > 192.168.13.255.137: udp 50
332: 18:14:55.204396 192.168.13.61.137 > 192.168.13.255.137: udp 50
334: 18:14:55.209171 192.168.13.61.49160 > 224.0.0.252.5355: udp 22
336: 18:14:55.211689 192.168.13.61.57641 > 224.0.0.252.5355: udp 22
339: 18:14:55.646618 192.168.13.61.49160 > 224.0.0.252.5355: udp 22
340: 18:14:55.649533 192.168.13.61.57641 > 224.0.0.252.5355: udp 22
341: 18:14:55.969401 192.168.13.61.137 > 192.168.13.255.137: udp 50
346: 18:14:56.721154 192.168.13.61.137 > 192.168.13.255.137: udp 50
948: 18:15:57.500904 192.168.13.61.137 > 192.168.13.255.137: udp 50
950: 18:15:57.512470 192.168.13.61.50830 > 224.0.0.252.5355: udp 22
952: 18:15:57.528796 192.168.13.61.58739 > 224.0.0.252.5355: udp 22
956: 18:15:57.936276 192.168.13.61.58739 > 224.0.0.252.5355: udp 22
957: 18:15:57.936490 192.168.13.61.50830 > 224.0.0.252.5355: udp 22
958: 18:15:58.245150 192.168.13.61.137 > 192.168.13.255.137: udp 50
964: 18:15:59.007232 192.168.13.61.137 > 192.168.13.255.137: udp 50
1220: 18:16:58.114160 192.168.13.61.54878 > 157.56.144.215.3544: udp 61
1224: 18:16:58.318541 192.168.13.61.51228 > 224.0.0.252.5355: udp 30
1230: 18:16:58.732506 192.168.13.61.51228 > 224.0.0.252.5355: udp 30
1234: 18:16:58.841234 192.168.13.61.137 > 192.168.13.255.137: udp 50
1236: 18:16:58.842256 192.168.13.61.60747 > 224.0.0.252.5355: udp 22
1238: 18:16:58.846300 192.168.13.61.50297 > 224.0.0.252.5355: udp 22
1241: 18:16:58.973292 192.168.13.61.137 > 192.168.13.255.137: udp 50
1244: 18:16:58.974955 192.168.13.61.61292 > 224.0.0.252.5355: udp 22
1245: 18:16:59.111780 192.168.13.61.54878 > 157.56.144.215.3544: udp 61
1249: 18:16:59.146629 192.168.13.61.59263 > 224.0.0.252.5355: udp 30
1257: 18:16:59.259233 192.168.13.61.50297 > 224.0.0.252.5355: udp 22
1259: 18:16:59.260057 192.168.13.61.60747 > 224.0.0.252.5355: udp 22
1262: 18:16:59.401407 192.168.13.61.61292 > 224.0.0.252.5355: udp 22
1264: 18:16:59.573243 192.168.13.61.59263 > 224.0.0.252.5355: udp 30
1265: 18:16:59.593032 192.168.13.61.137 > 192.168.13.255.137: udp 50
1267: 18:16:59.725273 192.168.13.61.137 > 192.168.13.255.137: udp 50
1269: 18:17:00.358105 192.168.13.61.137 > 192.168.13.255.137: udp 50
1270: 18:17:00.489461 192.168.13.61.137 > 192.168.13.255.137: udp 50
1274: 18:17:01.113046 192.168.13.61.54878 > 157.56.144.215.3544: udp 61
1275: 18:17:01.944866 192.168.13.61.137 > 192.168.13.255.137: udp 50
1277: 18:17:01.945950 192.168.13.61.55023 > 224.0.0.252.5355: udp 22
1282: 18:17:02.357601 192.168.13.61.55023 > 224.0.0.252.5355: udp 22
1283: 18:17:02.695459 192.168.13.61.137 > 192.168.13.255.137: udp 50
1291: 18:17:03.445960 192.168.13.61.137 > 192.168.13.255.137: udp 50
1296: 18:17:05.113595 192.168.13.61.54878 > 157.56.144.215.3544: udp 61
1331: 18:17:13.120431 192.168.13.61.54878 > 157.56.144.215.3544: udp 61
1347: 18:17:19.216251 192.168.13.61.137 > 192.168.13.255.137: udp 50
1349: 18:17:19.222156 192.168.13.61.59914 > 224.0.0.252.5355: udp 22
1351: 18:17:19.222782 192.168.13.61.51215 > 224.0.0.252.5355: udp 22
1354: 18:17:19.625898 192.168.13.61.59914 > 224.0.0.252.5355: udp 22
1355: 18:17:19.640301 192.168.13.61.51215 > 224.0.0.252.5355: udp 22
1357: 18:17:19.960155 192.168.13.61.137 > 192.168.13.255.137: udp 50
1358: 18:17:20.711038 192.168.13.61.137 > 192.168.13.255.137: udp 50
1380: 18:17:29.141365 192.168.13.61.54878 > 157.56.144.215.3544: udp 61
1607: 18:18:01.178396 192.168.13.61.59033 > 224.0.0.252.5355: udp 30
1609: 18:18:01.435142 192.168.13.61.137 > 192.168.13.255.137: udp 50
1611: 18:18:01.438621 192.168.13.61.60026 > 224.0.0.252.5355: udp 22
1613: 18:18:01.439323 192.168.13.61.62864 > 224.0.0.252.5355: udp 22
1615: 18:18:01.556321 192.168.13.61.59033 > 224.0.0.252.5355: udp 30
1617: 18:18:01.852403 192.168.13.61.60026 > 224.0.0.252.5355: udp 22
1619: 18:18:01.855592 192.168.13.61.62864 > 224.0.0.252.5355: udp 22
1623: 18:18:01.992487 192.168.13.61.51085 > 224.0.0.252.5355: udp 30
1625: 18:18:02.205738 192.168.13.61.137 > 192.168.13.255.137: udp 50
1627: 18:18:02.403253 192.168.13.61.51085 > 224.0.0.252.5355: udp 30
1628: 18:18:02.954937 192.168.13.61.137 > 192.168.13.255.137: udp 50
1633: 18:18:04.393839 192.168.13.61.137 > 192.168.13.255.137: udp 50
1636: 18:18:04.397318 192.168.13.61.62878 > 224.0.0.252.5355: udp 22
1639: 18:18:04.805988 192.168.13.61.62878 > 224.0.0.252.5355: udp 22
1642: 18:18:05.143394 192.168.13.61.137 > 192.168.13.255.137: udp 50
1644: 18:18:05.906111 192.168.13.61.137 > 192.168.13.255.137: udp 50
1709: 18:18:21.675013 192.168.13.61.137 > 192.168.13.255.137: udp 50
1711: 18:18:21.686381 192.168.13.61.60734 > 224.0.0.252.5355: udp 22
1713: 18:18:21.686991 192.168.13.61.53861 > 224.0.0.252.5355: udp 22
1716: 18:18:22.085627 192.168.13.61.53861 > 224.0.0.252.5355: udp 22
1717: 18:18:22.086055 192.168.13.61.60734 > 224.0.0.252.5355: udp 22
1718: 18:18:22.431587 192.168.13.61.137 > 192.168.13.255.137: udp 50

