02-20-2008 02:43 PM - edited 03-03-2019 08:47 PM
Hi All,
I am trying to configure my second interface on my ASA device to reach the outside world.
From the machines I am able to ping the second interface on the ASA and vice versa, but the machines are not able to reach the outside world. I doubt my NAT configs and ACL.
Attached is my running config of the ASA device.
Any help on this would be of great help.
Thanks in advance,
sudar
02-20-2008 02:59 PM
Hi All,
Forgot to mention that 172.16.0.0 can't get to the outside world through the interface fg-idsys (second interface on ASA).
02-20-2008 06:30 PM
Hi sudar,
I note this:
global (fg-idsys) 1 interface
interface Ethernet0/3
nameif fg-idsys
security-level 70
ip address 192.168.70.254 255.255.255.0
Do you want to use a private address as a source address to access outside?
Regards,
dongdong
02-20-2008 07:46 PM
Hi Dongdong,
Thanks for your reply.
Actually I want to get outside using my outside interface,
meaning that the end systems have to come to fg-idsys (interface Ethernet0/3) and then go to the outside interface to reach the Internet.
interface Ethernet0/0
nameif outside
security-level 0
ip address 63.146.69.170 255.255.255.248
Thanks a lot, looking forward.
02-20-2008 09:02 PM
Hi sudar,
I know what you mean, but I could not find any configuration that relates fg-idsys (private address) with outside (public address).
Please use "show xlate" to see which address is NATed when the internal machine wants to access the Internet.
Regards,
dongdong
02-20-2008 09:27 PM
Thanks again.
I will try and let you know about it.
02-21-2008 11:15 AM
Here is my NAT output for that interface.
But still I couldn't see it in the xlate output for this IP address 172.16.1.0 255.255.255.0.
Fugen-FW# sh nat fg-idsys
==========================
match ip fg-idsys network161 255.255.255.0 outside any
dynamic translation to pool 1 (63.XXX.XX.XXX [Interface PAT])
translate_hits = 0, untranslate_hits = 0
match ip fg-idsys network161 255.255.255.0 fg-idsys any
dynamic translation to pool 1 (192.168.70.254 [Interface PAT])
translate_hits = 0, untranslate_hits = 0
match ip fg-idsys any outside any
no translation group, implicit deny
policy_hits = 0
Fugen-FW# sh xlate
21 in use, 205 most used
Global 63.146.XX.XXX Local 192.168.49.10
Global 63.146.XX.XXX Local 192.168.49.13
PAT Global 63.146.XX.XXX(273) Local 172.31.0.101(123)
PAT Global 63.146.XX.XXX(392) Local 172.31.0.150(123)
PAT Global 63.146.XX.XXX(32253) Local 192.168.48.139(1026)
PAT Global 63.146.XX.XXX(32208) Local 192.168.48.139(56162)
PAT Global 63.146.XX.XXX(13928) Local 192.168.48.139(4304)
PAT Global 63.146.XX.XXX(14126) Local 192.168.48.140(3211)
PAT Global 63.146.XX.XXX(14125) Local 192.168.48.140(3210)
PAT Global 63.146.XX.XXX(14124) Local 192.168.48.140(3209)
PAT Global 63.146.XX.XXX(14123) Local 192.168.48.140(3208)
PAT Global 63.146.XX.XXX(14122) Local 192.168.48.140(3207)
PAT Global 63.146.XX.XXX(14121) Local 192.168.48.140(3206)
PAT Global 63.146.XX.XXX(13994) Local 192.168.48.140(3160)
PAT Global 63.146.XX.XXX(13739) Local 192.168.48.140(2911)
PAT Global 63.146.XX.XXX(32187) Local 192.168.48.140(13258)
PAT Global 63.146.XX.XXX(13700) Local 192.168.48.140(2878)
PAT Global 63.146.XX.XXX(272) Local 192.168.48.1(137)
PAT Global 63.146.XX.XXX(14154) Local 192.168.48.147(61053)
PAT Global 63.146.XX.XXX(14153) Local 192.168.48.147(61052)
PAT Global 63.146.XX.XXX(18721) Local 192.168.48.103(10000)
What could be the reason? Is there anything else I am missing in the NAT config?
02-21-2008 11:35 AM
Hi,
I am also getting an error in the ASDM log:
No translation group found for icmp src fugen-dmz:172.16.1.253 dst outside:4.2.2.2 (type 8, code 0)
And also, what is the impact on these interfaces in regards to the security level?
02-21-2008 06:30 PM
Hi sudar,
No translation group found for icmp src fugen-dmz:172.16.1.253 dst outside:4.2.2.2 (type 8, code 0)
It seems like the ASA considers 172.16.1.0 to come from the fugen-dmz interface; if you do show nat fugen-dmz you may find some info.
Does 172.16.1.0 come from fg-idsys, "nat (fg-idsys) 1 network161 255.255.255.0",
or from fugen-dmz, "nat (fugen-dmz) 1 172.16.0.0 255.255.0.0"?
Interfaces fugen-dmz and fg-idsys both have private addresses and are not related with outside. I mean, remove global (fugen-dmz) 1 interface and global (fg-idsys) 1 interface, then try again.
Regards,
dongdong
02-21-2008 07:28 PM
Hi,
172.16.1.0 is named network161 and it comes from fg-idsys, and this fg-idsys has a higher security level than fugen-dmz.
When I decrease the security level of fg-idsys below that of fugen-dmz, the error changes to fg-idsys:
No translation group found for icmp src fg-idsys:172.16.1.253 dst outside:4.2.2.2 (type 8, code 0)
But from interface fugen-dmz the machines can get to the outside world. I replicated the same config to fg-idsys.
Soon I will post the NAT of fugen-dmz.
02-22-2008 09:54 AM
Hi,
Here is my NAT output of the fugen-dmz interface:
Fugen-FW# sh nat fugen-dmz
===========================
match ip fugen-dmz 192.168.49.0 255.255.255.0 outside 192.168.50.0 255.255.255.0
NAT exempt
translate_hits = 0, untranslate_hits = 0
match ip fugen-dmz 172.31.0.0 255.255.255.0 outside 192.168.50.0 255.255.255.0
NAT exempt
translate_hits = 11, untranslate_hits = 1277
match ip fugen-dmz any outside 10.100.100.0 255.255.255.0
NAT exempt
translate_hits = 0, untranslate_hits = 0
match ip fugen-dmz 192.168.49.0 255.255.255.0 fugen-dmz 192.168.50.0 255.255.255.0
NAT exempt
translate_hits = 0, untranslate_hits = 0
match ip fugen-dmz 172.31.0.0 255.255.255.0 fugen-dmz 192.168.50.0 255.255.255.0
NAT exempt
translate_hits = 0, untranslate_hits = 0
match ip fugen-dmz any fugen-dmz 10.100.100.0 255.255.255.0
NAT exempt
translate_hits = 0, untranslate_hits = 0
match ip fugen-dmz host 192.168.49.10 outside any
static translation to 63.XXX.XX.XXX
translate_hits = 478, untranslate_hits = 4044
match ip fugen-dmz host 192.168.49.13 outside any
static translation to 63.XXX.XX.XXX
translate_hits = 724, untranslate_hits = 4894
match ip fugen-dmz host 200.198.184.106 fugen-dmz any
alias translation to 192.168.101.155
translate_hits = 0, untranslate_hits = 0
match ip fugen-dmz 192.168.49.0 255.255.255.0 outside any
dynamic translation to pool 1 (63.XXX.XX.XXX[Interface PAT])
translate_hits = 242, untranslate_hits = 4
match ip fugen-dmz 192.168.49.0 255.255.255.0 fugen-dmz any
dynamic translation to pool 1 (192.168.254.254 [Interface PAT])
translate_hits = 0, untranslate_hits = 0
match ip fugen-dmz 172.31.0.0 255.255.0.0 outside any
dynamic translation to pool 1 (63.XXX.XX.XXX[Interface PAT])
translate_hits = 2098, untranslate_hits = 92
match ip fugen-dmz 172.31.0.0 255.255.0.0 fugen-dmz any
dynamic translation to pool 1 (192.168.254.254 [Interface PAT])
translate_hits = 0, untranslate_hits = 0
match ip fugen-dmz any outside any
no translation group, implicit deny
policy_hits = 82234
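The two "No translation group found" messages and the two show nat tables above are enough to replay the lookup the ASA performed. The following helper is an added example, not code from the thread or from Cisco: it parses the pre-8.3 style "show nat <interface>" output as posted, takes the source interface and addresses from the ASDM log line, and walks the rules of that interface in printed order to report which one the flow fell into. It assumes that printed order is the evaluation order (exempt, static, then dynamic, then the implicit deny), and it resolves the name network161 to 172.16.1.0 as the poster states. The sample inputs are copied from the posts above (the fugen-dmz table trimmed to the rules that matter) plus one constructed log line for a static-NAT host.

```python
"""Replay an ASA 'show nat <ifc>' lookup for a flow taken from a syslog line (added example)."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class NatRule:
    src_ifc: str
    src: ipaddress.IPv4Network
    dst_ifc: str
    dst: ipaddress.IPv4Network
    action: str   # the line printed under "match ip ...": exempt / static / dynamic / deny
    hits: int     # translate_hits or policy_hits, as printed


def _parse_spec(tokens: List[str], i: int, names: Dict[str, str]) -> Tuple[ipaddress.IPv4Network, int]:
    """Parse 'any' | 'host A' | 'A MASK' starting at tokens[i]; return (network, next index)."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.ip_network(f"{names.get(tokens[i + 1], tokens[i + 1])}/32"), i + 2
    addr = names.get(tok, tok)  # a bare name from the ASA 'name' command must be resolved first
    try:
        return ipaddress.ip_network(f"{addr}/{tokens[i + 1]}", strict=False), i + 2
    except ValueError as exc:
        raise ValueError(f"unresolved name or bad address in rule: {tok!r}") from exc


def parse_show_nat(text: str, names: Optional[Dict[str, str]] = None) -> List[NatRule]:
    """Turn 'show nat' output into rules, keeping the order the ASA printed them in."""
    names = names or {}
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    rules: List[NatRule] = []
    i = 0
    while i < len(lines):
        if not lines[i].startswith("match ip "):
            i += 1
            continue
        tokens = lines[i].split()[2:]           # drop "match ip"
        src, j = _parse_spec(tokens, 1, names)   # tokens[0] is the source interface
        dst, _ = _parse_spec(tokens, j + 1, names)
        m = re.search(r"(?:translate_hits|policy_hits) = (\d+)", lines[i + 2])
        rules.append(NatRule(tokens[0], src, tokens[j], dst, lines[i + 1], int(m.group(1)) if m else 0))
        i += 3                                   # match line, action line, hits line
    return rules


LOG_RE = re.compile(r"No translation group found for (\w+) src (\S+):(\S+) dst (\S+):(\S+)")


def parse_no_xlate_log(line: str) -> Tuple[str, ipaddress.IPv4Address, str, ipaddress.IPv4Address]:
    """Extract (src_ifc, src_ip, dst_ifc, dst_ip) from the 'No translation group found' message."""
    m = LOG_RE.search(line)
    if not m:
        raise ValueError(f"not a 'No translation group found' message: {line!r}")
    _proto, src_ifc, src_ip, dst_ifc, dst_ip = m.groups()
    return src_ifc, ipaddress.ip_address(src_ip), dst_ifc, ipaddress.ip_address(dst_ip)


def rule_for_log(line: str, show_nat: str, names: Optional[Dict[str, str]] = None) -> Optional[NatRule]:
    """First rule (in printed order, assumed to be evaluation order) that covers the logged flow."""
    src_ifc, src_ip, dst_ifc, dst_ip = parse_no_xlate_log(line)
    for r in parse_show_nat(show_nat, names):
        if r.src_ifc == src_ifc and r.dst_ifc == dst_ifc and src_ip in r.src and dst_ip in r.dst:
            return r
    return None


# Constructed inputs: copied from the thread (fugen-dmz table trimmed), name map per the poster.
NAMES = {"network161": "172.16.1.0"}
SH_NAT_FUGEN_DMZ = """
match ip fugen-dmz 192.168.49.0 255.255.255.0 outside 192.168.50.0 255.255.255.0
NAT exempt
translate_hits = 0, untranslate_hits = 0
match ip fugen-dmz any outside 10.100.100.0 255.255.255.0
NAT exempt
translate_hits = 0, untranslate_hits = 0
match ip fugen-dmz host 192.168.49.10 outside any
static translation to 63.XXX.XX.XXX
translate_hits = 478, untranslate_hits = 4044
match ip fugen-dmz 172.31.0.0 255.255.0.0 outside any
dynamic translation to pool 1 (63.XXX.XX.XXX[Interface PAT])
translate_hits = 2098, untranslate_hits = 92
match ip fugen-dmz any outside any
no translation group, implicit deny
policy_hits = 82234
"""
SH_NAT_FG_IDSYS = """
match ip fg-idsys network161 255.255.255.0 outside any
dynamic translation to pool 1 (63.XXX.XX.XXX [Interface PAT])
translate_hits = 0, untranslate_hits = 0
match ip fg-idsys any outside any
no translation group, implicit deny
policy_hits = 0
"""
LOG_DMZ = "No translation group found for icmp src fugen-dmz:172.16.1.253 dst outside:4.2.2.2 (type 8, code 0)"
LOG_IDSYS = "No translation group found for icmp src fg-idsys:172.16.1.253 dst outside:4.2.2.2 (type 8, code 0)"
LOG_STATIC = "No translation group found for tcp src fugen-dmz:192.168.49.10 dst outside:4.2.2.2"  # constructed

if __name__ == "__main__":
    for log, table in ((LOG_DMZ, SH_NAT_FUGEN_DMZ), (LOG_IDSYS, SH_NAT_FG_IDSYS), (LOG_STATIC, SH_NAT_FUGEN_DMZ)):
        r = rule_for_log(log, table, NAMES)
        print(f"{log[:60]}... -> {r.src} to {r.dst}: {r.action} (hits {r.hits})" if r else "no rule")
```

Run against the first log line, the walk lands 172.16.1.253 on the fugen-dmz table's final "any outside any" rule, the implicit deny whose policy_hits counter is the one climbing (82234), which is exactly what the message says. Run against the second log line with the name resolved as the poster describes, the same walk lands on the network161 dynamic rule, yet that rule's translate_hits stayed at 0 and the box still logged no translation group. That gap between what the printed table says should match and what the firewall actually applied is the thing to chase on the device itself (the name resolution and the interface the packet really arrived on).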
02-25-2008 11:54 AM
Hi All,
I have been stuck with this for a long time.
Net pros, please give your valuable suggestions on this NAT problem.