Fun with NAT on ASA

spollock
Level 1

If a host on 192.168.1.x, the inside interface, tries to ping a host on 192.168.10.x (a network behind a router which is connected at 6.1)

The ASA returns:

Jan 23 2010 10:17:58: %ASA-3-305006: portmap translation creation failed for icmp src inside:192.168.1.3 dst inside:192.168.10.22 (type 8, code 0)

and the ping fails.

If you try to ping directly from the ASA you get a similar result:

#ping 192.168.10.22
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.22, timeout is 2 seconds:
Jan 23 2010 10:20:35: %ASA-4-313004: Denied ICMP type=0, from laddr 192.168.1.6 on interface inside to 192.168.1.1: no matching session

Seems to me this should work right out of the box, suggestions?

<config snip>

name 192.168.10.0 Cowacella description named after thomas J's Monticello with a cow twist

access-list inside_access_in_1 extended permit ip any any

nat-control
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0

access-group inside_access_in_1 in interface inside
route inside Cowacella 255.255.255.0 192.168.1.6 1

4 Replies

spollock
Level 1

I failed to mention, I have "same-security-traffic permit intra-interface" enabled as well.

vilaxmi
Cisco Employee

Hello,

You are running into an asymmetric routing scenario over here.

Either you can set the default gateway of hosts on all subnets to be the 6.1 (router) and have its default gateway set to the ASA inside ifc, OR, if you really want to keep the ASA as everybody's default gateway, then you can use the tcp-state-bypass feature introduced in the 8.2 release of code for ASA, so that the asymmetric situation here can be handled correctly by the ASA.

Check it out at the release notes:

http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/s1.html#wp1428242

HTH

Vijaya

svaish
Level 1

It is really simple, my friend.

All you need to do is put in a static command:

static (inside,inside) 192.168.1.x 192.168.1.x

Have a look at the attached file to understand the scenario in a better way. :)

Regards,

Sachin Vaish

vilaxmi
Cisco Employee

Hello,

Making the firewall inside ifc proxy ARP for inside hosts using a global (inside) 1 ifc statement, along with the identity static translation for the destination, was a workaround we used in the pre-8.2 era. Anyway, I would suggest using the solution above (the tcp-state-bypass feature) on 8.2+ code.

Thanks,

Vijaya
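As an added configuration example (written for this page, not posted by anyone in the thread), here are the two fixes discussed above spelled out in ASA 8.2 syntax for the original poster's topology. It assumes the inside interface is 192.168.1.1/24, the downstream router is 192.168.1.6, and 192.168.10.0/24 is the subnet the poster named Cowacella; the access-list, class-map and policy-map names are arbitrary.

```cisco
! Added example, not from the original thread. Assumes ASA 8.2, inside
! interface 192.168.1.1/24, downstream router 192.168.1.6, and the
! 192.168.10.0/24 subnet behind it (named Cowacella in the poster's config).
name 192.168.10.0 Cowacella

! The poster already has these; they are required for any hairpinned
! inside-to-inside traffic.
same-security-traffic permit intra-interface
route inside Cowacella 255.255.255.0 192.168.1.6 1

! --- Fix 1: the NAT error (%ASA-3-305006) ---
! nat (inside) 1 0 0 with nat-control matches hairpinned flows too, but there
! is no global (inside) 1, so no translation can be built. Identity statics
! for both subnets take precedence over nat/global and satisfy nat-control
! in both directions.
static (inside,inside) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
static (inside,inside) Cowacella Cowacella netmask 255.255.255.0
! Check: if the ASA starts answering ARP for 192.168.1.x hosts on the inside
! segment after adding the statics, turn proxy ARP off on that interface.
sysopt noproxyarp inside

! --- Fix 2: the asymmetric return path (8.2+ only) ---
! Replies from 192.168.10.x reach the router, which delivers them straight to
! 192.168.1.x on the shared segment; the ASA sees the SYN and the ACK but never
! the SYN-ACK and would drop the flow. Bypass TCP state checking for exactly
! that host pair, and nothing else.
access-list tcp_bypass extended permit tcp 192.168.1.0 255.255.255.0 Cowacella 255.255.255.0
class-map tcp_bypass
 match access-list tcp_bypass
policy-map tcp_bypass_policy
 class tcp_bypass
  set connection advanced-options tcp-state-bypass
service-policy tcp_bypass_policy interface inside
```

Two caveats worth knowing before copying this. TCP state bypass only relaxes checking for TCP, so it does nothing for the ICMP test in the original post; once the statics are in place the echo request is forwarded and the reply reaches the host directly via the router, with the ASA never seeing it. And bypassing TCP state tracking removes the sequence-number and handshake checks the ASA normally enforces, so keep the bypass ACL scoped to the two subnets rather than `any any`; the cleaner long-term answer is the one Vijaya gave first, which is to make the router the hosts' gateway (or give them a static route for 192.168.10.0/24 via 192.168.1.6) so the ASA is not in the path at all.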
