08-19-2016 09:51 AM - edited 03-08-2019 07:04 AM
Hello all,
I have configured the following for any traffic going from inside the ASA to the outside:
object network INTERNAL-NETWORK
subnet 10.30.0.0 255.255.0.0
object network INTERNAL-NETWORK
nat (inside,outside) dynamic interface
For some reason it does not appear to work. If I ping from host 10.30.11.4 it doesn't apply any NAT rules and just carries on with the private address.
Am I missing any configuration?
Appreciate any help.
Matt
08-19-2016 11:29 AM
Hi;
There is no issue with reference to the NAT configuration; the issue might be a routing issue, firewall policy or interface configuration.
Can you share the firewall configuration if it's possible?
Thanks & Best regards;
08-19-2016 11:58 AM
Hello Ahmed,
Here is the ASA config:
hostname xxxx
domain-name test
enable password 4IncP7vTjpaba2aF encrypted
names
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
ip address 10.1.1.2 255.255.255.248
!
interface Vlan2
nameif outside
security-level 0
ip address 170.25.1.1 255.255.255.252
!
object network INTERNAL-NETWORK
subnet 10.30.0.0 255.255.0.0
description "Internal network"
object network TEST
host 10.30.11.4
!
route inside 10.30.11.0 255.255.255.0 10.30.11.1 1
route inside 10.30.12.0 255.255.255.0 10.30.12.1 1
route inside 10.30.13.0 255.255.255.0 10.30.13.1 1
route inside 10.30.111.0 255.255.255.0 10.30.111.1 1
route inside 10.30.112.0 255.255.255.0 10.30.112.1 1
route inside 10.30.113.0 255.255.255.0 10.30.113.1 1
route inside 10.30.99.0 255.255.255.0 10.30.99.1 1
route inside 10.30.100.0 255.255.255.0 10.30.100.1 1
route inside 10.30.200.0 255.255.255.0 10.30.200.1 1
route inside 10.30.210.0 255.255.255.0 10.30.210.1 1
route inside 10.30.220.0 255.255.255.0 10.30.220.1 1
route outside 0.0.0.0 0.0.0.0 170.25.1.2 1
!
access-list IN-BASIC-PERMIT extended permit icmp any any echo-reply
!
!
access-group IN-BASIC-PERMIT in interface outside
object network INTERNAL-NETWORK
nat (inside,outside) dynamic interface
object network TEST
nat (inside,outside) dynamic interface
!
aaa authentication ssh console LOCAL
!
!
username admin password 4IncP7vTjpaba2aF encrypted
!
!
!
!
telnet timeout 5
ssh 10.30.0.0 255.255.0.0 inside
ssh 10.30.12.0 255.255.255.0 inside
ssh timeout 10
!
dhcpd auto_config outside
!
!
!
!
!
!
SWA-ASA-1#
08-19-2016 12:06 PM
Hi;
The issue which I found in the firewall is due to the configured routes. Take an example:
route inside 10.30.11.0 255.255.255.0 10.30.11.1 1 (10.30.11.1 is the wrong gateway configured on the firewall)
It should be - route inside 10.30.11.0 255.255.255.0 10.1.1.X (where X is the IP address of the device which has the routes for the 10.30.X.X networks).
Please remove all the routes for the 10.30.X.X networks and re-add the routes with the proper gateway 10.1.1.X.
Thanks & Best regards;
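The check Ahmed applied by eye (a static route's next hop must sit on the subnet of the interface the route points out of, here 10.1.1.0/29 on inside) and the question of which object NAT rules actually cover a given host can both be scripted. The following is an added example, not code from the thread or from Cisco; it parses a trimmed, constructed copy of the posted config with Python's standard ipaddress module and assumes the indented block layout the ASA prints in show running-config.

```python
"""Sanity-check ASA static routes and object NAT coverage from a config dump.

Added example (not from the thread). SAMPLE_CONFIG is a constructed,
trimmed copy of the config posted above, in the indented form an ASA prints.
"""
import ipaddress
import re

SAMPLE_CONFIG = """\
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.1.1.2 255.255.255.248
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 170.25.1.1 255.255.255.252
!
object network INTERNAL-NETWORK
 subnet 10.30.0.0 255.255.0.0
object network TEST
 host 10.30.11.4
!
route inside 10.30.11.0 255.255.255.0 10.30.11.1 1
route inside 10.30.12.0 255.255.255.0 10.30.12.1 1
route outside 0.0.0.0 0.0.0.0 170.25.1.2 1
!
object network INTERNAL-NETWORK
 nat (inside,outside) dynamic interface
object network TEST
 nat (inside,outside) dynamic interface
"""


def parse_interfaces(config):
    """Return {nameif: IPv4Interface} for every interface block with an IP."""
    ifaces = {}
    nameif = None
    for line in config.splitlines():
        s = line.strip()
        if s.startswith("interface "):
            nameif = None                      # new block, nameif not yet seen
        elif s.startswith("nameif "):
            nameif = s.split()[1]
        elif s.startswith("ip address ") and nameif:
            _, _, ip, mask = s.split()
            ifaces[nameif] = ipaddress.IPv4Interface(f"{ip}/{mask}")
    return ifaces


def parse_routes(config):
    """Return (nameif, destination network, next hop) for each 'route' line."""
    routes = []
    for line in config.splitlines():
        m = re.match(r"\s*route (\S+) (\S+) (\S+) (\S+)", line)
        if m:
            nameif, net, mask, nh = m.groups()
            routes.append((nameif, ipaddress.IPv4Network(f"{net}/{mask}"),
                           ipaddress.IPv4Address(nh)))
    return routes


def bad_routes(config):
    """Flag routes whose next hop is not on the egress interface's own subnet.

    Such a next hop is unreachable without recursion, which is exactly what the
    10.30.X.1 gateways on the inside interface (10.1.1.0/29) were.
    """
    ifaces = parse_interfaces(config)
    problems = []
    for nameif, net, nh in parse_routes(config):
        iface = ifaces.get(nameif)
        if iface is None:
            problems.append((str(net), str(nh), f"unknown interface {nameif}"))
        elif nh not in iface.network:
            problems.append((str(net), str(nh),
                             f"next hop not in {iface.network} on {nameif}"))
    return problems


def parse_nat_objects(config):
    """Merge the two 'object network' blocks (definition and NAT) per name."""
    objs = {}
    name = None
    for line in config.splitlines():
        s = line.strip()
        if s.startswith("object network "):
            name = s.split()[2]
            objs.setdefault(name, {"net": None, "nat": False})
        elif not line.startswith(" "):
            name = None                        # any other top-level line ends the block
        elif name and s.startswith("subnet "):
            _, ip, mask = s.split()
            objs[name]["net"] = ipaddress.IPv4Network(f"{ip}/{mask}")
        elif name and s.startswith("host "):
            objs[name]["net"] = ipaddress.IPv4Network(s.split()[1] + "/32")
        elif name and s.startswith("nat "):
            objs[name]["nat"] = True
    return objs


def nat_objects_for(config, host):
    """Names of NAT-bearing objects whose subnet/host contains the given address."""
    addr = ipaddress.IPv4Address(host)
    return sorted(n for n, o in parse_nat_objects(config).items()
                  if o["nat"] and o["net"] is not None and addr in o["net"])


if __name__ == "__main__":
    for net, nh, why in bad_routes(SAMPLE_CONFIG):
        print(f"route {net} via {nh}: {why}")
    print("NAT objects covering 10.30.11.4:", nat_objects_for(SAMPLE_CONFIG, "10.30.11.4"))
```

Run against the full posted config, bad_routes reports every one of the eleven inside routes, while the default route (next hop 170.25.1.2 on 170.25.1.0/30) passes; nat_objects_for confirms that both INTERNAL-NETWORK and TEST already matched the test host, which is why adding the per-host NAT changed nothing and the routing fix was the right place to look.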
08-20-2016 01:13 AM
Hi Ahmed,
I have amended the routes as suggested.
I still however can't get an outbound ping to follow the NAT rule.
On a trace it states that it does not match any NAT rules and just passes the packet with the private IP address.
I have even just tried applying NAT to the single host that is generating the ICMP request and it still doesn't work.
Thanks
Matt
08-20-2016 03:53 AM
Hi Matt;
Can you share the output of packet tracer?
packet-tracer input inside tcp 10.30.11.X 80 8.8.8.8 80
Thanks & Best regards;
08-20-2016 05:51 AM
Hi Ahmed,
Unfortunately I am simulating this setup in Cisco Packet Tracer which doesn't have that command available.
Matt