Solved: Re: Packet Tracer - ASA NAT Problem

shugonaka · ‎10-06-2019

Hi all,

I created a simple network in Cisco Packet Tracer for testing a simulated internet access with an ASA5506 and a L3 switch.

I am trying to get PC0 ping 8.8.8.8 through the network but it fails with "Request timed out".

ASA0 can ping 8.8.8.8

Core L3 Switch has ip routing enabled.

Core L3 Switch can ping ASA0 and 8.8.8.8.

PC0 can ping Core L3 Switch and ASA0 inside interface but not outside interface.

8.8.8.8 can ping ASA0 outside interface.

When Core L3 Switch ping 8.8.8.8, I see a NAT translation in sh xlate command but when PC0 ping 8.8.8.8, nothing shows in sh xlate. So I am guessing it's a NAT problem but I can't seem to find the culprit despite it's a simple setup.

Here's the applicable ASA0 and the Core L3 SW config.

ASA0:

interface GigabitEthernet1/1

nameif inside

security-level 100

ip address 10.10.10.1 255.255.255.0

!

interface GigabitEthernet1/2

nameif outside

security-level 0

ip address 100.100.100.2 255.255.255.252

!

object network obj-lan

subnet 10.0.0.0 255.0.0.0

!

route outside 0.0.0.0 0.0.0.0 100.100.100.1 1

route inside 10.16.18.0 255.255.255.0 10.10.10.2 1

!

access-list acl-inside-out extended permit ip any any

access-list acl-outside-in extended permit icmp any any

!

access-group acl-inside-out in interface inside

access-group acl-outside-in in interface outside

object network obj-lan

nat (inside,outside) dynamic interface

!

Core L3 Switch:

no ip cef

ip routing

!

no ipv6 cef

!

spanning-tree mode pvst

!

interface GigabitEthernet1/0/1

switchport access vlan 18

switchport mode access

switchport nonegotiate

!

interface GigabitEthernet1/0/24

switchport access vlan 10

switchport mode access

switchport nonegotiate

!

interface Vlan1

no ip address

shutdown

!

interface Vlan10

mac-address 0001.428a.5e01

ip address 10.10.10.2 255.255.255.0

!

interface Vlan18

mac-address 0001.428a.5e02

ip address 10.16.18.1 255.255.255.0

!

ip classless

ip route 0.0.0.0 0.0.0.0 10.10.10.1

!

ip flow-export version 9

jalejand · ‎10-06-2019

You are likely hitting a packet tracer bug. Your configuration is fine.

Tried it on VIRL and it works:

ciscoasa# show xlate
1 in use, 1 most used
Flags: D - DNS, e - extended, I - identity, i - dynamic, r - portmap,
s - static, T - twice, N - net-to-net

ICMP PAT from inside:10.10.10.2/0 to outside:100.100.100.2/25215 flags ri idle 0:00:00 timeout 0:00:30
ciscoasa# show xlate
2 in use, 2 most used
Flags: D - DNS, e - extended, I - identity, i - dynamic, r - portmap,
s - static, T - twice, N - net-to-net

ICMP PAT from inside:10.10.10.2/0 to outside:100.100.100.2/25215 flags ri idle 0:00:09 timeout 0:00:30
ICMP PAT from inside:10.16.18.10/1 to outside:100.100.100.2/1 flags ri idle 0:00:00 timeout 0:00:30
ciscoasa#

Int config:

ASA Version 9.9(2) 
!
hostname ciscoasa
enable password $sha512$5000$LIuEniMbWtxU/3PSRiZerg==$UYUOp3RHITaZuEGhJOKe8Q== pbkdf2
names

!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 100.100.100.2 255.255.255.0 
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.10.10.1 255.255.255.0 
!

Router 2 has a loopack with your LAN subnet 10.16.18.0/24
Router 1 has a loopback with 8.8.8.8
LAN segments are the same.

View solution in original post

luis_cordova · ‎10-06-2019

Hi @shugonaka

PacketTracer bugs can be reported on this portal:

https://www.ptnetacad.net/bugzilla/enter_bug.cgi?product=Packet%20Tracer%207&Bugzilla_restrictlogin=on

Regards

View solution in original post

Georg Pauwen · ‎10-06-2019

Hello,

post your Packet Tracer project (.pkt) file, zip it first otherwise the system won't let you upload it...

shugonaka · ‎10-06-2019

Attached is the Packet Tracer pkt file. Thanks!

Deepak Kumar · ‎10-08-2019

Hi,

This is looking as Packet tracer bug and NAT is not working due to bug. I am getting untranslated packet on the router as

ICMP: echo reply sent, src 100.100.100.1, dst 10.16.18.10

ciscoasa#sho xlate
0 in use, 0 most used

ciscoasa#sho nat

Auto NAT Policies (Section 2)

1 (inside) to (outside) source dynamic obj-lan interface

translate_hits = 0, untranslate_hits = 0

2 (inside) to (outside) source dynamic obj-lan2 interface

translate_hits = 0, untranslate_hits = 0

(Tried with some custome object also).

Regards,
Deepak Kumar,
Don't forget to vote and accept the solution if this comment will help you!

jalejand · ‎10-06-2019

You are likely hitting a packet tracer bug. Your configuration is fine.

