Binding inside nat statement to outermost interface

apavlikova
Community Member

Hello,

I think I've achieved ASA misconfiguration somehow.

After adding nat like that:

nat (wifiguest) 1 10.10.27.0 255.255.255.0

I got the warning:

WARNING: Binding inside nat statement to outermost interface.

WARNING: Keyword "outside" is probably missing.

*** Output from config line 128, "nat (wifiguest) 1 10.10.....

Do you know what could cause such warnings? I'll attach the configuration.

And something different has happened.

Anytime I want to see sh xlate, I'll get:

0 in use, 0 most used

Global 76.104.93.3 Local 0.0.0.0

Global 76.104.93.3 Local 0.0.0.0, but there is no such global nat available; such IP addresses aren't in the configuration at all

(sh run | in 76. = the result is zero). That IP address changes every time I reboot the ASA device.

I really appreciate any help.

Best regards,

Ada

4 Replies

gfullage
Cisco Employee

You have this in your config:

interface GigabitEthernet0/0

nameif outside

security-level 100

ip address [omitted]

where you've set the security-level of the outside interface to 100, the least secure it can be. This is a big no-no and I'm pretty sure you didn't mean to do this. Change this to 0 as soon as you can.

Because the outside int has inadvertently been set as the least secure interface, your most secure interface has become "wifiguest" also with a security-level of 0. You don't usually define nat statements for the least secure interface, unless you want to do a function called "outside NAT" which you probably don't if you don't know what it is. This is also what the error message is telling you.

I would recommend setting outside to security-level 0, defining wifiguest to security-level 1, then you'll be able to define a nat/global pair for them to access the outside int as normal.
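The recommendation above, written out as an added configuration example (not gfullage's or Cisco's own config): the interface levels as posted, then the corrected levels with a nat/global pair so that wifiguest hosts are translated on their way out. The outside address, mask and the wifiguest physical interface are placeholders the thread does not give; the wifiguest gateway address is an assumption inside the posted subnet.

```text
! --- As posted: outside at level 100, wifiguest at level 0 ---
interface GigabitEthernet0/0
 nameif outside
 security-level 100
 ip address <OUTSIDE-IP> <OUTSIDE-MASK>   ! placeholder, omitted in the thread
!
! With these levels wifiguest is the lowest-level (outermost) interface,
! so "nat (wifiguest) 1 ..." binds inside NAT to the outermost interface
! and the ASA warns that the keyword "outside" is probably missing.

! --- Corrected: outside at level 0, wifiguest one step above it ---
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address <OUTSIDE-IP> <OUTSIDE-MASK>   ! placeholder
!
interface <WIFIGUEST-INTERFACE>          ! placeholder, not shown in the thread
 nameif wifiguest
 security-level 1
 ip address 10.10.27.1 255.255.255.0      ! assumed gateway in the posted subnet
!
! nat/global pair: 10.10.27.0/24 on wifiguest is translated to the outside
! interface address (PAT) when traffic leaves through outside. The global
! pool id (1) must match the id used in the nat statement.
nat (wifiguest) 1 10.10.27.0 255.255.255.0
global (outside) 1 interface
```

After the change, `show xlate` should list translations only once a wifiguest host has actually sent traffic out; an empty table with a correct config just means nothing has been translated yet.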

Well, I definitely do not mean to do this and don't want to do outside NAT either. Sorry for wasting your time.

What's with the second issue?

a(config)# sh xlate

0 in use, 0 most used

Global 140.34.231.3 Local 0.0.0.0

a(config)# sh run | in 140.34.231.3

a(config)#

Thanks in advance.

P.S. Is it possible to delete (or take off) my previous .txt attachment, BTW?

Hello again,

I've already figured out what it is triggered by. It's dhcp relay enabling on the interface.

Thanks for help.

john.king
Community Member

Your usage of the nat statement may be wrong. nat (wifiguest) should be nat (inside) or (the name of your inside interface). The error message is telling you that the usage of the NAT command is wrong and you are probably using a name that doesn't match your interface name. Sh xlate will show any translations being used; if you have it misconfigured then there will be no translations.