ASA 5520 NAT Failing

Unanswered Question
Apr 1st, 2009

Reposting in a new thread since the old one seems to have died...

I'm migrating from a PIX 515 to an ASA 5520. The config was created using the PIX to ASA migration tool. The ASDM Packet Tracer shows outbound traffic failing due to NAT.


nat (inside) 1
match ip inside any outside any
dynamic translation to pool 1 (
translate_hits = 971, untranslate_hits = 74

The old PIX config:

global (outside) 1
nat (inside) 1 0 0

The new ASA config:

global (outside) 1 netmask
nat (inside) 1

Any thoughts on why it might be failing?


John Blakley Wed, 04/01/2009 - 10:10

Try taking the netmask off of the global config. If your outside address is the one that you want to nat to, you can just put interface:

global (outside) 1 interface
nat (inside) 1 0 0



rcoote5902_2 Wed, 04/01/2009 - 10:48

Removed the netmask, same issue. The interface IP is not the same as the outside address so I can't use the interface.

Screenshot attached - port 80 trace to google's IP.

John Blakley Wed, 04/01/2009 - 10:52

In your screenshot it says that "flow is denied by configured rule." Do you have any acls on the inside interface?

thotsaphon Wed, 04/01/2009 - 11:11


What about this?

no global (outside) 1 netmask
global (outside) 1 netmask


thotsaphon Wed, 04/01/2009 - 12:05


Please provide us with the configuration on the ASA.


rcoote5902_2 Wed, 04/01/2009 - 11:17

No - no ACL on the inside interface, just the 2 implicit rules that are there by default - permit all traffic to a less secure interface (in this case inside is 100 by default and outside is 0 so all traffic should pass) and the implicit deny any any.

Jon Marshall Wed, 04/01/2009 - 12:05


Not familiar with ASDM but -

1) Can you try to access Internet from internal client

2) If you have tried this, what is the result?

3) Do you have correct routing setup?

Perhaps you could post the config with a description of IP addresses, i.e. src/destination etc.


rcoote5902_2 Wed, 04/01/2009 - 12:38


1) No internet access, page cannot be displayed. Can't ping from a client either.

3) Yes. All physical and logical connections are the same. I've even spoofed the MAC addresses of the PIX on the ASA interfaces.

When monitoring the ASA, there's plenty of traffic coming IN, so the ACL I have on that interface seems to be working. However there is absolutely zero traffic going out the outside interface.

I'm about ready to ship this thing back to Cisco.

Posting a config.

thotsaphon Wed, 04/01/2009 - 12:46


I just want to know where the default route is. (Go fix it)

"I'm about ready to ship this thing back to Cisco." Guys, don't give up. (grin)



Jon Marshall Wed, 04/01/2009 - 13:06


You don't have a default route so the ASA doesn't know where to send packets. So you need to add

route (outside)

where next-hop IP is the ISP router address. It will be out of the subnet.
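A small config-consistency check, added here as an example and not part of the thread or of any Cisco tool: it parses the pre-8.3 `global`/`nat`/`route` syntax used in this thread from a constructed sample config and flags the failure modes raised so far, a `nat` id with no matching `global` pool on the outside interface, a missing default route, and an inside security level that is not higher than outside (which would require an explicit access-list for outbound traffic). The sample configs, the interface names and the function name `check_outbound_nat` are assumptions; the addresses are RFC 5737 documentation ranges, not anything from the poster's network.

```python
import re
from typing import List

# Constructed sample configs (not the poster's attachment, whose addresses are
# not on the page). CONFIG_OK is a minimal working outbound PAT setup.
CONFIG_OK = """
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.10.1 255.255.255.0
global (outside) 1 203.0.113.10 netmask 255.255.255.255
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
"""

# CONFIG_BROKEN reproduces two of the thread's suspects: the global pool id
# does not match the nat id, and there is no default route.
CONFIG_BROKEN = """
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.10.1 255.255.255.0
global (outside) 2 203.0.113.10 netmask 255.255.255.255
nat (inside) 1 0.0.0.0 0.0.0.0
"""

NAT_RE = re.compile(r"^nat \((\S+)\) (\d+)\b")          # nat (inside) 1 ...
GLOBAL_RE = re.compile(r"^global \((\S+)\) (\d+)\b")    # global (outside) 1 ...
ROUTE_RE = re.compile(r"^route (\S+) 0\.0\.0\.0 0\.0\.0\.0 (\S+)")  # default route
NAMEIF_RE = re.compile(r"^\s*nameif (\S+)")
SECLEVEL_RE = re.compile(r"^\s*security-level (\d+)")


def check_outbound_nat(config: str, inside: str = "inside",
                       outside: str = "outside") -> List[str]:
    """Return a list of human-readable problems; empty means the checks pass."""
    problems: List[str] = []
    nat_ids, global_ids = set(), set()
    sec_levels = {}
    default_route = None
    current_if = None

    for line in config.splitlines():
        if m := NAMEIF_RE.match(line):
            current_if = m.group(1)
        elif (m := SECLEVEL_RE.match(line)) and current_if:
            sec_levels[current_if] = int(m.group(1))
        elif (m := NAT_RE.match(line)) and m.group(1) == inside:
            nat_ids.add(int(m.group(2)))
        elif (m := GLOBAL_RE.match(line)) and m.group(1) == outside:
            global_ids.add(int(m.group(2)))
        elif m := ROUTE_RE.match(line):
            default_route = (m.group(1), m.group(2))

    # nat id 0 is identity NAT and needs no global pool; every other id does.
    for nid in sorted(nat_ids - {0}):
        if nid not in global_ids:
            problems.append(
                f"nat ({inside}) id {nid} has no matching global ({outside}) {nid}; "
                "dynamic translation cannot allocate an outside address")

    if default_route is None or default_route[0] != outside:
        problems.append(
            f"no default route via {outside}; the ASA cannot forward to "
            "destinations beyond its connected subnets")

    if inside in sec_levels and outside in sec_levels \
            and sec_levels[inside] <= sec_levels[outside]:
        problems.append(
            f"security-level of {inside} ({sec_levels[inside]}) is not higher than "
            f"{outside} ({sec_levels[outside]}); outbound traffic needs an explicit ACL")

    return problems


if __name__ == "__main__":
    for name, cfg in (("CONFIG_OK", CONFIG_OK), ("CONFIG_BROKEN", CONFIG_BROKEN)):
        print(name, check_outbound_nat(cfg) or "no problems found")
```

Run it against `show running-config` output saved to a file to get the same three checks on a real box; the regexes only understand the pre-8.3 `global`/`nat` pair, which is the syntax this thread (and the PIX-to-ASA migration tool) produces.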


rcoote5902_2 Wed, 04/01/2009 - 13:49


Sorry in my haste (and frustration) I posted an incomplete config. The default route (and some other static routes) are there. I'm uploading the correct output.

I'm actually getting a "Network Timeout" when trying to browse from a client machine. Traffic looks like it's leaving but maybe not coming back?

With the PIX in place I can ping that default route - - however with the ASA in place I cannot - although I suspect that might just be ICMP traffic being denied.

Jon Marshall Wed, 04/01/2009 - 13:54


No problem. Can you specify the source IP address you are pinging from and the destination IP address you are pinging to ?



rcoote5902_2 Wed, 04/01/2009 - 13:56


I was pinging from to (the default route).

Also tried pinging google - - same source IP.

Ever see Office Space? This ASA is looking more and more like the fax machine from that movie... :)

Jon Marshall Wed, 04/01/2009 - 14:07

"Ever see Office Space? This ASA is looking more and more like the fax machine from that movie... :)"

Is that a movie ? - never seen it but don't despair. is part of the management vlan. What happens if you ping from an internal IP address that is not part of the management vlan. Is this possible ?


rcoote5902_2 Wed, 04/01/2009 - 14:44

Yes it's a movie and I recommend it. :)

Now some good news - I can surf from our remote sites on other subnets. Jon thank you for suggesting that. Some progress!

What do I need to change to allow ?

Jon Marshall Wed, 04/01/2009 - 15:00


"What do I need to change to allow ?"

Not sure to be honest. Is there a reason why you want the management vlan to be able to access the Internet, as the management vlan is primarily for managing the ASA device, not providing access?

Office Space - okay, if I can find it I'll have a look, but it had better be good :-)


rcoote5902_2 Wed, 04/01/2009 - 15:10

It's not actually the management vlan, it's the subnet of our main office where the device is housed. I was using that to remotely configure the device.

Ultimately I need to change the ip/subnet/vlan of the management interface.

Jon Marshall Wed, 04/01/2009 - 15:36


I suspect the issues you are experiencing are to do with the fact you are using the management interface.

It's times like these I wish I had an ASA device to play with :-)


rcoote5902_2 Thu, 04/02/2009 - 08:22


Well, I removed all references to that management interface - shut it right down and unplugged it.

I remain able to surf at our remote sites, but not here at the central office.


