Bidirectional NAT works, but.....

Unanswered Question
Jun 16th, 2009

with my last post, I got bidirectional nat to work from outside -> inside. Config below:


global (inside) 99 10.153.99.1

nat (outside) 99 10.148.12.0 255.255.255.0 outside


Now, the problem is getting NAT to work from inside -> outside. This is the error message:


%ASA-3-305005: No translation group found for icmp src inside:10.153.13.18 dst....



So when I config the following everything breaks: (meaning NAT in any direction stops working)


global (outside) 1 interface

nat (inside) 1 10.153.0.0 255.255.0.0


nat-control is disabled.


thanks in advance!


  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (1 ratings)
Loading.
Jon Marshall Tue, 06/16/2009 - 02:06

Alex


global (inside) 99 10.153.99.1

nat (outside) 99 10.148.12.0 255.255.255.0 outside


this not bi-directional NAT. What it does is translate any incoming 10.148.12.x address on the outside to 10.153.99.1 on the inside


Regardless, i'm not sure why your'e other nat is not working.


Try


1) removing both NAT statements. Then apply


nat (inside) 1 10.153.0.0 255.255.0.0

global (outside) 1 interface


and then


global (inside) 99 10.153.99.1

nat (outside) 99 10.148.12.0 255.255.255.0 outside


Don't forget to do a clear xlate when you make NAT changes.


Also your ping, what device are you pinging and is it located on the outside of the ASA ?


Jon


Jon

opers13 Tue, 06/16/2009 - 02:17

Hi Jon, below is from cisco.com


"outside (Optional) If this interface is on a lower security level than the interface you identify by the matching global statement, then you must enter outside. This feature is called outside NAT or bidirectional NAT."


anyway, you think by applying the statements in different order could be the issue? I'm trying to ping a device on the outside.


I will give it a try..thanks!





opers13 Mon, 06/22/2009 - 10:52

Jon,


got this to work with the following:


Enabled same-security level:


same-security-traffic permit inter-interface


Changed security-level from 0 to 100


interface Ethernet0/2

speed 100

duplex full

nameif test

security-level 100

ip address 10.153.0.205 255.255.255.252



Added NAT 0:


nat (test) 0 access-list nonat


access-list nonat extended permit ip any any





Actions

This Discussion