04-04-2013 01:07 AM - edited 03-11-2019 06:23 PM
Hi Folks,
I have applied policy based NAT on one ASA firewall. Assume that the source (inside) network is 192.168.1.0 and the destination (outside) network is 192.168.2.0. Now using Policy NAT I am translating the source subnet 192.168.1.0 to a global address 192.168.2.10.
access-list 1 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
nat (inside) 15 access-list 1
global (outside) 15 192.168.2.10 netmask 255.255.255.255
Now what I observe is that when I ping a destination IP 192.168.2.20, the source IPs (192.168.1.0/24) get translated to 192.168.2.10.
However, when I try to take RDP to the same system, the source IPs do not get translated.
And I am completely perturbed as to why there is this inconsistency.
Kindly Help.
04-04-2013 02:32 AM
Hi,
I don't know your exact software version, but can you confirm this with the "packet-tracer" command on the firewall also and copy/paste the output here.
packet-tracer input inside tcp 192.168.1.100 12345 192.168.2.20 3389
- Jouni
04-04-2013 04:20 AM
Hi Jouni,
Thanks a lot for your reply. I had a query with the command: the source port can be anything... any specific reason why you gave 12345?
Also, this firewall is in production and around 300 odd users are occupying the internal subnet. By running this command, will there be an increase in the CPU utilization? If so, then can you suggest some other method, maybe?
04-04-2013 04:45 AM
Hi,
Source port can usually be anything you want. There is no specific reason why I used that port in particular.
This is a very basic troubleshooting command on the Cisco firewalls. I would imagine it doesn't stress the firewall any more than an actual single connection forming through it, though it doesn't actually generate any traffic.
The command output will tell us information about the Routing, ACL and NAT related to the connection being simulated for example.
- Jouni
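To make the expected behaviour of the quoted configuration concrete, here is a small added example (not from the thread or from Cisco) that simulates what packet-tracer's ACL and NAT steps check for the pre-8.3 policy-NAT lines in the first post: it parses the three lines, matches a flow against the ACL, and returns the global address. Because the ACL permits `ip`, both the ICMP ping and the TCP/3389 RDP flow from 192.168.1.100 to 192.168.2.20 should receive the same translation; it models only these three lines, not the ASA's full NAT order of operations (nat 0, static, regular nat) or routing, which is why a real packet-tracer or the full NAT config is still needed to explain the discrepancy.

```python
import ipaddress

# Constructed sample: the policy-NAT lines quoted in the first post (pre-8.3 syntax).
CONFIG = """
access-list 1 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
nat (inside) 15 access-list 1
global (outside) 15 192.168.2.10 netmask 255.255.255.255
"""

def parse_config(text):
    """Collect ACL entries, nat statements and global pools from the config lines."""
    acls, nats, globals_ = {}, [], {}
    for line in text.strip().splitlines():
        f = line.split()
        if f[0] == "access-list":
            # access-list <name> permit|deny <proto> <src> <mask> <dst> <mask>
            src = ipaddress.ip_network(f"{f[4]}/{f[5]}")
            dst = ipaddress.ip_network(f"{f[6]}/{f[7]}")
            acls.setdefault(f[1], []).append((f[2], f[3], src, dst))
        elif f[0] == "nat":
            # nat (<iface>) <id> access-list <name>
            nats.append((f[1].strip("()"), int(f[2]), f[4]))
        elif f[0] == "global":
            # global (<iface>) <id> <address> netmask <mask>
            globals_[(f[1].strip("()"), int(f[2]))] = f[3]
    return acls, nats, globals_

def acl_matches(entries, proto, src, dst):
    """First-match ACL evaluation; 'ip' in the ACE covers every protocol."""
    for action, acl_proto, s_net, d_net in entries:
        proto_ok = acl_proto in ("ip", proto)
        if proto_ok and src in s_net and dst in d_net:
            return action == "permit"
    return False

def translate(config, in_iface, out_iface, proto, src, dst):
    """Return the translated source address for a flow, or None if no policy NAT matches."""
    acls, nats, globals_ = parse_config(config)
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for iface, nat_id, acl_name in nats:
        if iface == in_iface and acl_matches(acls.get(acl_name, []), proto, src, dst):
            return globals_.get((out_iface, nat_id))
    return None

if __name__ == "__main__":
    for proto in ("icmp", "tcp"):
        print(proto, "->", translate(CONFIG, "inside", "outside", proto,
                                     "192.168.1.100", "192.168.2.20"))
```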
04-04-2013 05:33 AM
Hi Jouni,
I guess the software version 7.0(8) does not support this command. It's a Cisco ASA 5510 hardware. Can you provide an alternate solution for troubleshooting this issue?
04-04-2013 05:39 AM
Hi,
It might be that you would need 7.2 software if I remember correctly.
I would probably first check ASDM logs while testing the connection and see what translation and connection forming messages I see.
I would naturally see the whole NAT configuration of the device which I could go through to see if there is anything wrong there. If there is possibly some other NAT configuration causing problems.
I would suggest considering an update for the firewall software. If you don't want major changes to the configuration format, then software 8.2(5) would probably be the newest version for you.
- Jouni