
Issue with NAT return traffic

JHarpole
Level 1

I am having a huge issue with an ASA configuration. I have set this up in a simulation environment and with live gear, with the same results. When I configure NAT, the traffic from my internal network goes to the outside destination and a reply is sent, but it is dropped at the firewall. I have done a traffic capture and see the traffic arriving at the destination and see the return traffic, but it never makes it back in. My understanding is that the ASA will do traffic inspection by default, so this inspected traffic should be allowed back in; that is the concept of stateful inspection.

 

I am using an ASA 5506x (9.6).

 

**interfaces**

```
interface GigabitEthernet1/1
 nameif outside
 security-level 0
 ip address 172.16.0.1 255.255.255.0

interface GigabitEthernet1/2
 nameif inside
 security-level 100
 ip address 192.168.0.1 255.255.255.0
```

**objects**

```
object network inside_network
 subnet 192.168.0.0 255.255.255.0
```

**NAT**

```
object network inside_network
 nat (inside,outside) dynamic interface
```

 

Like I said, the traffic is getting out and is being translated, and is showing up with xlate; it is just not getting back in. I am pulling my hair out, as all the documentation I find says this is correct.

 

Thank you,

*** FULL CONFIG IN ATTACHED FILE ***

 

Accepted Solution

JHarpole
Level 1

I was able to get this working by adding in the following

 

```
class-map inspection_default
 match default-inspection-traffic

policy-map global_policy
 class inspection_default
  inspect http
  inspect icmp

service-policy global_policy global
```

 

Once I added this, traffic was flowing correctly. It was my understanding that the ASA would do a stateful inspection of outgoing traffic, so when I applied the NAT my assumption was that the traffic was getting inspected. Can anyone help me understand why it was not?

 

Also, when adding in the "inspect" lines in my current "simulated" environment, I only get the choices of dns, ftp, h323, http, icmp, tftp. Is there a "default" or "any" so the ASA will inspect all outgoing traffic?

 

Thank you for your help 
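As an added example that is not part of the thread, a small Python audit that parses ASA configuration text and reports whether ICMP inspection is applied through a global service policy. The ASA tracks TCP and UDP connections statefully with no `inspect` lines at all, but ICMP echo replies are only matched back to the outbound request when `inspect icmp` sits in a globally applied policy-map, which is why a ping-based test of a new NAT looks like broken return traffic. The two config strings are constructed from the commands quoted above: one with the accepted fix, one with no global policy.

```python
import re
# Constructed from the commands quoted in the thread; ORIGINAL lacks any global policy.
CONFIG_FIXED = """\
object network inside_network
 subnet 192.168.0.0 255.255.255.0
object network inside_network
 nat (inside,outside) dynamic interface
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect http
  inspect icmp
service-policy global_policy global
"""
CONFIG_ORIGINAL = CONFIG_FIXED.split("class-map")[0]

def parse_policy_maps(config):
    """Return {policy_map: {class_name: [inspected protocols]}} from ASA config text."""
    policies, current_pm, current_class = {}, None, None
    for line in config.splitlines():
        if not line.startswith(" "):  # a top-level command ends any policy-map block
            current_pm = current_class = None
        stripped = line.strip()
        m = re.match(r"policy-map (\S+)$", stripped)
        if m:
            current_pm = m.group(1)
            policies.setdefault(current_pm, {})
            continue
        m = re.match(r"class (\S+)$", stripped)
        if m and current_pm:
            current_class = m.group(1)
            policies[current_pm].setdefault(current_class, [])
            continue
        m = re.match(r"inspect (\S+)", stripped)
        if m and current_pm and current_class:
            policies[current_pm][current_class].append(m.group(1))
    return policies

def global_policy_name(config):
    """Name from 'service-policy <name> global', or None if no global policy is applied."""
    m = re.search(r"^service-policy (\S+) global$", config, re.M)
    return m.group(1) if m else None

def icmp_return_traffic_allowed(config):
    """True when the globally applied policy-map inspects icmp (echo replies then match
    the outbound request instead of being dropped); False if no such policy exists."""
    name = global_policy_name(config)
    classes = parse_policy_maps(config).get(name, {}) if name else {}
    return any("icmp" in protos for protos in classes.values())
```

Running the check against a real `show running-config` dump works the same way; only the indentation of the policy-map block matters to the parser.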
