08-19-2016 09:51 AM - edited 03-08-2019 07:04 AM
Hello all,
I have configured the following for any traffic going from inside the ASA to the outside:
object network INTERNAL-NETWORK
subnet 10.30.0.0 255.255.0.0
object network INTERNAL-NETWORK
nat (inside,outside) dynamic interface
For some reason it does not appear to work. If I ping from host 10.30.11.4, it doesn't apply any NAT rules and just carries on with the private address.
Am I missing any configuration?
Appreciate any help.
Matt
08-19-2016 11:29 AM
Hi;
There is no issue with the NAT configuration; the issue might be a routing issue, the firewall policy or the interface configuration.
Can you share the firewall configuration if it's possible?
Thanks & Best regards;
08-19-2016 11:58 AM
Hello Ahmed,
Here is ASA config:
hostname xxxx
domain-name test
enable password 4IncP7vTjpaba2aF encrypted
names
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
ip address 10.1.1.2 255.255.255.248
!
interface Vlan2
nameif outside
security-level 0
ip address 170.25.1.1 255.255.255.252
!
object network INTERNAL-NETWORK
subnet 10.30.0.0 255.255.0.0
description "Internal network"
object network TEST
host 10.30.11.4
!
route inside 10.30.11.0 255.255.255.0 10.30.11.1 1
route inside 10.30.12.0 255.255.255.0 10.30.12.1 1
route inside 10.30.13.0 255.255.255.0 10.30.13.1 1
route inside 10.30.111.0 255.255.255.0 10.30.111.1 1
route inside 10.30.112.0 255.255.255.0 10.30.112.1 1
route inside 10.30.113.0 255.255.255.0 10.30.113.1 1
route inside 10.30.99.0 255.255.255.0 10.30.99.1 1
route inside 10.30.100.0 255.255.255.0 10.30.100.1 1
route inside 10.30.200.0 255.255.255.0 10.30.200.1 1
route inside 10.30.210.0 255.255.255.0 10.30.210.1 1
route inside 10.30.220.0 255.255.255.0 10.30.220.1 1
route outside 0.0.0.0 0.0.0.0 170.25.1.2 1
!
access-list IN-BASIC-PERMIT extended permit icmp any any echo-reply
!
!
access-group IN-BASIC-PERMIT in interface outside
object network INTERNAL-NETWORK
nat (inside,outside) dynamic interface
object network TEST
nat (inside,outside) dynamic interface
!
aaa authentication ssh console LOCAL
!
!
username admin password 4IncP7vTjpaba2aF encrypted
!
!
!
!
telnet timeout 5
ssh 10.30.0.0 255.255.0.0 inside
ssh 10.30.12.0 255.255.255.0 inside
ssh timeout 10
!
dhcpd auto_config outside
!
!
!
!
!
!
SWA-ASA-1#
08-19-2016 12:06 PM
Hi;
The issue I found in the firewall is due to the configured routes. Take an example:
route inside 10.30.11.0 255.255.255.0 10.30.11.1 1 (10.30.11.1 is the wrong gateway configured on the firewall)
It should be: route inside 10.30.11.0 255.255.255.0 10.1.1.X (where X is the IP address of the device which has the routes to the 10.30.X.X networks).
Please remove all the routes to the 10.30.X.X networks and re-add them with the proper gateway 10.1.1.X.
Thanks & Best regards;
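The check Ahmed applied by eye above (a static route's next hop must sit on the subnet of the interface the route points out of; the ASA's inside interface is 10.1.1.2/29, so a next hop of 10.30.11.1 can never be resolved) can be automated. The script below is an added example and is not part of the thread; the SAMPLE_CONFIG string is constructed from the posted configuration, with one route corrected so the output shows both a good and a bad entry. The function names are this example's own.

```python
"""Flag ASA static routes whose next hop is not on the egress interface's subnet.

Added example, not from the thread. SAMPLE_CONFIG is constructed from the
configuration posted above (one route rewritten with the corrected gateway).
"""
import ipaddress

SAMPLE_CONFIG = """\
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.1.1.2 255.255.255.248
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 170.25.1.1 255.255.255.252
!
route inside 10.30.11.0 255.255.255.0 10.30.11.1 1
route inside 10.30.12.0 255.255.255.0 10.1.1.1 1
route outside 0.0.0.0 0.0.0.0 170.25.1.2 1
"""


def parse_interfaces(config):
    """Map each nameif to its ip_interface (address plus connected subnet)."""
    ifaces = {}
    name = addr = None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface ") or line == "!":
            # end of an interface stanza: record it if it had both a name and an address
            if name and addr:
                ifaces[name] = addr
            name = addr = None
        elif line.startswith("nameif "):
            name = line.split()[1]
        elif line.startswith("ip address "):
            ip, mask = line.split()[2:4]
            addr = ipaddress.ip_interface(f"{ip}/{mask}")
    if name and addr:
        ifaces[name] = addr
    return ifaces


def parse_routes(config):
    """Yield (ifname, destination network, gateway) for every 'route' line."""
    routes = []
    for raw in config.splitlines():
        parts = raw.split()
        if len(parts) >= 5 and parts[0] == "route":
            ifname, net, mask, gw = parts[1:5]
            routes.append((ifname,
                           ipaddress.ip_network(f"{net}/{mask}", strict=False),
                           ipaddress.ip_address(gw)))
    return routes


def find_unreachable_next_hops(config):
    """Return (route description, reason) for each route the ASA cannot resolve.

    A next hop is only usable if it lies inside the subnet configured on the
    interface named in the route; otherwise the ASA has no way to ARP for it.
    """
    ifaces = parse_interfaces(config)
    problems = []
    for ifname, net, gw in parse_routes(config):
        desc = f"route {ifname} {net} via {gw}"
        iface = ifaces.get(ifname)
        if iface is None:
            problems.append((desc, f"no interface named {ifname}"))
        elif gw == iface.ip:
            problems.append((desc, f"next hop {gw} is the ASA's own {ifname} address"))
        elif gw not in iface.network:
            problems.append((desc, f"next hop {gw} is not in {iface.network} on {ifname}"))
    return problems


if __name__ == "__main__":
    for desc, why in find_unreachable_next_hops(SAMPLE_CONFIG):
        print(f"{desc}: {why}")
```

Run against a full `show running-config`, this prints only the routes that need the 10.1.1.X gateway Ahmed describes; a clean run prints nothing.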
08-20-2016 01:13 AM
Hi Ahmed,
I have amended the routes as suggested.
However, I still can't get an outbound ping to follow the NAT rule.
On a trace it states that it does not match any NAT rules and just passes the packet with the private IP address.
I have even just tried applying NAT to the single host that is generating the ICMP request and it still doesn't work.
Thanks
Matt
08-20-2016 03:53 AM
Hi Matt;
Can you share the output of packet tracer?
packet-tracer input inside tcp 10.30.11.X 80 8.8.8.8 80
Thanks & Best regards;
08-20-2016 05:51 AM
Hi Ahmed,
Unfortunately I am simulating this setup in Cisco Packet Tracer which doesn't have that command available.
Matt