ASA 5505 - NAT inside to outside not working

matthew.norman · ‎08-19-2016

Hello all,

I have configured the following for any traffic going from inside the ASA to the outside:

object network INTERNAL-NETWORK

subnet 10.30.0.0 255.255.0.0

object network INTERNAL-NETWORK

nat (inside,outside) dynamic interface

For some reason it does not appear to work. If I ping from host 10.30.11.4 it doesn't apply any NAT rules and just carries on with the private address.

Am I missing any configuration?

Appreciate any help.

Matt

ahmedshoaib · ‎08-19-2016

Hi;

There is no issue with reference to Nat configuration, the issue might be routing issue, firewall policy or interface configuration.

Can you share the firewall configuration if its possible?

Thanks & Best regards;

matthew.norman · ‎08-19-2016

Hello Ahmed,

Here is ASA config:

hostname xxxx

domain-name test

enable password 4IncP7vTjpaba2aF encrypted

names

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

!

interface Vlan1

nameif inside

security-level 100

ip address 10.1.1.2 255.255.255.248

!

interface Vlan2

nameif outside

security-level 0

ip address 170.25.1.1 255.255.255.252

!

object network INTERNAL-NETWORK

subnet 10.30.0.0 255.255.0.0

description "Internal network"

object network TEST

host 10.30.11.4

!

route inside 10.30.11.0 255.255.255.0 10.30.11.1 1

route inside 10.30.12.0 255.255.255.0 10.30.12.1 1

route inside 10.30.13.0 255.255.255.0 10.30.13.1 1

route inside 10.30.111.0 255.255.255.0 10.30.111.1 1

route inside 10.30.112.0 255.255.255.0 10.30.112.1 1

route inside 10.30.113.0 255.255.255.0 10.30.113.1 1

route inside 10.30.99.0 255.255.255.0 10.30.99.1 1

route inside 10.30.100.0 255.255.255.0 10.30.100.1 1

route inside 10.30.200.0 255.255.255.0 10.30.200.1 1

route inside 10.30.210.0 255.255.255.0 10.30.210.1 1

route inside 10.30.220.0 255.255.255.0 10.30.220.1 1

route outside 0.0.0.0 0.0.0.0 170.25.1.2 1

!

access-list IN-BASIC-PERMIT extended permit icmp any any echo-reply

!

access-group IN-BASIC-PERMIT in interface outside

object network INTERNAL-NETWORK

nat (inside,outside) dynamic interface

object network TEST

nat (inside,outside) dynamic interface

!

aaa authentication ssh console LOCAL

!

username admin password 4IncP7vTjpaba2aF encrypted

!

telnet timeout 5

ssh 10.30.0.0 255.255.0.0 inside

ssh 10.30.12.0 255.255.255.0 inside

ssh timeout 10

!

dhcpd auto_config outside

!

SWA-ASA-1#

ahmedshoaib · ‎08-19-2016

Hi;

The issue which I found in firewall is due to configure route. Take a example

route inside 10.30.11.0 255.255.255.0 10.30.11.1 1 (10.30.11.1 is the wrong gateway configure on firewall)

It should be - route inside 10.30.11.0 255.255.255.0 10.1.1.X (where X is the IP address of the device which have the routes of 10.30.X.X network.

Please remove all the route 10.30.X.X network and re-add the route with proper gateway 10.1.1.X.

Thanks & Best regards;

matthew.norman · ‎08-20-2016

Hi Ahmed,

I have amended the routes as suggested.

I still however can't get an outbound ping to follow the NAT rule.

On a trace it states that it does not match any NAT rules and just passes the packet with the private IP address.

I have even just tried applying NAT to the single host that is generating the ICMP request and it still doesn't work.

Thanks

Matt

ahmedshoaib · ‎08-20-2016

Hi Matt;

Can you share the output of packet tracer?

packet-tracer input inside tcp 10.30.11.X 80 8.8.8.8 80

Thanks & Best regards;

matthew.norman · ‎08-20-2016

Hi Ahmed,

Unfortunately I am simulating this setup in Cisco Packet Tracer which doesn't have that command available.

Matt