06-11-2010 08:19 AM - edited 03-11-2019 10:58 AM
I was attempting to configure a static NAT statement on a client's firewall which is running code version 8.3.1. I got a message indicating that the old static command had been deprecated, and that the "nat" command needed to be used instead.
What I am trying to do is the following ( in the old format)
access-list PJMNAT extended permit ip host 192.168.103.59 host 206.223.104.11
static (inside,WAN) 172.28.6.133 access-list PJMNAT
In other words, I need for traffic from 192.168.103.59 to be translated to 172.28.6.133 when communicating to 206.223.104.11 on the WAN interface.
Would anyone know how to write this on the ASA running code 8.3.1?
Thanks
Kevin
06-11-2010 08:23 AM
Hi,
In 8.3 the NAT syntax changed completely.
From the migration guide:
http://www.cisco.com/en/US/docs/security/asa/asa83/upgrading/migrating.html
Old Configuration
access-list NET1 permit ip host 10.1.2.27 10.76.5.0 255.255.255.224
static (inside,outside) 209.165.202.129 access-list NET1
Migrated Configuration
object network obj-10.1.2.27
host 10.1.2.27
object network obj-209.165.202.129
host 209.165.202.129
object network obj-10.76.5.0
subnet 10.76.5.0 255.255.255.224
nat (inside,outside) source static obj-10.1.2.27 obj-209.165.202.129 destination static obj-10.76.5.0 obj-10.76.5.0
Federico.
06-11-2010 09:06 AM
Federico
I am having difficulty trying to follow the example you have used.
Can you take my real time data and show how the rule should be written based on that?
Thanks
Kevin
06-11-2010 09:11 AM
object network obj-192.168.103.59
host 192.168.103.59
object network obj-172.28.6.133
host 172.28.6.133
object network obj-206.223.104.11
host 206.223.104.11
nat (inside,WAN) source static obj-192.168.103.59 obj-172.28.6.133 destination static obj-206.223.104.11 obj-206.223.104.11
Federico.
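The two object-NAT rewrites above follow one mechanical pattern (one `object network` per real, mapped and destination address, then a `nat ... source static ... destination static` line). The converter below, written for this thread and not taken from Cisco or the migration guide, applies that pattern to a pre-8.3 policy static; it assumes the ACL endpoints are `host A` or `NET MASK` and that the mapped address is a single host, which is all the examples on this page use.

```python
import re

# Constructed sample: the pre-8.3 policy static NAT from the question above.
OLD_CONFIG = """
access-list PJMNAT extended permit ip host 192.168.103.59 host 206.223.104.11
static (inside,WAN) 172.28.6.133 access-list PJMNAT
"""

ACL_RE = re.compile(r"^access-list\s+(\S+)\s+(?:extended\s+)?permit\s+ip\s+(.+)$")
STATIC_RE = re.compile(r"^static\s+\((\S+),(\S+)\)\s+(\S+)\s+access-list\s+(\S+)$")

def parse_endpoint(tokens):
    """Consume one ACL endpoint: 'host A' or 'NET MASK'. Returns ((kind, value), rest)."""
    if tokens[0] == "host":
        return ("host", tokens[1]), tokens[2:]
    return ("subnet", f"{tokens[0]} {tokens[1]}"), tokens[2:]

def obj_block(addr):
    """Name and body of an 'object network' in the obj-<address> migration style."""
    kind, value = addr
    name = "obj-" + value.split()[0]
    return name, [f"object network {name}", f" {kind} {value}"]

def migrate(old_text):
    """Turn 'access-list + static (in,out) MAPPED access-list' into 8.3 twice NAT."""
    acls, out, defined = {}, [], set()
    for line in old_text.strip().splitlines():
        line = line.strip()
        m = ACL_RE.match(line)
        if m:  # remember each permit line of the policy ACL as (src, dst)
            src, rest = parse_endpoint(m.group(2).split())
            dst, _ = parse_endpoint(rest)
            acls.setdefault(m.group(1), []).append((src, dst))
            continue
        m = STATIC_RE.match(line)
        if m:
            inside, outside, mapped, acl = m.groups()
            for src, dst in acls.get(acl, []):
                names = []
                for addr in (src, ("host", mapped), dst):
                    name, body = obj_block(addr)
                    if name not in defined:  # emit each object only once
                        defined.add(name)
                        out += body
                    names.append(name)
                real_n, mapped_n, dst_n = names
                out.append(f"nat ({inside},{outside}) source static {real_n} {mapped_n} "
                           f"destination static {dst_n} {dst_n}")
    return "\n".join(out)
```

For the thread's own destination object-group the last line is the same with `PJMServers PJMServers` in place of the single destination object, as Kevin's later post shows.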
06-11-2010 09:35 AM
Federico
Thanks for the response.
One thing I am trying to do is to use an existing object-group called PJMServers. This object group has several addresses in it (in the 206.223.104.X range).
here is how I am trying to configure the nat statement and the associated error message:
nat (inside,WAN) source static obj-192.168.103.59 obj-172.28.6.133 destination static obj-group PJMServers
ERROR: obj-group doesn't match an existing object or object-group
How do I write in the existing object group instead of the 1 object?
thx
kevin
06-11-2010 09:39 AM
Let's do two things:
Specify the actual address instead of the object-group just to make sure the NAT rule works.
Post a ''sh run object-group PJMServers'' to make sure the configuration exists (so we can configure it using the object-group)
Federico.
06-11-2010 10:05 AM
I actually did exactly that, but I am still not getting any ICMP replies from the source 206.223.104.13 (not .11 like I thought) as it tries to ping 172.28.6.133 (which is actually our 192.168.103.59 on the inside).
Here is the requested output:
lo-asa# sh run object-group PJMServers
^
ERROR: % Invalid input detected at '^' marker.
lo-asa# sho run object-group PJMServers
^
ERROR: % Invalid input detected at '^' marker.
sh run object-group network
object-group network PJMServers
network-object object PriEMSUCSPair
network-object object PriEMSUCSPair2
network-object object SecEMSUCSPair
network-object object SecEMSUCSPair2
network-object host 206.223.104.20
network-object host 206.223.104.21
network-object host 206.223.104.22
network-object host 206.223.104.23
network-object host 206.223.104.80
network-object host 206.223.105.2
network-object host 206.223.105.3
network-object host 206.223.104.11
network-object host 206.223.104.13
network-object host 206.223.104.15
network-object host 206.223.104.17
06-11-2010 11:10 AM
Federico
I inadvertently put "answered" as the status of this post. If you can, I would still need your help. I still show the object-group PJMServers as being on the box.
Thanks
Kevin
06-11-2010 01:11 PM
Please confirm that you're trying to PING 206.223.104.11 from 192.168.103.59
And you want it to NAT to 172.28.6.133
Please do a Packet Tracer test to check which process is failing on the ASA.
Federico.
06-14-2010 03:36 AM
In all actuality it should be 206.223.104.13 that is pinging 172.28.6.133. 206.223.104.13 is our business partner. He is trying to ping our 192.168.103.59 box. But he doesn't know the box as 192.168.103.59. He knows the box as 172.28.6.133.
Thanks Federico
Kevin
06-14-2010 11:11 AM
Kevin,
What does a Packet Tracer show you?
Federico.
06-14-2010 12:53 PM
Federico,
I actually worked through and figured out the NAT statement, but now I have run into another issue that may need your assistance. I wrote the NAT statement as: [nat (inside,WAN) source static obj-192.168.103.59 obj-172.28.6.133 destination static PJMServers PJMServers] with PJMServers as an object group I have created. With that in place I can now see traffic originating from 192.168.103.59 being translated on the WAN interface (from INSIDE to WAN) to 172.28.6.133 en route to the 206.223.104.13 address. The issue I am having now is that the ICMP request I am sending out is getting this response via a capture on the WAN interface of the ASA:
1: 15:46:31.797352 172.28.6.133 > 206.223.104.13: icmp: echo request
2: 15:46:31.813587 206.223.104.13 > 172.28.6.133: icmp: echo reply
3: 15:46:31.814945 172.28.6.133 > 206.223.104.13: icmp: host 172.28.6.133 unreachable - admin prohibited filter
4: 15:46:37.297668 172.28.6.133 > 206.223.104.13: icmp: echo request
5: 15:46:37.314116 206.223.104.13 > 172.28.6.133: icmp: echo reply
6: 15:46:37.315077 172.28.6.133 > 206.223.104.13: icmp: host 172.28.6.133 unreachable - admin prohibited filter
7: 15:46:42.797611 172.28.6.133 > 206.223.104.13: icmp: echo request
8: 15:46:42.813724 206.223.104.13 > 172.28.6.133: icmp: echo reply
9: 15:46:42.814761 172.28.6.133 > 206.223.104.13: icmp: host 172.28.6.133 unreachable - admin prohibited filter
10: 15:46:48.297851 172.28.6.133 > 206.223.104.13: icmp: echo request
11: 15:46:48.314238 206.223.104.13 > 172.28.6.133: icmp: echo reply
12: 15:46:53.798176 172.28.6.133 > 206.223.104.13: icmp: echo request
13: 15:46:53.814472 206.223.104.13 > 172.28.6.133: icmp: echo reply
14: 15:46:59.298110 172.28.6.133 > 206.223.104.13: icmp: echo request
15: 15:46:59.314497 206.223.104.13 > 172.28.6.133: icmp: echo reply
16: 15:46:59.315672 172.28.6.133 > 206.223.104.13: icmp: host 172.28.6.133 unreachable - admin prohibited filter
17: 15:47:04.798191 172.28.6.133 > 206.223.104.13: icmp: echo request
18: 15:47:04.814594 206.223.104.13 > 172.28.6.133: icmp: echo reply
19: 15:47:04.815509 172.28.6.133 > 206.223.104.13: icmp: host 172.28.6.133 unreachable - admin prohibited filter
20: 15:47:10.298354 172.28.6.133 > 206.223.104.13: icmp: echo request
21: 15:47:10.314742 206.223.104.13 > 172.28.6.133: icmp: echo reply
22: 15:47:10.315642 172.28.6.133 > 206.223.104.13: icmp: host 172.28.6.133 unreachable - admin prohibited filter
23: 15:47:15.799366 172.28.6.133 > 206.223.104.13: icmp: echo request
24: 15:47:15.815707 206.223.104.13 > 172.28.6.133: icmp: echo reply
The message "host 172.28.6.133 unreachable - admin prohibited filter" makes me think I am being denied via an ACL on the ASA on either the INSIDE or WAN interface, but I have created multiple permit statements to allow IP and not just ICMP between the addresses. Do you have anything to try that could help? Thanks
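What the capture shows is worth reading per ping: the echo reply from 206.223.104.13 does arrive on WAN, and the very next frame is an admin-prohibited unreachable sourced from the mapped address 172.28.6.133, which is the ASA itself rejecting that reply rather than forwarding it inside (without `inspect icmp` the ASA does not track echo replies as part of a connection, so the WAN interface ACL has to permit them, which is the test suggested later in this thread). The script below is an added analysis aid, not from the thread or Cisco; it groups the capture lines into request/reply/unreachable sequences and reports which replies were answered with a filter rejection, using a subset of the capture lines from the post above as its sample input.

```python
import re
from collections import defaultdict

# Sample input: a subset of the WAN-interface capture lines from the post above.
CAPTURE = """\
1: 15:46:31.797352 172.28.6.133 > 206.223.104.13: icmp: echo request
2: 15:46:31.813587 206.223.104.13 > 172.28.6.133: icmp: echo reply
3: 15:46:31.814945 172.28.6.133 > 206.223.104.13: icmp: host 172.28.6.133 unreachable - admin prohibited filter
4: 15:46:37.297668 172.28.6.133 > 206.223.104.13: icmp: echo request
5: 15:46:37.314116 206.223.104.13 > 172.28.6.133: icmp: echo reply
6: 15:46:37.315077 172.28.6.133 > 206.223.104.13: icmp: host 172.28.6.133 unreachable - admin prohibited filter
10: 15:46:48.297851 172.28.6.133 > 206.223.104.13: icmp: echo request
11: 15:46:48.314238 206.223.104.13 > 172.28.6.133: icmp: echo reply
"""

# ASA 'show capture' line: "<n>: <hh:mm:ss.usec> <src> > <dst>: icmp: <text>"
LINE_RE = re.compile(r"^\d+:\s+(\d+:\d+:\d+\.\d+)\s+(\S+)\s+>\s+(\S+):\s+icmp:\s+(.*)$")

def parse(capture):
    """Yield (timestamp, src, dst, icmp_text) for every capture line that parses."""
    for line in capture.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groups()

def analyze(capture, mapped_ip, peer_ip):
    """One verdict per echo request sent from the mapped address to the peer:
    'no reply', 'reply seen' (reply on the wire, nothing rejected it), or
    'reply rejected by filter' (reply immediately followed by an admin-prohibited
    unreachable sourced from the mapped address, i.e. the firewall dropped it)."""
    verdicts, cur = [], None
    for ts, src, dst, text in parse(capture):
        if src == mapped_ip and dst == peer_ip and text == "echo request":
            if cur:
                verdicts.append(cur)
            cur = {"sent": ts, "reply": None, "state": "no reply"}
        elif cur and src == peer_ip and dst == mapped_ip and text == "echo reply":
            cur["reply"], cur["state"] = ts, "reply seen"
        elif cur and cur["reply"] and src == mapped_ip and "admin prohibited" in text:
            cur["state"] = "reply rejected by filter"
    if cur:
        verdicts.append(cur)
    return verdicts

def summarize(capture, mapped_ip, peer_ip):
    """Count verdicts by state, e.g. {'reply rejected by filter': 2, 'reply seen': 1}."""
    counts = defaultdict(int)
    for v in analyze(capture, mapped_ip, peer_ip):
        counts[v["state"]] += 1
    return dict(counts)
```

A capture on the inside interface for the same pings would confirm the reading: rejected replies never appear there, while "reply seen" ones should.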
06-14-2010 01:09 PM
Capture on the WAN interface:
Shows successful ICMP echo-request from 172.28.6.133 to 206.223.104.13
Then, the ICMP echo-reply back
Then, you get this message:
3: 15:46:31.814945 172.28.6.133 > 206.223.104.13: icmp: host 172.28.6.133 unreachable - admin prohibited filter
Again, the NAT IP is trying to send ICMP to 206.28.6.133?
Aside from the error, the PING seems to be working, what problem are you having?
Federico.
06-14-2010 02:24 PM
The ICMP is going to 206.223.104.13.
The issue is the server (192.168.103.59) being translated to 172.28.6.133 is not actually receiving the echo-reply; it is getting non-replies (timeouts) during the ping.
06-14-2010 04:34 PM
Kevin,
As a test, could you allow ICMP on the outside ACL and try again?
Federico.