Traffic Other than ICMP does not Get Policy NATed

wittyenggs
Level 1

Hi Folks,

I have applied policy-based NAT on one ASA firewall. Assume that the source (inside) network is 192.168.1.0 and the destination (outside) network is 192.168.2.0. Using policy NAT I am translating the source subnet 192.168.1.0 to a global address 192.168.2.10.

access-list 1 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0

nat (inside) 15 access-list 1

global (outside) 15 192.168.2.10 netmask 255.255.255.255

Now what I observe is that when I ping a destination IP 192.168.2.20, the source IPs (192.168.1.0/24) get translated to 192.168.2.10.

However, when I try to RDP to the same system, the source IPs do not get translated.

I am completely perturbed as to why this inconsistency exists.

Kindly help.

5 Replies

Jouni Forss
VIP Alumni

Hi,

I don't know your exact software version, but can you confirm this with the "packet-tracer" command on the firewall as well and copy/paste the output here?

packet-tracer input inside tcp 192.168.1.100 12345 192.168.2.20 3389

- Jouni

Hi Jouni,

Thanks a lot for your reply. I had a query about the command: the source port can be anything, so is there any specific reason why you gave 12345?

Also, this firewall is in production and around 300 odd users are occupying the internal subnet. By running this command, will there be an increase in CPU utilization? If so, can you suggest some other method?

Hi,

Source port can usually be anything you want. There is no specific reason why I used that port in particular.

This is a very basic troubleshooting command on the Cisco firewalls. I would imagine it doesn't stress the firewall any more than an actual single connection forming through it, though it doesn't actually generate any traffic.

The command output will tell us information about the Routing, ACL and NAT related to the connection being simulated for example.

- Jouni

Hi Jouni,

I guess the software version 7.0(8) does not support this command. It's a Cisco ASA 5510 hardware. Can you provide an alternate solution for troubleshooting this issue?

Hi,

It might be that you would need 7.2 software if I remember correctly.

I would probably first check ASDM logs while testing the connection and see what translation and connection forming messages I see.

I would naturally look at the whole NAT configuration of the device, which I could go through to see if there is anything wrong there, in case some other NAT configuration is causing problems.

I would suggest considering an update for the firewall software. If you don't want major changes to the configuration format, then software 8.2(5) would probably be the newest version for you.

- Jouni
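As an added illustration (not code from the thread or from Cisco), the small evaluator below parses the three pre-8.3 NAT lines from the question and classifies a flow the way packet-tracer would report it. It confirms that `permit ip` matches ICMP and TCP alike, so the three lines alone cannot explain the split, and then adds a hypothetical NAT exemption (constructed, not from the thread) to show how one unrelated statement can leave RDP untranslated while pings still hit the policy NAT. The precedence it assumes (NAT exemption before dynamic policy NAT, policy NAT statements in configuration order) is stated as an assumption in the comments.

```python
import ipaddress

# Constructed from the three lines in the question (ASA 7.x-style syntax).
CONFIG = """
access-list 1 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
nat (inside) 15 access-list 1
global (outside) 15 192.168.2.10 netmask 255.255.255.255
"""

# Hypothetical extra statements (NOT from the thread): a NAT exemption whose
# ACL matches TCP only, the kind of "other NAT configuration" that would leave
# RDP untranslated while ICMP still hits the policy NAT.
CONFIG_WITH_EXEMPTION = CONFIG + """
access-list exempt permit tcp 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
nat (inside) 0 access-list exempt
"""

def parse(config):
    """Split the config into ACL entries, nat statements and global pools."""
    acls, nats, pools = {}, [], {}
    for line in config.splitlines():
        f = line.split()
        if not f:
            continue
        if f[0] == "access-list":  # access-list <name> permit <proto> <src> <mask> <dst> <mask>
            acls.setdefault(f[1], []).append(
                (f[3], ipaddress.ip_network(f"{f[4]}/{f[5]}"),
                 ipaddress.ip_network(f"{f[6]}/{f[7]}")))
        elif f[0] == "nat":        # nat (<iface>) <id> access-list <name>
            nats.append((int(f[2]), f[4]))
        elif f[0] == "global":     # global (<iface>) <id> <addr> netmask <mask>
            pools[int(f[2])] = f[3]
    return acls, nats, pools

def acl_match(entries, proto, src, dst):
    """'permit ip' covers every protocol; otherwise the protocol must match."""
    return any(p in ("ip", proto) and src in s and dst in d for p, s, d in entries)

def translate(config, proto, src, dst):
    """Return the mapped source address, 'exempt', or 'untranslated'.
    Assumed order: NAT exemption (nat 0 + ACL) is checked first, then
    dynamic policy NAT statements in the order they appear."""
    acls, nats, pools = parse(config)
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for nat_id, acl in nats:
        if nat_id == 0 and acl_match(acls.get(acl, []), proto, src, dst):
            return "exempt"
    for nat_id, acl in nats:
        if nat_id and acl_match(acls.get(acl, []), proto, src, dst):
            return pools.get(nat_id, "untranslated")
    return "untranslated"

if __name__ == "__main__":
    for cfg in (CONFIG, CONFIG_WITH_EXEMPTION):
        for proto in ("icmp", "tcp"):
            print(proto, translate(cfg, proto, "192.168.1.100", "192.168.2.20"))
```

If the real device's full NAT section, evaluated this way, translates both flows, the difference is coming from state outside the NAT rules, which is why the ASDM translation and connection-building messages Jouni mentions are the next thing to read.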
