
ASA 5505 - NAT inside to outside not working

matthew.norman
Beginner

Hello all,

I have configured the following for any traffic going from inside the ASA to the outside:

object network INTERNAL-NETWORK
 subnet 10.30.0.0 255.255.0.0
object network INTERNAL-NETWORK
 nat (inside,outside) dynamic interface

For some reason it does not appear to work. If I ping from host 10.30.11.4 it doesn't apply any NAT rules and just carries on with the private address.

Am I missing any configuration?

Appreciate any help.

Matt

6 Replies

ahmedshoaib
Enthusiast

Hi;

There is no issue with the NAT configuration; the issue might be a routing issue, firewall policy or interface configuration.

Can you share the firewall configuration if it's possible?

Thanks & Best regards;

Hello Ahmed,

Here is ASA config:

hostname xxxx
domain-name test
enable password 4IncP7vTjpaba2aF encrypted
names
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.1.1.2 255.255.255.248
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 170.25.1.1 255.255.255.252
!
object network INTERNAL-NETWORK
 subnet 10.30.0.0 255.255.0.0
 description "Internal network"
object network TEST
 host 10.30.11.4
!
route inside 10.30.11.0 255.255.255.0 10.30.11.1 1
route inside 10.30.12.0 255.255.255.0 10.30.12.1 1
route inside 10.30.13.0 255.255.255.0 10.30.13.1 1
route inside 10.30.111.0 255.255.255.0 10.30.111.1 1
route inside 10.30.112.0 255.255.255.0 10.30.112.1 1
route inside 10.30.113.0 255.255.255.0 10.30.113.1 1
route inside 10.30.99.0 255.255.255.0 10.30.99.1 1
route inside 10.30.100.0 255.255.255.0 10.30.100.1 1
route inside 10.30.200.0 255.255.255.0 10.30.200.1 1
route inside 10.30.210.0 255.255.255.0 10.30.210.1 1
route inside 10.30.220.0 255.255.255.0 10.30.220.1 1
route outside 0.0.0.0 0.0.0.0 170.25.1.2 1
!
access-list IN-BASIC-PERMIT extended permit icmp any any echo-reply
!
!
access-group IN-BASIC-PERMIT in interface outside
object network INTERNAL-NETWORK
 nat (inside,outside) dynamic interface
object network TEST
 nat (inside,outside) dynamic interface
!
aaa authentication ssh console LOCAL
!
!
username admin password 4IncP7vTjpaba2aF encrypted
!
!
!
!
telnet timeout 5
ssh 10.30.0.0 255.255.0.0 inside
ssh 10.30.12.0 255.255.255.0 inside
ssh timeout 10
!
dhcpd auto_config outside
!
!
!
!
!
!
SWA-ASA-1#

Hi;

The issue which I found in the firewall is due to the configured routes. Take an example:

route inside 10.30.11.0 255.255.255.0 10.30.11.1 1 (10.30.11.1 is the wrong gateway configured on the firewall)

It should be: route inside 10.30.11.0 255.255.255.0 10.1.1.X (where X is the IP address of the device which has the routes to the 10.30.X.X network).

Please remove all the routes for the 10.30.X.X network and re-add the routes with the proper gateway 10.1.1.X.

Thanks & Best regards;

Hi Ahmed,

I have amended the routes as suggested.

I still however can't get an outbound ping to follow the NAT rule.

On a trace it states that it does not match any NAT rules and just passes the packet with the private IP address.

I have even just tried applying NAT to the single host that is generating the ICMP request and it still doesn't work.

Thanks

Matt

Hi Matt;

Can you share the output of packet tracer?

packet-tracer input inside tcp 10.30.11.X 80 8.8.8.8 80

Thanks & Best regards;

Hi Ahmed,

Unfortunately I am simulating this setup in Cisco Packet Tracer which doesn't have that command available.

Matt
