Packet Tracer NAT ASA

JS Ouellet
Level 1

Hi,

I configured a topology with L3 SVIs:

10.10.10.0/24   PCs
10.10.20.0/24   PCs
10.10.30.0/24   PCs
192.168.5.0/24  DHCP server
192.168.66.0/24 ASA inside

 

I use EIGRP to distribute routes.

Everything works as expected, but not the firewall NAT.

 

I use auto NAT:

 

object network OBJ_GENERIC_ALL
subnet 0.0.0.0 0.0.0.0
nat (inside,outside) dynamic interface

 

I checked with a simulation-mode ICMP PDU: the firewall NATs only the traffic from its inside network, 192.168.66.0.

Attachments: Nat ok.PNG, No Nat.PNG, topology.PNG
If I try to ping from a node in another network, the source address passes through the firewall un-NATed.

 

 

The enable password on all devices is: toto

 

What is wrong with my config?

JS

10 Replies

Francesco Molino
VIP Alumni
Hi

You want to NAT your 5 internal subnets to your ASA outside interface when communicating with external services? Is EIGRP done between your switch and the ASA?
Can you share your asa config please?

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Muhammad Awais Khan
Cisco Employee

Your configuration looks good. Can you share your complete config?

 

 

BarinderGhuman
Level 1

Hi,

 

I can see that you have configured dynamic NAT. It works only if your traffic initiates from inside: it dynamically maps the source of the outgoing packet and keeps a session for the return traffic.

 

You need to either use port mapping if you want to reach the internal network using the ASA's outside IP address, or configure static NAT.

 

Cheers,

Barinder Singh Ghuman

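Barinder's point above (dynamic NAT builds a translation only for inside-initiated flows and uses it for the replies) as an added Python model, not code from the thread or from Cisco. It uses the thread's addresses (ASA inside 192.168.66.1/24, outside 24.24.24.226, hosts in 10.10.10.0/24) and the posted rule `nat (inside,outside) dynamic interface` on `subnet 0.0.0.0 0.0.0.0`; ICMP echo IDs are treated like ports, and the `pt_bug` flag only reproduces the behaviour the original poster observed in Packet Tracer (translation restricted to the connected inside subnet), which is an assumption about the symptom, not a statement about Packet Tracer internals.

```python
import ipaddress
from dataclasses import dataclass, field

OUTSIDE_IP = "24.24.24.226"                                  # ASA outside interface (from the thread)
INSIDE_CONNECTED = ipaddress.ip_network("192.168.66.0/24")   # subnet directly on the inside interface
RULE_SUBNET = ipaddress.ip_network("0.0.0.0/0")              # object OBJ_GENERIC_ALL: subnet 0.0.0.0 0.0.0.0


@dataclass
class AsaPat:
    """Toy model of one dynamic interface PAT rule and its xlate table (assumption: simplified)."""
    pt_bug: bool = False          # True: mimic the symptom seen in Packet Tracer (only 192.168.66.0/24 is translated)
    next_port: int = 1024
    xlate: dict = field(default_factory=dict)   # (real_ip, real_port) -> mapped_port
    rev: dict = field(default_factory=dict)     # mapped_port -> (real_ip, real_port)

    def matches(self, src):
        ip = ipaddress.ip_address(src)
        return ip in INSIDE_CONNECTED if self.pt_bug else ip in RULE_SUBNET

    def forward(self, ingress_if, src, sport, dst, dport):
        """Return the packet (src, sport, dst, dport) as it leaves the ASA, or None if dropped."""
        if ingress_if == "inside":
            if not self.matches(src):
                return (src, sport, dst, dport)        # no NAT rule hit: leaves untranslated
            key = (src, sport)
            if key not in self.xlate:                  # first packet of the flow builds the xlate
                self.xlate[key] = self.next_port
                self.rev[self.next_port] = key
                self.next_port += 1
            return (OUTSIDE_IP, self.xlate[key], dst, dport)
        # outside -> inside: only replies that hit an existing PAT entry are un-translated
        if dst == OUTSIDE_IP and dport in self.rev:
            real_ip, real_port = self.rev[dport]
            return (src, sport, real_ip, real_port)
        return None                                    # no xlate: outside-initiated traffic is dropped


def run(pt_bug=False):
    """Constructed flow: 10.10.10.5 queries 8.8.8.8, the reply comes back, then an unsolicited probe arrives."""
    asa = AsaPat(pt_bug=pt_bug)
    egress = asa.forward("inside", "10.10.10.5", 40000, "8.8.8.8", 53)
    reply = asa.forward("outside", "8.8.8.8", 53, egress[0], egress[1])
    unsolicited = asa.forward("outside", "203.0.113.9", 5555, OUTSIDE_IP, 40000)
    return egress, reply, unsolicited


if __name__ == "__main__":
    print("real ASA behaviour:", run())
    print("observed PT symptom:", run(pt_bug=True))
```

With `pt_bug=True` the 10.10.10.5 packet leaves with its private source and the reply, addressed to that private host, never matches an xlate and is dropped, which is the "No Nat" capture from the first post.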

Hello,

 

If possible, post the zipped Packet Tracer project (.pkt) file...

Hi,

 

Here is my Packet Tracer lab file. The enable password is: toto. I had success with NAT using a router with dynamic NAT and an IP pool. I still don't know how to configure the ASA correctly.

 

The firewall config:

ASA Version 9.6(1)
!
hostname ASA5506
domain-name test.com
enable password j/LunF5bRjBb71wO encrypted
names
!
interface GigabitEthernet1/1
 nameif inside
 security-level 100
 ip address 192.168.66.1 255.255.255.0
!
interface GigabitEthernet1/2
 nameif outside
 security-level 0
 ip address 24.24.24.226 255.255.255.252
!
interface GigabitEthernet1/3
 no nameif
 no security-level
 no ip address
 shutdown
!
interface GigabitEthernet1/4
 no nameif
 no security-level
 no ip address
 shutdown
!
interface GigabitEthernet1/5
 no nameif
 no security-level
 no ip address
 shutdown
!
interface GigabitEthernet1/6
 no nameif
 no security-level
 no ip address
 shutdown
!
interface GigabitEthernet1/7
 no nameif
 no security-level
 no ip address
 shutdown
!
interface GigabitEthernet1/8
 no nameif
 no security-level
 no ip address
 shutdown
!
interface Management1/1
 management-only
 no nameif
 no security-level
 no ip address
!
object network OBJ_GENERIC_ALL
 subnet 0.0.0.0 0.0.0.0
!
route outside 0.0.0.0 0.0.0.0 24.24.24.225 1
!
access-list inside_to_internet extended permit tcp any any
access-list inside_to_internet extended permit icmp any any
!
access-group inside_to_internet in interface outside
object network OBJ_GENERIC_ALL
 nat (inside,outside) dynamic interface
!
class-map inspection_default
 match default-inspection-traffic
!
policy-map global_policy
 class inspection_default
  inspect icmp
!
service-policy global_policy global
!
telnet timeout 5
ssh timeout 5
!
router eigrp 1
 eigrp router-id 192.168.66.1
 network 192.168.0.0 0.0.255.255
!
ASA5506#

Hi,

 

Is the bug documented somewhere in the Cisco bug lists? Where can I find that? I will review it before posting if I get another odd behaviour.

 

Thanks all for replies.

 

Hello,

 

actually, I did some testing, and it still does not work. The 'proxy-arp' only seems to work if all subnets belong to the same supernet. You have 192.168 and 10 networks, so the 'solution' does not work.

 

That said, is this a lab test for a production environment, or an assignment within Packet Tracer? If it is the first, I would not worry about it, since the configuration will work fine on a real device...

It didn't work for me either.

I use Packet Tracer now to refresh my knowledge; it's a lot of fun. I now use a router in my lab to do dynamic NAT with an IP pool, and it works fine.

Thanks for your support.

JS


Hello,

 

Packet Tracer can be useful, but it does not have fully featured IOS or ASA OS versions, only a subset of the commands. So things sometimes might not work as expected...
