08-07-2015 12:13 PM - edited 03-11-2019 11:23 PM
I am trying to get outgoing NAT working on an ASA 5520 with little success.
Test Host address: 10.200.100.36
Destination IP: 216.34.181.96
NAT rules:
# show running-config global
global (outside) 101 interface
# show running-config nat
nat (outside) 0 access-list inside_nat0_inbound
nat (outside) 101 10.213.204.0 255.255.255.0
nat (outside) 101 10.200.96.0 255.255.248.0
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 101 0.0.0.0 0.0.0.0
# show running-config access-list inside_nat0_inbound
access-list inside_nat0_inbound extended permit ip 10.213.204.0 255.255.255.0 object-group HqSubnetsShort
access-list inside_nat0_inbound extended permit ip 10.213.204.0 255.255.255.0 10.213.3.0 255.255.255.0
access-list inside_nat0_inbound extended permit ip 10.213.204.0 255.255.255.0 object-group DALLAS
access-list inside_nat0_inbound extended permit ip 10.213.204.0 255.255.255.0 10.213.204.0 255.255.255.0
When I try testing, traceroute (mtr) only goes as far as the router:
HOST: sazkerb01.lereta.net Loss% Snt Last Avg Best Wrst StDev
1. 10.200.100.1 0.0% 10 2.4 2.3 2.1 2.4 0.1
2. ??? 100.0 10 0.0 0.0 0.0 0.0 0.0
Packet capture shows requests entering the inside interface but nothing leaving the outside interface.
The packet tracer tells me a NAT rule is dropping the packets.
Type - NAT Action - DROP
Config
nat (inside) 101 10.200.96.0 255.255.248.0
match ip inside 10.200.96.0 255.255.248.0 outside any
dynamic translation to pool 101 (8.29.20.18 [Interface PAT])
translate_hits = 3478, untranslate_hits = 5695
The only rules on the inside interface right now are the defaults
1 any Any less secure networks ip Permit Default [Implicit rule: Permit all traffic to less secure networks]
2 any any ip Deny Default [Implicit rule]
08-07-2015 12:43 PM
nat (outside) 101 10.213.204.0 255.255.255.0
nat (outside) 101 10.200.96.0 255.255.248.0
What are the above statements meant to be doing?
Jon
08-07-2015 01:08 PM
I think they tell the ASA to NAT 10.213.204.0/24 and 10.200.96.0/21 using the address in the global statement.
I've since changed the configuration:
# show running-config nat
nat (outside) 0 access-list inside_nat0_inbound
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 101 10.200.96.0 255.255.248.0
nat (inside) 101 0.0.0.0 0.0.0.0
With the same results.
AFAIK the "nat (inside) 101 0.0.0.0 0.0.0.0" should take care of it but it doesn't so I must be overlooking something.
08-07-2015 01:15 PM
I think they tell the ASA to NAT 10.213.204.0/24 and 10.200.96.0/21 using the address in the global statement.
No, they don't, because there is no matching global statement, i.e. you would need a global statement on another interface, not the outside interface, so they did need removing.
You should also remove -
nat (outside) 0 access-list inside_nat0_inbound
because NAT exemption is bi-directional and you have it setup for the inside interface.
So remove that and try again.
If the ASA is not in use currently, can you clear any existing NAT translations before you try again, and then test and also run packet tracer to see what happens.
Jon
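To make the two points in Jon's answer concrete, here is a small Python model of the pre-8.3 nat/global lookup. It is an added example written for this thread, not code from the posters or from Cisco, and it models only what the thread states: nat 0 exemption is evaluated first and applies in both directions, a nat statement pairs with the global that carries the same id on the egress interface, and a matched nat id with no such global gives packet tracer's DROP. Two assumptions are mine: when several nat statements on the ingress interface cover the source, the most specific one is taken (consistent with the packet tracer output above), and the object-group entries of inside_nat0_inbound are left out because their contents are not shown. The class and function names are constructed.

```python
"""Toy model of pre-8.3 ASA dynamic NAT lookup (nat/global syntax).

Constructed for this thread; not Cisco code. It models only the behaviour
discussed above: nat-0 exemption first and bi-directional, nat id paired
with a global on the egress interface, DROP when no such global exists.
"""
import ipaddress

Net = ipaddress.ip_network


class AsaNat:
    def __init__(self):
        self.globals = {}      # (interface, nat_id) -> pool description
        self.nat_rules = []    # (interface, nat_id, source network)
        self.exemptions = []   # (interface, [(src_net, dst_net), ...])

    def add_global(self, ifc, nat_id, pool):
        """global (ifc) nat_id interface|<pool>"""
        self.globals[(ifc, nat_id)] = pool

    def add_nat(self, ifc, nat_id, net):
        """nat (ifc) nat_id <net> <mask>"""
        self.nat_rules.append((ifc, nat_id, Net(net)))

    def add_exemption(self, ifc, acl):
        """nat (ifc) 0 access-list <acl>, with the ACL given as (src, dst) pairs"""
        self.exemptions.append((ifc, [(Net(s), Net(d)) for s, d in acl]))

    def lookup(self, ingress, egress, src, dst):
        src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        # 1. NAT exemption wins over everything else and is bi-directional:
        #    an ACL bound to interface X matches X->Y traffic as written and
        #    Y->X traffic with source and destination swapped.
        for ifc, acl in self.exemptions:
            for s, d in acl:
                forward = ifc == ingress and src in s and dst in d
                reverse = ifc == egress and dst in s and src in d
                if forward or reverse:
                    return ("exempt", None)
        # 2. Regular nat: take the most specific nat statement on the ingress
        #    interface that covers the source (best-match is an assumption
        #    of this model, consistent with the packet tracer output).
        best = None
        for ifc, nat_id, net in self.nat_rules:
            if ifc == ingress and src in net:
                if best is None or net.prefixlen > best[1].prefixlen:
                    best = (nat_id, net)
        if best is None:
            # What happens next depends on nat-control, which is not modelled.
            return ("no-nat-rule", None)
        nat_id, net = best
        # 3. The nat id must pair with a global on the *egress* interface.
        pool = self.globals.get((egress, nat_id))
        if pool is None:
            return ("drop", f"nat ({ingress}) {nat_id} {net} has no global on {egress}")
        return ("translate", pool)


def original_config():
    """The configuration from the first post (object-group entries omitted)."""
    asa = AsaNat()
    asa.add_global("outside", 101, "interface PAT")
    asa.add_exemption("outside", [("10.213.204.0/24", "10.213.3.0/24"),
                                  ("10.213.204.0/24", "10.213.204.0/24")])
    asa.add_nat("outside", 101, "10.213.204.0/24")
    asa.add_nat("outside", 101, "10.200.96.0/21")
    asa.add_nat("inside", 101, "0.0.0.0/0")
    return asa


def corrected_config():
    """The configuration after Jon's suggested removals."""
    asa = AsaNat()
    asa.add_global("outside", 101, "interface PAT")
    asa.add_nat("inside", 101, "10.200.96.0/21")
    asa.add_nat("inside", 101, "0.0.0.0/0")
    return asa


if __name__ == "__main__":
    old, new = original_config(), corrected_config()
    # nat (outside) 101 with no global on the inside interface: DROP
    print(old.lookup("outside", "inside", "10.213.204.5", "10.200.100.36"))
    # the outside-bound nat 0 ACL also exempts the reverse direction
    print(old.lookup("inside", "outside", "10.213.3.7", "10.213.204.9"))
    # the test host from the thread, corrected config: interface PAT
    print(new.lookup("inside", "outside", "10.200.100.36", "216.34.181.96"))
```

Running it shows the mechanics behind the two suggestions: an outside-sourced packet from 10.213.204.0/24 matches nat (outside) 101 but finds no global (inside) 101 and is dropped, an inside-sourced packet to 10.213.204.0/24 from 10.213.3.0/24 is exempted by the ACL that was bound to the outside interface, and with the corrected config the test host is translated by the interface PAT on outside.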
08-07-2015 02:02 PM
OK, that worked. Thank you.