Tried it on VIRL and it works:

ciscoasa# show xlate
1 in use, 1 most used
Flags: D - DNS, e - extended, I - identity, i - dynamic, r - portmap,
s - static, T - twice, N - net-to-net

ICMP PAT from inside:10.10.10.2/0 to outside:100.100.100.2/25215 flags ri idle 0:00:00 timeout 0:00:30
ciscoasa# show xlate
2 in use, 2 most used
Flags: D - DNS, e - extended, I - identity, i - dynamic, r - portmap,
s - static, T - twice, N - net-to-net

ICMP PAT from inside:10.10.10.2/0 to outside:100.100.100.2/25215 flags ri idle 0:00:09 timeout 0:00:30
ICMP PAT from inside:10.16.18.10/1 to outside:100.100.100.2/1 flags ri idle 0:00:00 timeout 0:00:30
ciscoasa#

Int config:

ASA Version 9.9(2) 
!
hostname ciscoasa
enable password $sha512$5000$LIuEniMbWtxU/3PSRiZerg==$UYUOp3RHITaZuEGhJOKe8Q== pbkdf2
names

!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 100.100.100.2 255.255.255.0 
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.10.10.1 255.255.255.0 
!

Router 2 has a loopack with your LAN subnet 10.16.18.0/24
Router 1 has a loopback with 8.8.8.8
LAN segments are the same.

shugonaka · ‎10-06-2019

Thanks for looking into it! I'm glad it's not the config. Is there a Cisco portal to report and request for the big fix?

luis_cordova · ‎10-06-2019

Hi @shugonaka

PacketTracer bugs can be reported on this portal:

https://www.ptnetacad.net/bugzilla/enter_bug.cgi?product=Packet%20Tracer%207&Bugzilla_restrictlogin=on

Regards

shugonaka · ‎10-06-2019

Thanks for the link! Appreciate it.

Georg Pauwen · ‎10-07-2019

Hello,

on a side note, if you use the 5505 instead of the 5506-X and make some configuration changes, you can get it to work. I have attached the adapted project file where I replaced the 5506-X with the 5505. On the Core L3 Switch, make sure you configure 'ip proxy-arp' under interface Vlan 10 (it won't show up in the running config). On the ASA, change the mask of the inside interface to 255.0.0.0, so it matches your network object 'obj-lan':

Core L3 Switch

interface Vlan10
--> ip proxy-arp
mac-address 0001.428a.5e01
ip address 10.10.10.2 255.255.255.0

ASA Version 8.4(2)
!
hostname ciscoasa
names
!
interface Ethernet0/0

--> connected to Core L3 Switch
switchport access vlan 10
!
interface Ethernet0/1

--> connected to ISP Router
switchport access vlan 2
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
no nameif
no security-level
no ip address
shutdown
!
interface Vlan2
nameif outside
security-level 0
ip address 100.100.100.2 255.255.255.252
!
interface Vlan10
nameif inside
security-level 100
ip address 10.10.10.1 255.0.0.0
!
object network obj-lan
subnet 10.0.0.0 255.0.0.0
!
route outside 0.0.0.0 0.0.0.0 100.100.100.1 1
route inside 10.0.0.0 255.0.0.0 10.10.10.2 1
!
access-list IP extended permit ip any any
access-list ICMP extended permit icmp any any
!
access-group IP in interface inside
access-group ICMP in interface outside
!
object network obj-lan
nat (inside,outside) dynamic interface
!
class-map icmp-class
match default-inspection-traffic
!
policy-map icmp_policy
class icmp-class
inspect icmp
!
service-policy icmp_policy global
!
telnet timeout 5
ssh timeout 5
!

shugonaka · ‎10-07-2019

@Georg PauwenThis is a great workaround! I will give it a try. Thank you!

shugonaka · ‎10-08-2019

@Georg Pauwen,So I replaced ASA5506 with 5505 and made changes on the config per your suggestion but ping from PC0 still does not pass through the ASA. It is not being NAT'd. Ping from Core L3 Switch to outside still works as expected.

Maybe it's PT version specific bug? I have version 7.2.2.0418.

Georg Pauwen · ‎10-08-2019

Hello,

post the zipped project file with the 5505, I want to see if it works in my version...

Georg Pauwen · ‎10-09-2019

Also, did you open the file I sent (I reattached it) ? Does that not work either ?

I am using version 7.2.2.0418 by the way...

Deepak Kumar · ‎10-09-2019

Hi @Georg Pauwen

It is tested with 5505 and it is working. I also tested in the morning and your lab also. But we are facing this issue with 5506. I am not sure why but NATing is not happening.

The inspection may block the return traffic but as per debug logs, I am getting PC0 IP as the source on the router (ISP) in the ICMP packet.

Regards,
Deepak Kumar,
Don't forget to vote and accept the solution if this comment will help you!

shugonaka · ‎10-09-2019

@Georg Pauwen @Deepak Kumar, I just tested the rev.pkt and NAT was working. I went back into my pkt file again to find the differences and found nothing. I then ping from PC0 to 8.8.8.8 and it went through this time. It was NAT'd correctly on the ASA. Not sure why it did not work last night. In any case, thanks again for your time and help!