11-08-2010 10:10 AM - edited 03-11-2019 12:06 PM
Hello Everybody,
I am configuring an ASA and I did the PAT and NAT. The PAT is global and all of the LAN pool goes out through the outside's IP address, but I have some problems with the static NAT:
Here is the config:
nat-control
global (Outside) 1 interface
nat (Inside) 1 Segmento-LAN 255.255.0.0
static (DMZ,Outside) 200.11.138.12 Server-WWW netmask 255.255.255.255
static (DMZ,Outside) 200.11.138.13 Server-Mail-Interno netmask 255.255.255.255
static (DMZ,Outside) 200.11.138.14 Server-Mail-Externo netmask 255.255.255.255
And here is the error:
3 | Mar 02 2003 | 03:15:33 | Server-WWW | portmap translation creation failed for icmp src Inside:192.168.2.244 dst DMZ:Server-WWW (type 8, code 0) |
Any idea what could be the cause??
Regards,
11-08-2010 10:15 AM
Hi Katherine,
The reason for these errors is that the ASA cannot find a NAT rule to use for this traffic. Since you have nat-control enabled, you'll need to have a NAT rule to match this traffic.
If you don't want to translate this traffic, you can configure something like the following:
access-list nonat permit ip <inside-network> <mask> <dmz-network> <mask>
nat (inside) 0 access-list nonat
If you do want the traffic to be translated, you could do something like this:
global (DMZ) 1 interface
Hope that helps.
-Mike
11-08-2010 11:12 AM
Hello,
Just to add something else, nat-control will make you do NAT or translation for every packet traversing the firewall from higher to lower. That is why you will need to use either nonat or the global inside; note that if you use the global inside, you will not be able to access internal resources from the DMZ to the inside using their real IP addresses.
If you use nat0 you will be able to access the DMZ plus the DMZ (if there is an access rule applied) will be able to access the inside network.
Hope this helps.
Mike
11-10-2010 06:36 AM
Hi Mike and Mike,
Thanks to your answers I could solve the problem. I did the following:
disable nat-control
And I added these commands:
access-list nonat extended permit ip 192.168.0.0 255.255.0.0 172.16.20.0 255.255.255.0
nat (Inside) 0 access-list nonat
And works!!!
11-10-2010 11:26 AM
Hello!! It's me again. Like I said before, my connectivity problem between the DMZ and the Inside was fixed, but I have a little problem. I have the following static NAT into the DMZ:
static (DMZ,outside) 200.11.138.12 172.16.20.10 netmask 255.255.255.255
static (DMZ,outside) 200.11.138.13 172.16.20.11 netmask 255.255.255.255
static (DMZ,outside) 200.11.138.14 172.16.20.12 netmask 255.255.255.255
I can access the servers from the outside without problem through the public addresses, and from the inside I can access them through the private addresses, but if I try to reach the servers from the inside network through the public addresses of the servers, I do not have access. And I do not have any rule that could block the traffic.
Any Idea??
11-10-2010 12:50 PM
Hello Kathy,
Hope you are doing great. If your DNS server is on the outside, you can add the keyword DNS to each one of the statics you have, or you can add the following lines:
static (DMZ,inside) 200.11.138.12 172.16.20.10 netmask 255.255.255.255
static (DMZ,inside) 200.11.138.13 172.16.20.11 netmask 255.255.255.255
static (DMZ,inside) 200.11.138.14 172.16.20.12 netmask 255.255.255.255
That is called destination NAT and you can find more information over here.
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807968c8.shtml
Hope it helps.
Mike
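To see how the pieces from this thread fit together, here is a consolidated pre-8.3 ASA configuration written as an added example; it is not configuration from any of the posts above. The addresses are the ones the poster used; the security levels, the access-list names and the permitted ports are assumptions.

```cisco
! Added example, not configuration from any post in this thread.
! Pre-8.3 ASA syntax. Assumed security levels: Inside 100, DMZ 50, Outside 0.
! Addresses are the poster's; access-list names and ports are assumptions.
! The poster turned nat-control off in the end. With it on, every
! higher-to-lower flow must match a translation rule, and a flow with no
! match is dropped with the "portmap translation creation failed" message.
no nat-control
!
! Inside -> Outside: dynamic PAT behind the outside interface address.
global (Outside) 1 interface
nat (Inside) 1 192.168.0.0 255.255.0.0
!
! Inside -> DMZ: NAT exemption keeps the real addresses on both sides, so
! DMZ hosts can also reach Inside hosts by real IP once an access rule on
! the DMZ interface allows it. This is the fix the poster adopted.
access-list nonat extended permit ip 192.168.0.0 255.255.0.0 172.16.20.0 255.255.255.0
nat (Inside) 0 access-list nonat
!
! Alternative: PAT Inside hosts behind the DMZ interface address instead.
! DMZ hosts then cannot reach Inside hosts by their real addresses.
! global (DMZ) 1 interface
!
! DMZ servers published on the Outside. The "dns" keyword rewrites A records
! in DNS replies crossing the ASA, so an inside client that asks an outside
! DNS server for a server's name receives 172.16.20.x instead of the public
! address (the first option in the last reply).
static (DMZ,Outside) 200.11.138.12 172.16.20.10 netmask 255.255.255.255 dns
static (DMZ,Outside) 200.11.138.13 172.16.20.11 netmask 255.255.255.255 dns
static (DMZ,Outside) 200.11.138.14 172.16.20.12 netmask 255.255.255.255 dns
!
! Second option: present the same public addresses on the Inside interface,
! so inside hosts can use 200.11.138.x directly (destination NAT).
static (DMZ,Inside) 200.11.138.12 172.16.20.10 netmask 255.255.255.255
static (DMZ,Inside) 200.11.138.13 172.16.20.11 netmask 255.255.255.255
static (DMZ,Inside) 200.11.138.14 172.16.20.12 netmask 255.255.255.255
!
! Higher-to-lower traffic passes by default once it translates; lower-to-
! higher (Outside -> DMZ, DMZ -> Inside) also needs an access rule. On
! pre-8.3 the outside ACL references the mapped (public) address.
access-list outside_in extended permit tcp any host 200.11.138.12 eq www
access-list outside_in extended permit tcp any host 200.11.138.13 eq smtp
access-group outside_in in interface Outside
```

Only one of the two Inside->DMZ approaches (exemption or global (DMZ)) should be active at a time, which is why the second is left commented out.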