ASA 8.3 outgoing NAT not working right

Answered Question
Jul 12th, 2011

We recently upgraded our ASA to 8.3; most everything went OK, but I am having problems with outgoing NAT. It seems that when one of our systems that needs to be NATed to an outside IP address connects out, it is not doing it. When that system goes out, the IP address is our internet IP and not the NATed address; however, inbound everything works.

We have one rule that does PAT

nat (INSIDE,OUTSIDE) source dynamic OG_IP_NAT_DMZ obj-1.1.1.1

This is the natting statement that should be translating the addresses

object network obj-10.200.0.10
 nat (INSIDE,OUTSIDE) static 2.2.2.2

I think I need to double nat, is that right if so how?

varrao Tue, 07/12/2011 - 11:03

Hey Moises,

Could you please provide a copy of your config? The NAT statement that you have provided:

nat (INSIDE,OUTSIDE) source dynamic OG_IP_NAT_DMZ obj-1.1.1.1

looks perfect to me: all the users in the object OG_IP_NAT_DMZ would be dynamically NATed to obj-1.1.1.1. Just make sure you have the right hosts under these objects; do:

show run object | begin OG_IP_NAT_DMZ and show run object | begin obj-1.1.1.1

The second NAT statement is a one-to-one mapping; mostly, if anyone wants to access the 10.200.0.10 IP they would do it on 2.2.2.2,

so I guess you should be able to access the internet. If you can provide a config, it would be easier to troubleshoot.

Hope this helps

Thanks,

Varun

moises7777 Tue, 07/12/2011 - 11:47

Thanks for your reply!

I have advanced this issue a bit more. The problem is definitely NAT. Our SIP provider states that we cannot connect because the IP address that they are expecting is incorrect. Instead of coming out with the static NATed address, they are coming out as our outside web address.

At this time we are trying double nat and its like this:

nat (INSIDE,OUTSIDE) source static obj-10.200.0.10 obj-ccm-translated (actual outside ip x.x.x.x)
destination static obj_any obj_any

We had other issues with NAT statements today and most were resolved by doing the above; however, not this issue. When I run packet-tracer it shows its translation address.

This is the output from the sh nat command

HoTasa# sh nat 10.200.0.10

Manual NAT Policies (Section 1)

2 (INSIDE) to (OUTSIDE) source static obj-10.200.0.10 obj-ccm-translated destination static obj_any obj_any

    translate_hits = 21, untranslate_hits = 170

Auto NAT Policies (Section 2)

12 (INSIDE) to (OUTSIDE) source static obj-10.200.0.10 x.x.x.x

    translate_hits = 0, untranslate_hits = 145

Any help would be appreciated, thanks.

varrao Tue, 07/12/2011 - 11:56

If I understand the issue correctly, you should be falling into this NAT:

object network obj-10.200.0.10
 nat (INSIDE,OUTSIDE) static 2.2.2.2

but the SIP provider sees the request coming from the IP in this NAT:

nat (INSIDE,OUTSIDE) source dynamic OG_IP_NAT_DMZ obj-1.1.1.1

am I right?

If this is the case, then it is nothing but the dynamic NAT taking precedence over the static one-to-one.

What I would suggest is, try removing the static one-to-one NAT and add the following:

object network obj-2.2.2.2

  host 2.2.2.2

nat (inside,outside) 1 source static obj-10.200.0.10 obj-2.2.2.2

and you should see this working after it.

Hope this helps

Thanks,

Varun
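Added example, not part of the thread and not Cisco's code: a small Python model of the ASA 8.3+ NAT precedence that varrao describes above. It parses constructed `show nat detail`-style output (same layout as the `sh nat` paste in this thread; the hit counters and the `Source - Origin` line for the dynamic rule are made up), walks the policies in evaluation order (Section 1 manual NAT top to bottom, then Section 2 auto NAT, then Section 3), and reports which policy a given inside host would actually use. It assumes that OG_IP_NAT_DMZ covers 10.200.0.0/24 and therefore also matches 10.200.0.10, which is the only reading under which the SIP provider would see the PAT address; the thread never shows the object's contents.

```python
import ipaddress
import re

# Constructed `show nat detail`-style output modelling the original (broken)
# state. ASSUMPTION: OG_IP_NAT_DMZ resolves to 10.200.0.0/24.
BROKEN_SHOW_NAT = """\
Manual NAT Policies (Section 1)
1 (INSIDE) to (OUTSIDE) source dynamic OG_IP_NAT_DMZ obj-1.1.1.1
    translate_hits = 5321, untranslate_hits = 0
    Source - Origin: 10.200.0.0/24, Translated: 1.1.1.1/32

Auto NAT Policies (Section 2)
1 (INSIDE) to (OUTSIDE) source static obj-10.200.0.10 2.2.2.2
    translate_hits = 0, untranslate_hits = 145
    Source - Origin: 10.200.0.10/32, Translated: 2.2.2.2/32
"""

# Constructed output after moving the static rule to manual NAT position 1,
# as suggested in the thread.
FIXED_SHOW_NAT = """\
Manual NAT Policies (Section 1)
1 (INSIDE) to (OUTSIDE) source static obj-10.200.0.10 obj-2.2.2.2
    translate_hits = 7, untranslate_hits = 12
    Source - Origin: 10.200.0.10/32, Translated: 2.2.2.2/32
2 (INSIDE) to (OUTSIDE) source dynamic OG_IP_NAT_DMZ obj-1.1.1.1
    translate_hits = 5321, untranslate_hits = 0
    Source - Origin: 10.200.0.0/24, Translated: 1.1.1.1/32
"""

SECTION_RE = re.compile(r"^(Manual|Auto) NAT Policies \(Section (\d)\)")
POLICY_RE = re.compile(r"^(\d+) \((\S+)\) to \((\S+)\) source (static|dynamic) (\S+) (\S+)")
HITS_RE = re.compile(r"translate_hits = (\d+), untranslate_hits = (\d+)")
ORIGIN_RE = re.compile(r"Source - Origin: (\S+), Translated: (\S+)")


def parse_show_nat(text):
    """Return policies in the order the ASA evaluates them.

    The ASA prints each section in its evaluation order, so section number
    plus displayed index is enough to reproduce the lookup order.
    """
    policies = []
    section = None
    for line in text.splitlines():
        stripped = line.strip()
        m = SECTION_RE.match(stripped)
        if m:
            section = int(m.group(2))
            continue
        m = POLICY_RE.match(stripped)
        if m:
            policies.append({
                "section": section,
                "index": int(m.group(1)),
                "kind": m.group(4),          # static or dynamic
                "src_obj": m.group(5),       # original source object
                "mapped_obj": m.group(6),    # translated source object
                "translate_hits": 0,
                "origin": None,
                "translated": None,
            })
            continue
        m = HITS_RE.search(stripped)
        if m and policies:
            policies[-1]["translate_hits"] = int(m.group(1))
            continue
        m = ORIGIN_RE.search(stripped)
        if m and policies:
            policies[-1]["origin"] = ipaddress.ip_network(m.group(1))
            policies[-1]["translated"] = m.group(2)
    return sorted(policies, key=lambda p: (p["section"], p["index"]))


def first_match(policies, src_ip):
    """First policy whose original source covers src_ip wins; a more specific
    policy further down the table is never consulted."""
    addr = ipaddress.ip_address(src_ip)
    for p in policies:
        if p["origin"] is not None and addr in p["origin"]:
            return p
    return None


def mapped_address(text, src_ip):
    """Address src_ip would leave the OUTSIDE interface with, or None."""
    p = first_match(parse_show_nat(text), src_ip)
    return None if p is None else p["translated"].split("/")[0]


def shadowed_static_rules(text):
    """Static rules with translate_hits = 0 whose origin sits inside an
    earlier policy: the symptom seen in the thread's `sh nat` output."""
    policies = parse_show_nat(text)
    shadowed = []
    for i, p in enumerate(policies):
        if p["kind"] != "static" or p["translate_hits"] != 0 or p["origin"] is None:
            continue
        for earlier in policies[:i]:
            if earlier["origin"] is not None and p["origin"].subnet_of(earlier["origin"]):
                shadowed.append((p["src_obj"], earlier["src_obj"]))
                break
    return shadowed


if __name__ == "__main__":
    for label, table in (("broken", BROKEN_SHOW_NAT), ("fixed", FIXED_SHOW_NAT)):
        print(label, "10.200.0.10 ->", mapped_address(table, "10.200.0.10"),
              "shadowed:", shadowed_static_rules(table))
```

On the real box the equivalent check is `show nat detail` followed by `packet-tracer input INSIDE udp 10.200.0.10 5060 <provider-ip> 5060 detailed`, reading the NAT phase to see which rule fires. Note also that reordering rules does not touch translations already in the xlate table: a host that had an active PAT xlate keeps using it until it ages out or is cleared, which is why the thread's fix only took effect after `clear local-host 10.200.0.10`.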

moises7777 Tue, 07/12/2011 - 12:33

Unfortunately, that did not work, although that config is what I thought would work too. I did remove the one-to-one NAT too.

1 (INSIDE) to (OUTSIDE) source static obj-10.200.0.10 obj-OUTSIDEIP

    translate_hits = 1, untranslate_hits = 36

1 (INSIDE) to (OUTSIDE) source static obj-10.200.0.10 obj-OUTSIDEIP

    translate_hits = 5, untranslate_hits = 118

    Source - Origin: 10.200.0.10/32, Translated: X.X.X.X/32

Correct Answer
varrao Tue, 07/12/2011 - 12:38

Can you do this:

check the xlate for 10.200.0.10 by using "show xlate | in 10.200.0.10" and then try doing:

clear local-host 10.200.0.10

and then try again.

If it doesn't work, try taking a packet-tracer:

packet-tracer input inside tcp 10.200.0.10 2345 1.1.1.1 5160 detailed

provide me the output.

Thanks,

Varun

moises7777 Tue, 07/12/2011 - 12:47

That did it, clearing out the local host and your config fixed the issue. Thanks a bunch!

varrao Tue, 07/12/2011 - 12:49

Heyyy, that's good... it brought a bit of stubbornness out in me to get it resolved :) All the best, and thanks for the rating.

Varun
