Welcome to the Cisco Small Business Community


I came into my job a while ago and somebody had been messing around in this ASA and they were using a different firewall for their PAT. I want to use my ASA (shouldn't need to explain why on this forum).

As far as I can tell, traffic is clearing the access lists and being passed out the interface, but the NAT isn't happening.

Here's what I mean, this was captured from the public interface showing the original source address:

1: 21:41:38.009154 > icmp: echo request

the same sort of thing happens when I try a source address that should trigger the PAT.

Can somebody please help me see what I'm missing in this config; I'm going insane.

ASA Version 7.0(6)
hostname cs-ais-asa
interface Ethernet0/0
nameif PUBLIC
security-level 0
ip address yyy.yyy.yyy.yyy
interface Ethernet0/1
nameif LAN
security-level 100
ip address
interface Ethernet0/2
description SIP INT
nameif DMZ_SIP
security-level 50
no ip address
interface Management0/0
nameif management
security-level 100
no ip address
passwd eKmqHO4KGDP8LA6F encrypted
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
access-list LAN_nat0_inbound extended permit ip
access-list LAN_nat0_inbound extended permit ip any any
access-list LAN_nat0_inbound extended permit ip
access-list LAN_nat0_inbound extended permit ip
access-list PUBLIC_access_in extended permit tcp any any
access-list split standard permit
access-list split standard permit
access-list split standard permit
access-list split standard permit
access-list split standard permit
access-list split standard permit
access-list split remark Vlan 10
access-list split standard permit
access-list Firewall extended permit ip any any
access-list PUBLIC_access_in_V1 extended permit icmp any host log
access-list PUBLIC_cryptomap_20 remark Convergence Office
access-list PUBLIC_cryptomap_20 extended permit ip
access-list capture extended permit icmp any any
access-list icmp_capture extended permit icmp any any
pager lines 24
logging enable
logging buffered debugging
logging asdm informational
mtu PUBLIC 1500
mtu LAN 1500
mtu DMZ_SIP 1500
mtu management 1500
ip local pool ASAPOOL2 mask
ip local pool ASAPOOL1 mask
icmp permit any PUBLIC
icmp permit any LAN
asdm image disk0:/asdm506.bin
no asdm history enable
arp timeout 14400
global (PUBLIC) 10 interface
nat (LAN) 0 access-list LAN_nat0_inbound
nat (LAN) 10
nat (LAN) 10
static (LAN,PUBLIC) netmask
access-group PUBLIC_access_in_V1 in interface PUBLIC
route PUBLIC 1
route LAN 1
route LAN 1
route LAN 1
route LAN 1
route LAN 1
route LAN 1
route LAN 1
route LAN 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
url-list Mitel "200icp ssl"
url-list Mitel "3300icp ssl"
url-list Mitel "3300Mxe"
group-policy DfltGrpPolicy attributes
banner none
wins-server none
dns-server none
dhcp-network-scope none
vpn-access-hours none
vpn-simultaneous-logins 3
vpn-idle-timeout 30
vpn-session-timeout none
vpn-filter none
vpn-tunnel-protocol IPSec webvpn
password-storage disable
ip-comp disable
re-xauth disable
group-lock none
pfs disable
ipsec-udp disable
ipsec-udp-port 10000
split-tunnel-policy tunnelall
split-tunnel-network-list none
default-domain none
split-dns none
secure-unit-authentication disable
user-authentication disable
user-authentication-idle-timeout 30
ip-phone-bypass disable
leap-bypass disable
nem disable
backup-servers keep-client-config
client-firewall none
client-access-rule none
  functions url-entry file-access file-entry file-browsing mapi port-forward filter http-proxy
  port-forward-name value Application Access
group-policy convergencesys internal
group-policy convergencesys attributes
split-tunnel-policy tunnelspecified
split-tunnel-network-list value split
http server enable
http LAN
http LAN
http LAN
http LAN
snmp-server host LAN community public udp-port 161
snmp-server location AIS datacenter
no snmp-server contact
snmp-server community public
snmp-server enable traps snmp authentication linkup linkdown coldstart
sysopt connection tcpmss 1300
ssh timeout 5
ssh version 2
console timeout 4
management-access LAN
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
service-policy global_policy global
enable PUBLIC
logo file disk0:/signature.jpg
authorization-server-group LOCAL
default-group-policy convergencesys
authentication aaa certificate
: end


I didn't spend too much time looking at this, but one thing sticks out at first glance. You have a permit any any line in your nat0 ACL. This line says: "do not nat packets from any source address to any destination address". It could be overriding your nat10 statement. I would remove that line and try again.
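The NAT order of operations the reply above relies on, as an added Python simulation that is not part of the thread and is not Cisco's code: on ASA 7.x the `nat 0 access-list` exemption is evaluated before static and dynamic NAT, so a `permit ip any any` ACE in that list exempts every packet and the `nat (LAN) 10` / `global (PUBLIC) 10 interface` pair is never reached, which is exactly the untranslated source address the capture shows. The inside network, the VPN peer network, the PUBLIC interface address and the static mapping below are constructed assumptions, since the poster's config has its addresses removed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Tuple

ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass
class Ace:
    """One extended ACE: 'permit <proto> <src-net> <dst-net>' (permit ACEs only)."""
    proto: str                   # "ip" matches every protocol, otherwise exact match
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network

    def matches(self, proto: str, src: ipaddress.IPv4Address, dst: ipaddress.IPv4Address) -> bool:
        return self.proto in ("ip", proto) and src in self.src and dst in self.dst


@dataclass
class AsaNat:
    nat0_acl: List[Ace]                               # nat (LAN) 0 access-list <acl>
    statics: Dict[str, str]                           # static (LAN,PUBLIC) <mapped> <real>
    dynamic: List[Tuple[int, ipaddress.IPv4Network]]  # nat (LAN) <id> <real-net>
    globals_: Dict[int, str]                          # global (PUBLIC) <id> interface|<pool>

    def translate(self, proto: str, src_ip: str, dst_ip: str) -> Tuple[str, str]:
        """Return (source address on PUBLIC, rule that decided it).

        Evaluation order for outbound traffic on ASA 7.x:
          1. NAT exemption (nat 0 access-list): first matching permit ACE wins,
             the packet leaves with its real source address.
          2. Static NAT.
          3. Dynamic NAT/PAT: nat <id> on the real source paired with global <id>.
        If nothing matches and nat-control is disabled (the 7.x default on a
        fresh config), the packet is forwarded untranslated.
        """
        src = ipaddress.ip_address(src_ip)
        dst = ipaddress.ip_address(dst_ip)
        for ace in self.nat0_acl:
            if ace.matches(proto, src, dst):
                return src_ip, "exempt: nat 0 access-list"
        if src_ip in self.statics:
            return self.statics[src_ip], "static (LAN,PUBLIC)"
        for nat_id, net in self.dynamic:
            if src in net and nat_id in self.globals_:
                return self.globals_[nat_id], f"PAT: nat {nat_id} -> global {nat_id}"
        return src_ip, "no rule matched (untranslated, nat-control disabled)"


def build_asa(exempt_any_any: bool) -> AsaNat:
    """Constructed config modelled on the thread's nat0 / nat 10 / global 10 layout."""
    lan = ipaddress.ip_network("10.1.0.0/16")            # assumed inside network
    remote_office = ipaddress.ip_network("10.2.0.0/16")  # assumed VPN peer network
    nat0 = [Ace("ip", lan, remote_office)]               # legitimate exemption for the tunnel
    if exempt_any_any:
        nat0.append(Ace("ip", ANY, ANY))                 # the offending 'permit ip any any'
    return AsaNat(
        nat0_acl=nat0,
        statics={"10.1.0.25": "203.0.113.25"},           # assumed static for one server
        dynamic=[(10, lan)],                             # nat (LAN) 10 10.1.0.0 255.255.0.0
        globals_={10: "203.0.113.1"},                    # global (PUBLIC) 10 interface (assumed)
    )


def outbound_source(exempt_any_any: bool, src: str = "10.1.0.50",
                    dst: str = "198.51.100.10") -> Tuple[str, str]:
    """Source address an outbound ICMP echo request carries on the PUBLIC interface."""
    return build_asa(exempt_any_any).translate("icmp", src, dst)


if __name__ == "__main__":
    for flag in (True, False):
        print(f"nat0 'permit ip any any' present={flag}:")
        for host, dest in (("10.1.0.50", "198.51.100.10"),   # internet-bound
                           ("10.1.0.25", "198.51.100.10"),   # host with a static
                           ("10.1.0.50", "10.2.0.7")):       # VPN-bound, must stay exempt
            addr, why = outbound_source(flag, host, dest)
            print(f"  {host} -> {dest}: leaves as {addr}  [{why}]")
```

Running it shows the symptom and the fix side by side: with the `any any` ACE present, every host, including the one that has a static, leaves with its real address; with the ACE removed, internet-bound traffic is PAT'd to the interface address while traffic to the VPN peer network is still exempted by the specific ACE, which is the behaviour the nat0 list is actually there for.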

Thanks, I'll try playing with the NAT0 and see what happens!