Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
563
Views
0
Helpful
4
Replies

NAT and 7.1(2)

rush2amol
Level 1
Level 1

‎10-20-2008 02:29 AM

I am trying to make translation from inside to outside on a ASA 5520 box with 7.1 (2) context based software

Trust me, the findings are really weird

Translation happens because the connectivity gets through and the other end as well is able to view the translated IP address for all the three type of configurations

Static

Dynamic and

policy based using acl

The issue is in the show local command output; the inside and outside IP addresses and not displayed. It works when nat (inside) id <host> is configured; but does not happen for static NAT and policy based NAT

Global (outside) 10 1.1.1.1 netmask 255.255.255.255

Nat (inside) 10 10.10.10.10 255.255.255.255

Show local 10.10.10.10

Xlate:

PAT Global 1.1.1.1(1024) Local 10.10.10.10(3955)

Conn:

TCP out 11.11.11.11:443 in 10.10.10.10:3956 idle 0:00:22 bytes 8827 flags UIO

-----------------

Static (inside,outside) 1.1.1.1 10.10.10.10 netmask 255.255.255.255

Show local 10.10.10.10

Conn:

TCP out 11.11.11.11:443 in 10.10.10.10:3956 idle 0:00:22 bytes 8827 flags UIO

------------------

Nat (inside) 10 access-list test

Access-list test permit ip host 10.10.10.10 host 11.11.11.11

Show local 10.10.10.10

Conn:

TCP out 11.11.11.11:443 in 10.10.10.10:3956 idle 0:00:22 bytes 8827 flags UIO

Can anyone let me know why I am not able to view the translation happening for static NAT or policy based NAT. In coming future this would get very difficult to troubleshoot on identifying where the problem is, so pl. suggest.

Labels:
0 Helpful
4 Replies 4

JORGE RODRIGUEZ
Level 10
Level 10

‎10-20-2008 06:46 AM

did you clear xlate table?

actually try clearing that particular local host.

e.i

asa#clear local-host

then initiate outbound traffic from that host and do "show local-host" again to see its actual static NAT translation.

see if that makes any difference.

Rgds

Jorge

Jorge Rodriguez
0 Helpful

rush2amol
Level 1
Level 1
In response to JORGE RODRIGUEZ

‎10-20-2008 08:40 AM

Yes i have clear the translation table but still cannot view the output of the show local command.

0 Helpful

singhsaju
Level 4
Level 4

‎10-20-2008 06:47 AM

You are using same global ip address 1.1.1.1 for static NAT , Policy NAT and dynamic NAT.

Try using different Global ip addresses for each of the translations.Then it will show the output.

HTH

Saju

Pls rate helpful posts

0 Helpful

rush2amol
Level 1
Level 1
In response to singhsaju

‎10-20-2008 08:43 AM

No, i do not use same global IP address simultaneously. its like first i only make a static nat, then remove static NAT and configure policy based NAT.

But when i configure PAT like nat (inside) , i am able to see the output in the show local command.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents