Setting up NAT on an ASA 5520

I am trying to get outgoing NAT working on an ASA 5520 with little success.

Test Host address: 10.200.100.36

Destination IP: 216.34.181.96

NAT rules:

# show running-config global
global (outside) 101 interface

# show running-config nat
nat (outside) 0 access-list inside_nat0_inbound
nat (outside) 101 10.213.204.0 255.255.255.0
nat (outside) 101 10.200.96.0 255.255.248.0
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 101 0.0.0.0 0.0.0.0

# show running-config access-list inside_nat0_inbound
access-list inside_nat0_inbound extended permit ip 10.213.204.0 255.255.255.0 object-group HqSubnetsShort
access-list inside_nat0_inbound extended permit ip 10.213.204.0 255.255.255.0 10.213.3.0 255.255.255.0
access-list inside_nat0_inbound extended permit ip 10.213.204.0 255.255.255.0 object-group DALLAS
access-list inside_nat0_inbound extended permit ip 10.213.204.0 255.255.255.0 10.213.204.0 255.255.255.0

When I try testing, traceroute (mtr) only goes as far as the router.

HOST: sazkerb01.lereta.net        Loss%   Snt   Last   Avg  Best  Wrst StDev
  1. 10.200.100.1                  0.0%    10    2.4   2.3   2.1   2.4   0.1
  2. ???                          100.0    10    0.0   0.0   0.0   0.0   0.0

Packet capture shows requests entering the inside interface but nothing leaving the outside interface.

The packet tracer tells me a NAT rule is dropping the packets.

Type - NAT Action - DROP

Config
nat (inside) 101 10.200.96.0 255.255.248.0
match ip inside 10.200.96.0 255.255.248.0 outside any
dynamic translation to pool 101 (8.29.20.18 [Interface PAT])
translate_hits = 3478, untranslate_hits = 5695

The only rules on the inside interface right now are the defaults:

1        any    Any less secure networks    ip    Permit        Default        [Implicit rule: Permit all traffic to less secure networks]
2        any    any    ip    Deny        Default        [Implicit rule]



4 Replies

Jon Marshall
Hall of Fame

nat (outside) 101 10.213.204.0 255.255.255.0
nat (outside) 101 10.200.96.0 255.255.248.0

What are the above statements meant to be doing?

Jon

I think they tell the ASA to NAT 10.213.204.0/24 and 10.200.96.0/21 using the address in the global statement.

I've since changed the configuration:

# show running-config nat
nat (outside) 0 access-list inside_nat0_inbound
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 101 10.200.96.0 255.255.248.0
nat (inside) 101 0.0.0.0 0.0.0.0

With the same results.

AFAIK the "nat (inside) 101 0.0.0.0 0.0.0.0" should take care of it, but it doesn't, so I must be overlooking something.

I think they tell the ASA to NAT 10.213.204.0/24 and 10.200.96.0/21 using the address in the global statement.

No they don't, because there is no matching global statement, i.e. you would need a global statement on another interface, not the outside interface, so they did need removing.

You should also remove -

nat (outside) 0 access-list inside_nat0_inbound

because NAT exemption is bi-directional and you have it setup for the inside interface.

So remove that and try again.

If the ASA is not in use currently, can you clear any existing NAT translations before you try again, then test and also run packet tracer to see what happens.

Jon
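As an added example (not code from the thread or from Cisco), a small Python check that applies the two points Jon makes to the pre-8.3 style nat/global lines quoted above: every non-zero nat ID needs a global with the same ID on a different interface, and nat 0 exemption is bidirectional so it belongs on one interface only. The sample config string is the poster's own nat/global output, copied in by hand.

```python
import re
from typing import List, Tuple

# Constructed sample: the poster's original nat/global lines from this thread.
ORIGINAL_CONFIG = """\
global (outside) 101 interface
nat (outside) 0 access-list inside_nat0_inbound
nat (outside) 101 10.213.204.0 255.255.255.0
nat (outside) 101 10.200.96.0 255.255.248.0
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 101 0.0.0.0 0.0.0.0
"""

# Constructed sample: what is left after following Jon's advice.
CORRECTED_CONFIG = """\
global (outside) 101 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 101 0.0.0.0 0.0.0.0
"""

NAT_RE = re.compile(r"^nat \((\S+)\) (\d+) (.*)$")
GLOBAL_RE = re.compile(r"^global \((\S+)\) (\d+) (.*)$")


def check_nat_pairs(config: str) -> List[str]:
    """Return findings for nat/global lines: unpaired nat IDs and duplicated exemption."""
    nats: List[Tuple[str, int, str]] = []
    globals_: List[Tuple[str, int]] = []
    for raw in config.splitlines():
        line = raw.strip()
        m = NAT_RE.match(line)
        if m:
            nats.append((m.group(1), int(m.group(2)), m.group(3)))
            continue
        m = GLOBAL_RE.match(line)
        if m:
            globals_.append((m.group(1), int(m.group(2))))
    findings: List[str] = []
    # nat 0 exemption applies in both directions; more than one interface is redundant.
    exempt_ifcs = sorted({ifc for ifc, nid, _ in nats if nid == 0})
    if len(exempt_ifcs) > 1:
        findings.append(f"nat 0 exemption on {exempt_ifcs}: exemption is bidirectional, keep one")
    # A nat ID only translates when a global with the same ID exists on another interface.
    for ifc, nid, rest in nats:
        if nid == 0:
            continue
        if not [g for g, gid in globals_ if gid == nid and g != ifc]:
            findings.append(f"nat ({ifc}) {nid} {rest}: no global {nid} on another interface")
    return findings
```

Running it on ORIGINAL_CONFIG flags both nat (outside) 101 lines and the duplicated exemption; CORRECTED_CONFIG produces no findings.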

OK, that worked. Thank you.