Can you share the output of

Chad Campbell · ‎12-10-2015

Guys,

I am trying to get my Anyconnect client 192.168.17.0 /24 to get to 10.45.2.4 (outside), and use the following network ip 10.120.253/24. But I am getting the below error message when I run a packet tracer. What does it mean that there is no matching global?

access-list NAT-CORP extended permit ip 192.168.17.0 255.255.255.0 10.0.0.0 255.0.0.0

static (outside,outside) 10.120.253.0 access-list NAT-CORP

Phase: 10

Type: NAT

Subtype:

Result: DROP

Config:

nat (inside) 1 0.0.0.0 0.0.0.0

match ip inside any inside any

dynamic translation to pool 1 (No matching global)

translate_hits = 97, untranslate_hits = 0

Additional Information:

Forward Flow based lookup yields rule:

in id=0xabc4f618, priority=1, domain=nat, deny=false

hits=1178685, user_data=0xabc4f558, cs_id=0x0, flags=0x0, protocol=0

src ip=0.0.0.0, mask=0.0.0.0, port=0

dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

packet-tracer input inside icmp 192.168.17.118 8 0 10.45.2.4 det

Phase: 1

Type: CAPTURE

Subtype:

Result: ALLOW

Config:

Additional Information:

Forward Flow based lookup yields rule:

in id=0xaf8f5c60, priority=12, domain=capture, deny=false

hits=26026931037, user_data=0xafad6c28, cs_id=0x0, l3_type=0x0

src mac=0000.0000.0000, mask=0000.0000.0000

dst mac=0000.0000.0000, mask=0000.0000.0000

Phase: 2

Type: ACCESS-LIST

Subtype:

Result: ALLOW

Config:

Implicit Rule

Additional Information:

Forward Flow based lookup yields rule:

in id=0xab8c8d98, priority=1, domain=permit, deny=false

hits=13489429595, user_data=0x0, cs_id=0x0, l3_type=0x8

src mac=0000.0000.0000, mask=0000.0000.0000

dst mac=0000.0000.0000, mask=0100.0000.0000

Phase: 3

Type: ROUTE-LOOKUP

Subtype: input

Result: ALLOW

Config:

Additional Information:

in 10.0.0.0 255.0.0.0 inside

Phase: 4

Type: ACCESS-LIST

Subtype: log

Result: ALLOW

Config:

access-group inside_access_in in interface inside

access-list inside_access_in extended permit ip any any

access-list inside_access_in remark Temporarily allow internet access RO 10/22/12

Additional Information:

Forward Flow based lookup yields rule:

in id=0xabc9be18, priority=12, domain=permit, deny=false

hits=504856609, user_data=0xa8b08400, cs_id=0x0, flags=0x0, protocol=0

src ip=0.0.0.0, mask=0.0.0.0, port=0

dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 5

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Forward Flow based lookup yields rule:

in id=0xab8cb948, priority=0, domain=inspect-ip-options, deny=true

hits=987894669, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0

src ip=0.0.0.0, mask=0.0.0.0, port=0

dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 6

Type: INSPECT

Subtype: np-inspect

Result: ALLOW

Config:

Additional Information:

Forward Flow based lookup yields rule:

in id=0xab8cb5c0, priority=66, domain=inspect-icmp-error, deny=false

hits=83512857, user_data=0xab8cb4a8, cs_id=0x0, use_real_addr, flags=0x0, protocol=1

src ip=0.0.0.0, mask=0.0.0.0, port=0

dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 7

Type:

Subtype:

Result: ALLOW

Config:

Additional Information:

Forward Flow based lookup yields rule:

in id=0xaedb9800, priority=17, domain=flow-export, deny=false

hits=807619908, user_data=0xae491400, cs_id=0x0, flags=0x0, protocol=0

src ip=0.0.0.0, mask=0.0.0.0, port=0

dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 8

Type: DEBUG-ICMP

Subtype:

Result: ALLOW

Config:

Additional Information:

Forward Flow based lookup yields rule:

in id=0xb0384c78, priority=12, domain=debug-icmp-trace, deny=false

hits=79593576, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=1

src ip=0.0.0.0, mask=0.0.0.0, port=0

dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 9

Type: NAT-EXEMPT

Subtype: rpf-check

Result: ALLOW

Config:

match ip inside any inside 192.168.17.0 255.255.255.0

NAT exempt

translate_hits = 0, untranslate_hits = 10

Additional Information:

Forward Flow based lookup yields rule:

in id=0xabc00928, priority=6, domain=nat-exempt-reverse, deny=false

hits=10, user_data=0xabc006b8, cs_id=0x0, use_real_addr, flags=0x0, protocol=0

src ip=192.168.17.0, mask=255.255.255.0, port=0

dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 10

Type: NAT

Subtype:

Result: DROP

Config:

nat (inside) 1 0.0.0.0 0.0.0.0

match ip inside any inside any

dynamic translation to pool 1 (No matching global)

translate_hits = 97, untranslate_hits = 0

Additional Information:

Forward Flow based lookup yields rule:

in id=0xabc4f618, priority=1, domain=nat, deny=false

hits=1178685, user_data=0xabc4f558, cs_id=0x0, flags=0x0, protocol=0

src ip=0.0.0.0, mask=0.0.0.0, port=0

dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Result:

input-interface: inside

input-status: up

input-line-status: up

output-interface: inside

output-status: up

output-line-status: up

Action: drop

Drop-reason: (acl-drop) Flow is denied by configured rule

Andre Neethling · ‎12-10-2015

Can you share the output of sh nat ? The nat statement you shared is outside-outside but the packet tracer is inside-outside. Can you also share your config?

No Matching Global error