Dinesh Moudgil · ‎03-08-2016

From the debug outputs, we can see that ICMP request is going out but we are not getting any ICMP reply.

ICMP echo request from inside:192.168.13.61 to outside1:100.69.192.179 ID=1 seq=194 len=32
ICMP echo request from inside:192.168.13.61 to outside1:100.69.192.179 ID=1 seq=195 len=32
ICMP echo request from inside:192.168.13.61 to outside1:100.69.192.179 ID=1 seq=196 len=32
ndICMP echo request from inside:192.168.13.61 to outside1:100.69.192.179 ID=1 seq=197 len=32

This proves that we are sending the packet but we are not getting any reply.
Does not look like ASA is doing anything fishy here and is working as expected.

Regards,
Dinesh Moudgil

P.S. Please rate helpful posts.

Cisco Network Security Channel - https://www.youtube.com/c/CiscoNetSec/

marcio.tormente · ‎03-08-2016

Thanks Dinesh!

I´ll see the other side.

Dinesh Moudgil · ‎03-08-2016

Glad to help Marcio !

Please let me know if you run into any issues.

Regards,
Dinesh Moudgil

P.S. Please rate helpful posts.

Cisco Network Security Channel - https://www.youtube.com/c/CiscoNetSec/

Aditya Ganjoo · ‎03-08-2016

Hi Marcio,

Could you share the sh run nat output ?

It can be the issue that we are having overlapping NAT statements.

Regards,

Aditya

Please rate helpful posts.

marcio.tormente · ‎03-08-2016

Hi,

Follow the command output

likasa# sh run nat
nat (inside,outside) source static any any destination static NETWORK_OBJ_192.168.14.0_25 NETWORK_OBJ_192.168.14.0_25 no-proxy-arp route-lookup
nat (inside,outside1) source static any any destination static NETWORK_OBJ_192.168.14.0_25 NETWORK_OBJ_192.168.14.0_25 no-proxy-arp route-lookup
nat (inside,outside1) source static LAN-NAT LAN-NAT destination static NETWORK_OBJ_192.168.14.0_25 NETWORK_OBJ_192.168.14.0_25 no-proxy-arp route-lookup
!
object network LAN-NAT
nat (inside,outside) dynamic interface
object network LAN-NAT1
nat (inside,outside1) dynamic interface
object network WiFi_Guest
nat (inside,outside1) dynamic interface
likasa#

Aditya Ganjoo · ‎03-08-2016

Hi Marcio,

Could you let us know what traffic are you testing for ?

What is the source and destination ?

Do we have a NAT statement for the traffic ?

Regards,

Aditya

Please rate helpful posts.

marcio.tormente · ‎03-08-2016

Aditya,

I trying to access SSH, but even ping I can´t.

There is no special NAT for this traffic.

This IP is from customer´s router and there is no ACL in this router.

The origem of the traffic is my inside network (192.168.13.0/24)