
Question about Static NAT in the ASA


Hi!!

I hope the ASA will NAT 192.168.247.15 to 94.16!!

So I configured NAT.

However, an external server cannot ping 94.16.

Have I made a mistake in the configuration?

I have attached the config.

-----------------------------------------------------------------

Interface Configured

interface Redundant1
 member-interface GigabitEthernet1/1
 member-interface GigabitEthernet1/2
 nameif OA
 security-level 0
 ip address 192.168.94.11 255.255.255.0
!
interface Redundant2
 member-interface GigabitEthernet1/7
 member-interface GigabitEthernet1/8
 nameif FA
 security-level 0
 ip address 192.168.247.11 255.255.255.0

ciscoasa# sh run icmp
icmp unreachable rate-limit 1 burst-size 1
icmp permit any OA
icmp permit any FA

ciscoasa# sh run same
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface

NAT Configured

object network TCO
 host 192.168.247.15
 nat (FA,OA) static 192.168.94.16

ciscoasa# sh xlate
1 in use, 3 most used
Flags: D - DNS, e - extended, I - identity, i - dynamic, r - portmap,
       s - static, T - twice, N - net-to-net
NAT from FA:192.168.247.15 to OA:192.168.94.16
    flags s idle 0:21:53 timeout 0:00:00

ciscoasa# sh nat

Auto NAT Policies (Section 2)
1 (FA) to (OA) source static TCO 192.168.94.16
    translate_hits = 6, untranslate_hits = 358
-----------------------------------------------------------------


4 Replies

Hello,

The NAT configuration looks good actually.

Try and add 'inspect icmp' to the global policy:

policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp

Hello. I configured inspect icmp, but the problem is still there.

Hello,

Can the external IP address reach the internal web server through any other port, e.g. 80 or 443?

Thank you for your answers.

But the cause was elsewhere.

It was a matter of policy at the top of the Internet firewall.

I couldn't figure it out easily because that firewall isn't my jurisdiction.
