12-10-2015 07:18 AM - edited 03-12-2019 12:01 AM
Guys,
I am trying to get my AnyConnect client 192.168.17.0/24 to get to 10.45.2.4 (outside), and use the following network IP 10.120.253/24. But I am getting the below error message when I run a packet tracer. What does it mean that there is no matching global?
access-list NAT-CORP extended permit ip 192.168.17.0 255.255.255.0 10.0.0.0 255.0.0.0
static (outside,outside) 10.120.253.0 access-list NAT-CORP
Phase: 10
Type: NAT
Subtype:
Result: DROP
Config:
nat (inside) 1 0.0.0.0 0.0.0.0
match ip inside any inside any
dynamic translation to pool 1 (No matching global)
translate_hits = 97, untranslate_hits = 0
Additional Information:
Forward Flow based lookup yields rule:
in id=0xabc4f618, priority=1, domain=nat, deny=false
hits=1178685, user_data=0xabc4f558, cs_id=0x0, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
packet-tracer input inside icmp 192.168.17.118 8 0 10.45.2.4 det
Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xaf8f5c60, priority=12, domain=capture, deny=false
hits=26026931037, user_data=0xafad6c28, cs_id=0x0, l3_type=0x0
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0000.0000.0000
Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0xab8c8d98, priority=1, domain=permit, deny=false
hits=13489429595, user_data=0x0, cs_id=0x0, l3_type=0x8
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0100.0000.0000
Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 10.0.0.0 255.0.0.0 inside
Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside_access_in in interface inside
access-list inside_access_in extended permit ip any any
access-list inside_access_in remark Temporarily allow internet access RO 10/22/12
Additional Information:
Forward Flow based lookup yields rule:
in id=0xabc9be18, priority=12, domain=permit, deny=false
hits=504856609, user_data=0xa8b08400, cs_id=0x0, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xab8cb948, priority=0, domain=inspect-ip-options, deny=true
hits=987894669, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 6
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xab8cb5c0, priority=66, domain=inspect-icmp-error, deny=false
hits=83512857, user_data=0xab8cb4a8, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 7
Type:
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xaedb9800, priority=17, domain=flow-export, deny=false
hits=807619908, user_data=0xae491400, cs_id=0x0, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 8
Type: DEBUG-ICMP
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xb0384c78, priority=12, domain=debug-icmp-trace, deny=false
hits=79593576, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=1
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 9
Type: NAT-EXEMPT
Subtype: rpf-check
Result: ALLOW
Config:
match ip inside any inside 192.168.17.0 255.255.255.0
NAT exempt
translate_hits = 0, untranslate_hits = 10
Additional Information:
Forward Flow based lookup yields rule:
in id=0xabc00928, priority=6, domain=nat-exempt-reverse, deny=false
hits=10, user_data=0xabc006b8, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip=192.168.17.0, mask=255.255.255.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 10
Type: NAT
Subtype:
Result: DROP
Config:
nat (inside) 1 0.0.0.0 0.0.0.0
match ip inside any inside any
dynamic translation to pool 1 (No matching global)
translate_hits = 97, untranslate_hits = 0
Additional Information:
Forward Flow based lookup yields rule:
in id=0xabc4f618, priority=1, domain=nat, deny=false
hits=1178685, user_data=0xabc4f558, cs_id=0x0, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
12-10-2015 11:20 PM
Can you share the output of sh nat? The NAT statement you shared is outside-outside, but the packet tracer is inside-outside. Can you also share your config?
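Added example, not part of the original posts: a small Python parser for the packet-tracer output in the question that pulls out the dropping phase, the NAT pool flagged "No matching global", and the ingress/egress interfaces the ASA selected. The sample text is a constructed excerpt of the posted trace, and the function name `summarize` is hypothetical.

```python
import re

# Constructed excerpt of the packet-tracer output posted in the question.
SAMPLE = """\
Phase: 9
Type: NAT-EXEMPT
Result: ALLOW
Phase: 10
Type: NAT
Result: DROP
Config:
nat (inside) 1 0.0.0.0 0.0.0.0
match ip inside any inside any
dynamic translation to pool 1 (No matching global)
Result:
input-interface: inside
output-interface: inside
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

def summarize(trace):
    """Return first DROP phase, chosen interfaces and the NAT pool lacking a global."""
    phases, cur, out = [], None, {}
    for line in (raw.strip() for raw in trace.splitlines()):
        if m := re.match(r"Phase:\s*(\d+)", line):
            cur = {"phase": int(m.group(1)), "type": "", "result": "", "pool": None}
            phases.append(cur)
        elif m := re.match(r"(input|output)-interface:\s*(\S+)", line):
            out[m.group(1)] = m.group(2)
        elif m := re.match(r"Drop-reason:\s*(.+)", line):
            out["reason"] = m.group(1)
        elif cur is None:
            continue
        elif m := re.match(r"Type:\s*(.*)", line):
            cur["type"] = m.group(1)
        elif m := re.match(r"Result:\s*(\S+)", line):  # bare "Result:" is the footer
            cur["result"] = m.group(1)
        elif m := re.search(r"pool (\d+) \(No matching global\)", line):
            cur["pool"] = int(m.group(1))
    out["drop"] = next((p for p in phases if p["result"] == "DROP"), None)
    # Same ingress and egress interface means the ASA routed the flow back out
    # the interface it was injected on.
    out["same_interface"] = out.get("input") == out.get("output")
    return out

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

In pre-8.3 ASA syntax a `nat (inside) 1` rule needs a `global` statement with the same ID on the egress interface, so the pool number and the output interface reported here are the two values to compare against the configuration.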