Bidirectional NAT works, but.....

Jun 16th, 2009

With my last post, I got bidirectional NAT to work from outside -> inside. Config below:


global (inside) 99 10.153.99.1

nat (outside) 99 10.148.12.0 255.255.255.0 outside


Now, the problem is getting NAT to work from inside -> outside. This is the error message:


%ASA-3-305005: No translation group found for icmp src inside:10.153.13.18 dst....



So when I configure the following, everything breaks (meaning NAT in any direction stops working):


global (outside) 1 interface

nat (inside) 1 10.153.0.0 255.255.0.0


nat-control is disabled.


Thanks in advance!


Jon Marshall Tue, 06/16/2009 - 02:06
Alex


global (inside) 99 10.153.99.1

nat (outside) 99 10.148.12.0 255.255.255.0 outside


This is not bi-directional NAT. What it does is translate any incoming 10.148.12.x address on the outside to 10.153.99.1 on the inside.


Regardless, I'm not sure why your other NAT is not working.


Try


1) removing both NAT statements. Then apply


nat (inside) 1 10.153.0.0 255.255.0.0

global (outside) 1 interface


and then


global (inside) 99 10.153.99.1

nat (outside) 99 10.148.12.0 255.255.255.0 outside


Don't forget to do a clear xlate when you make NAT changes.


Also your ping, what device are you pinging and is it located on the outside of the ASA?


Jon



opers13 Tue, 06/16/2009 - 02:17

Hi Jon, below is from cisco.com


"outside (Optional) If this interface is on a lower security level than the interface you identify by the matching global statement, then you must enter outside. This feature is called outside NAT or bidirectional NAT."


Anyway, you think applying the statements in a different order could be the issue? I'm trying to ping a device on the outside.


I will give it a try. Thanks!





Jon Marshall Tue, 06/16/2009 - 02:22

Alex


I stand corrected :-) - +5


Jon

opers13 Mon, 06/22/2009 - 10:52

Jon,


Got this to work with the following:


Enabled same-security level:


same-security-traffic permit inter-interface


Changed security-level from 0 to 100


interface Ethernet0/2

speed 100

duplex full

nameif test

security-level 100

ip address 10.153.0.205 255.255.255.252



Added NAT 0:


nat (test) 0 access-list nonat


access-list nonat extended permit ip any any
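
An added example (not part of the thread and not Cisco's code): a small Python audit of the pre-8.3 `nat`/`global` statements quoted in the posts above. It pairs each `nat` with the `global` statements that share its NAT ID, and flags a nonzero ID with no `global` as well as a `nat 0` exemption whose ACL is `permit ip any any`. The function name `audit_nat` and the combined sample config are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: the pre-8.3 ASA statements quoted in the thread, combined.
SAMPLE = """\
global (inside) 99 10.153.99.1
nat (outside) 99 10.148.12.0 255.255.255.0 outside
global (outside) 1 interface
nat (inside) 1 10.153.0.0 255.255.0.0
nat (test) 0 access-list nonat
access-list nonat extended permit ip any any
"""

NAT_RE = re.compile(r"^nat \((\S+)\) (\d+) (.+)$")
GLOBAL_RE = re.compile(r"^global \((\S+)\) (\d+) (.+)$")
OPEN_ACL_RE = re.compile(r"^access-list (\S+) extended permit ip any any$")


def audit_nat(config):
    """Return (pairs, findings) for pre-8.3 nat/global statements (hypothetical helper)."""
    nats, globals_by_id, open_acls = [], defaultdict(list), set()
    for line in (raw.strip() for raw in config.splitlines()):
        if m := NAT_RE.match(line):
            nats.append((m[1], int(m[2]), m[3]))
        elif m := GLOBAL_RE.match(line):
            globals_by_id[int(m[2])].append((m[1], m[3]))
        elif m := OPEN_ACL_RE.match(line):
            open_acls.add(m[1])

    pairs, findings = [], []
    for real_ifc, nat_id, rest in nats:
        if nat_id == 0:
            # nat 0 exempts traffic from translation, so no global is paired with it.
            acl = re.match(r"access-list (\S+)", rest)
            if acl and acl[1] in open_acls:
                findings.append(
                    f"nat ({real_ifc}) 0 exempts all IP traffic via ACL {acl[1]}")
            continue
        targets = globals_by_id.get(nat_id, [])
        if not targets:
            findings.append(f"nat ({real_ifc}) {nat_id} has no global with id {nat_id}")
        for mapped_ifc, pool in targets:
            # Traffic from real_ifc is translated to pool when it leaves via mapped_ifc.
            pairs.append((real_ifc, mapped_ifc, nat_id, pool))
    return pairs, findings


if __name__ == "__main__":
    for item in sum(audit_nat(SAMPLE), []):
        print(item)
```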




