06-09-2010 11:05 PM - edited 03-11-2019 10:57 AM
Hi,
I have a problem creating a static NAT between a public IP address range (i.e. 222.222.222.2 - 222.222.222.6) and a private IP address range (192.168.101.2 - 192.168.101.6). When I try to ping the PC (192.168.101.2) in my private network from the public network (ping 222.222.222.2), or vice versa, nothing happens. The "debug nat" command shows the following error message: nat: untranslation - outside0:222.222.222.2/0 to inside0/3:192.168.101.2/0.
Here is my configuration:
ASA Version 8.3(1)
!
hostname Firewall
enable password ZcWMFYW8y4cSHoCz encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
nameif outside0
security-level 100
ip address 222.222.222.221 255.255.255.192 (ip address is an example address)
!
interface Ethernet0/1
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
nameif inside0/3
security-level 100
no ip address
!
interface Ethernet0/3.10
description VLAN 10
vlan 10
nameif inside_netwok1
security-level 100
ip address 192.168.101.1 255.255.255.0
!
interface Management0/0
shutdown
no nameif
no security-level
no ip address
!
boot system disk0:/asa831-k8.bin
ftp mode passive
object network MAPPED_INSIDE
range 192.168.101.2 192.168.101.6
object network MAPPED_OUTSIDE
range 222.222.222.2 222.222.222.6
access-list Traffic_in extended permit ip any 222 222.222.2.255.255.255.248
access-list Traffic_in extended permit ip any 192.168.101.0 255.255.255.0
pager lines 24
mtu inside_netwok1 1500
mtu outside0 1500
mtu inside0/3 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
!
object network MAPPED_INSIDE
nat (inside0/3,outside0) static MAPPED_OUTSIDE
object network MAPPED_JULKINEN
nat (outside0,inside0/3) static MAPPED_INSIDE
access-group Traffic_in in interface outside0
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 60
ssh version 2
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
username jklp password q0MTHZ/Tiy/UXjqC encrypted privilege 15
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
prompt hostname context
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:87409b9bc0a2eedf2f98857d07991d71
: end
Thanks,
Tuomas
06-10-2010 11:25 AM
Your config is right, there is something else that is happening.
Try packet tracer
packet-tracer input outside icmp host
And see what the ASA will do with the packet.
Also use
capture capin interface inside0/3 match icmp host
capture capout interface outside match icmp host
sh cap capin
show cap capout
to capture packets and see if they are sent.
I hope it helps.
PK
06-10-2010 05:23 AM
Please remove the following lines as there is no need for them:
access-list Traffic_in extended permit ip any 222 222.222.2.255.255.255.248
object network MAPPED_JULKINEN
nat (outside0,inside0/3) static MAPPED_INSIDE
(actually removing the network object should also remove the nat statement)
Once you have done this, you may have to do "clear local-host", "clear xlate".
Then try again.
06-10-2010 06:03 AM
Thank you for the answer! Unfortunately it did not help me. I removed the unnecessary lines from my configuration but the NAT still does not work. Below is my current configuration:
: Saved
:
ASA Version 8.3(1)
!
hostname Jyvas-P
enable password ZcWMFYW8y4cSHoCz encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
nameif outside0
security-level 100
ip address 222.222.222.194 255.255.255.192 (ip address is an example address)
!
interface Ethernet0/1
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
nameif inside0/3
security-level 100
no ip address
!
interface Ethernet0/3.10
description TAC-yhteydet
vlan 10
nameif TAC-verkko
security-level 100
ip address 192.168.101.1 255.255.255.0
!
interface Management0/0
shutdown
no nameif
no security-level
no ip address
!
boot system disk0:/asa831-k8.bin
ftp mode passive
object network MAPPED_INSIDE
range 192.168.101.2 192.168.101.6
object network MAPPED_OUTSIDE
range 222.222.222.222 222.222.222.226
access-list Traffic_in extended permit ip any 192.168.101.0 255.255.255.0
pager lines 24
mtu outside0 1500
mtu inside0/3 1500
mtu TAC-verkko 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-631.bin
no asdm history enable
arp timeout 14400
!
object network MAPPED_INSIDE
nat (inside0/3,outside0) static MAPPED_OUTSIDE
access-group Traffic_in in interface outside0
route outside0 0.0.0.0 0.0.0.0 222.222.222.193 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 60
ssh version 2
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username jklp password q0MTHZ/Tiy/UXjqC encrypted privilege 15
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
prompt hostname context
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:5d9d41b39442c2e7c793ca4f7e724e1a
: end
Thanks,
-Tuomas
06-10-2010 10:39 PM
Hi,
Thanks for your help! I used the command "packet-tracer input outside icmp host
There was also another mistake in the command "nat (inside0/3,outside0) static MAPPED_OUTSIDE" because I use the subinterface "TAC-verkko". So the right command is "nat (TAC-verkko,outside0) static MAPPED_OUTSIDE".
- Tuomas
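A small config check for the mistake identified above, added here as an example and not part of the thread or of any Cisco tool: it parses nameif/ip address blocks, object ranges and static object-NAT statements, then flags a nat rule whose real interface does not actually hold the real object's addresses (listing the interfaces that do), plus any size mismatch between the real and mapped ranges. The excerpt is constructed from the poster's second configuration with indentation dropped; parse and lint are assumed helper names.

```python
import ipaddress

# Constructed excerpt of the poster's second config (indentation dropped; not complete).
SAMPLE_CONFIG = """
interface Ethernet0/3
nameif inside0/3
no ip address
interface Ethernet0/3.10
nameif TAC-verkko
ip address 192.168.101.1 255.255.255.0
object network MAPPED_INSIDE
range 192.168.101.2 192.168.101.6
object network MAPPED_OUTSIDE
range 222.222.222.222 222.222.222.226
object network MAPPED_INSIDE
nat (inside0/3,outside0) static MAPPED_OUTSIDE
"""

def parse(config):
    """Collect nameif -> connected network, object name -> addresses, static object-NAT rules."""
    ifaces, objects, nats, nameif, obj = {}, {}, [], None, None
    for tok in filter(None, map(str.split, config.splitlines())):
        if tok[0] == "interface":
            nameif = obj = None                      # new interface block
        elif tok[0] == "nameif":
            nameif = tok[1]
        elif tok[:2] == ["ip", "address"] and nameif:
            ifaces[nameif] = ipaddress.ip_interface(f"{tok[2]}/{tok[3]}").network
        elif tok[:2] == ["object", "network"]:
            obj = tok[2]                             # later lines belong to this object
        elif tok[0] == "range" and obj:
            lo, hi = (int(ipaddress.ip_address(a)) for a in tok[1:3])
            objects[obj] = [ipaddress.ip_address(i) for i in range(lo, hi + 1)]
        elif tok[0] == "nat" and obj and tok[2] == "static":
            real_if, mapped_if = tok[1].strip("()").split(",")
            nats.append((obj, real_if, mapped_if, tok[3]))
    return ifaces, objects, nats

def lint(config):
    """Findings per rule: real/mapped size mismatch, or real interface not holding the real addresses."""
    ifaces, objects, nats = parse(config)
    findings = []
    for real_obj, real_if, mapped_if, mapped_obj in nats:
        real, mapped = objects.get(real_obj, []), objects.get(mapped_obj, [])
        if len(real) != len(mapped):
            findings.append(f"{real_obj}: {len(real)} real vs {len(mapped)} mapped addresses")
        if not (ifaces.get(real_if) and all(ip in ifaces[real_if] for ip in real)):
            fits = [n for n, net in ifaces.items() if all(ip in net for ip in real)]
            findings.append(f"nat ({real_if},{mapped_if}): {real_obj} is not on {real_if}, try {fits}")
    return findings
```

Running lint on the excerpt reports the parent interface inside0/3 and suggests TAC-verkko, the subinterface that carries 192.168.101.0/24; with the corrected statement it reports nothing.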
06-11-2010 06:00 AM
That is good news!
PK