12-10-2015 07:18 AM - edited 03-12-2019 12:01 AM
Guys,
I am trying to get my AnyConnect client 192.168.17.0/24 to get to 10.45.2.4 (outside), and use the following network IP 10.120.253/24. But I am getting the below error message when I run a packet tracer. What does it mean that there is no matching global?
access-list NAT-CORP extended permit ip 192.168.17.0 255.255.255.0 10.0.0.0 255.0.0.0
static (outside,outside) 10.120.253.0 access-list NAT-CORP
Phase: 10
Type: NAT
Subtype:
Result: DROP
Config:
nat (inside) 1 0.0.0.0 0.0.0.0
match ip inside any inside any
dynamic translation to pool 1 (No matching global)
translate_hits = 97, untranslate_hits = 0
Additional Information:
Forward Flow based lookup yields rule:
in id=0xabc4f618, priority=1, domain=nat, deny=false
hits=1178685, user_data=0xabc4f558, cs_id=0x0, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
packet-tracer input inside icmp 192.168.17.118 8 0 10.45.2.4 det
Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xaf8f5c60, priority=12, domain=capture, deny=false
hits=26026931037, user_data=0xafad6c28, cs_id=0x0, l3_type=0x0
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0000.0000.0000
Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0xab8c8d98, priority=1, domain=permit, deny=false
hits=13489429595, user_data=0x0, cs_id=0x0, l3_type=0x8
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0100.0000.0000
Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 10.0.0.0 255.0.0.0 inside
Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside_access_in in interface inside
access-list inside_access_in extended permit ip any any
access-list inside_access_in remark Temporarily allow internet access RO 10/22/12
Additional Information:
Forward Flow based lookup yields rule:
in id=0xabc9be18, priority=12, domain=permit, deny=false
hits=504856609, user_data=0xa8b08400, cs_id=0x0, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xab8cb948, priority=0, domain=inspect-ip-options, deny=true
hits=987894669, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 6
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xab8cb5c0, priority=66, domain=inspect-icmp-error, deny=false
hits=83512857, user_data=0xab8cb4a8, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 7
Type:
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xaedb9800, priority=17, domain=flow-export, deny=false
hits=807619908, user_data=0xae491400, cs_id=0x0, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 8
Type: DEBUG-ICMP
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xb0384c78, priority=12, domain=debug-icmp-trace, deny=false
hits=79593576, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=1
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 9
Type: NAT-EXEMPT
Subtype: rpf-check
Result: ALLOW
Config:
match ip inside any inside 192.168.17.0 255.255.255.0
NAT exempt
translate_hits = 0, untranslate_hits = 10
Additional Information:
Forward Flow based lookup yields rule:
in id=0xabc00928, priority=6, domain=nat-exempt-reverse, deny=false
hits=10, user_data=0xabc006b8, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip=192.168.17.0, mask=255.255.255.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 10
Type: NAT
Subtype:
Result: DROP
Config:
nat (inside) 1 0.0.0.0 0.0.0.0
match ip inside any inside any
dynamic translation to pool 1 (No matching global)
translate_hits = 97, untranslate_hits = 0
Additional Information:
Forward Flow based lookup yields rule:
in id=0xabc4f618, priority=1, domain=nat, deny=false
hits=1178685, user_data=0xabc4f558, cs_id=0x0, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
12-10-2015 11:20 PM
Can you share the output of sh nat? The nat statement you shared is outside-outside but the packet tracer is inside-outside. Can you also share your config?
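For reading a trace like the one in this thread, here is an added example (not part of either post) that parses packet-tracer text, finds the first DROP phase, and compares the input and output interfaces from the final summary. The function names `parse_trace` and `diagnose` are hypothetical, the sample is constructed in the layout shown above, and the reading of "No matching global" assumes the pre-8.3 pairing of `nat` and `global` statements by pool ID.

```python
import re

# Constructed sample: abbreviated packet-tracer output in the layout of the post above.
SAMPLE = """\
Phase: 9
Type: NAT-EXEMPT
Result: ALLOW
Phase: 10
Type: NAT
Result: DROP
Config:
nat (inside) 1 0.0.0.0 0.0.0.0
dynamic translation to pool 1 (No matching global)
Result:
input-interface: inside
output-interface: inside
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

def parse_trace(text):
    phases, summary, cur, mode = [], {}, None, "head"
    for line in map(str.strip, text.splitlines()):
        m = re.fullmatch(r"Phase:\s*(\d+)", line)
        key, sep, val = line.partition(":")
        if m:                                   # a new phase block starts
            cur, mode = {"phase": int(m.group(1)), "config": []}, "head"
            phases.append(cur)
        elif line == "Result:":                 # bare "Result:" opens the final summary
            mode = "summary"
        elif mode == "summary" and sep:
            summary[key.lower()] = val.strip()
        elif line in ("Config:", "Additional Information:"):
            mode = "config" if line == "Config:" else "info"
        elif mode == "config" and line and cur:
            cur["config"].append(line)          # rule text the phase matched
        elif mode == "head" and cur and key in ("Type", "Subtype", "Result"):
            cur[key.lower()] = val.strip()
    return phases, summary

def diagnose(text):
    phases, summary = parse_trace(text)
    drop = next((p for p in phases if p.get("result") == "DROP"), None)
    notes = [f"phase {drop['phase']} ({drop.get('type')}) dropped the flow"] if drop else []
    if drop and any("No matching global" in c for c in drop["config"]):
        # Assumption: pre-8.3 syntax, where nat (if) N needs a global (egress-if) N.
        notes.append("nat rule matched, but no global with that pool ID on the egress interface")
    i, o = summary.get("input-interface"), summary.get("output-interface")
    if i and i == o:                            # same interface in and out
        notes.append(f"ingress and egress are both '{i}'; check routing and the chosen input interface")
    return drop, notes
```

Running `diagnose` on the full trace from the first post gives the same three notes: the drop is in phase 10, and the summary shows `inside` as both input and output interface.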