cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2727
Views
0
Helpful
9
Replies

ASA 8.3 outgoing NAT not working right

moises7777
Level 1
Level 1

We recently upgraded our ASA to 8.3, most everything went ok, but I am having problems with outgoing nat. It seems that when one our systems that needs to be natted to an outside IP address when connecting out is not doing it. When that system goes out the ip address is our internet IP and not the natted address, however, inbound everything works.

We have one rule that does PAT

nat (INSIDE,OUTSIDE) source dynamic OG_IP_NAT_DMZ obj-1.1.1.1

This is the natting statement that should be translating the addresses

object network obj-10.200.0.10
 nat (INSIDE,OUTSIDE) static 2.2.2.2

I think I need to double nat, is that right if so how?

1 Accepted Solution

Accepted Solutions

can you do this :

check the xlate for 10.200.0.10 by suing "show xlate | in 10.200.0.10" and then try doing:

clear local-host 10.200.0.10

and then try again.

If it doesn't work try takinga  packet-tracer:

packet-tracer input inside tcp 10.200.0.10 2345 1.1.1.1 5160 detailed

provide me the output.

Thanks,

Varun

Thanks,
Varun Rao

View solution in original post

9 Replies 9

varrao
Level 10
Level 10

Hey Moises,

Could you please provide a copy of your config, the nat statement that you have provided:

nat (INSIDE,OUTSIDE) source dynamic OG_IP_NAT_DMZ obj-1.1.1.1

looks perfect to me, all the users in the object OG_IP_NAT_DMZ would be dynamically natted to obj-1.1.1.1, just make sure you have the right hosts under these objects, do:

show run object | begin OG_IP_NAT_DMZ andf show run object | begin obj-1.1.1.1

The second nat staement is one to one mapping, mostly if any one wants to access the 10.200.0.10 ip they would do it on 2.2.2.2

so i gues you shouls be able to access internet. If you can provide a config, it would get easier to troubleshoot.

Hope this helps

Thanks,

Varun

Thanks,
Varun Rao

Thanks for your reply!

I have advanced this issue a bit more. The problem is definetly nat. Our SIP provider states that we can not connect because the ip address that they are expecting is incorrect. Instead of coming out the static natted address they are coming out as our outside web address.

At this time we are trying double nat and its like this:

nat (INSIDE,OUTSIDE) source static obj-10.200.0.10 obj-ccm-translated (actual outside ip x.x.x.x)
destination static obj_any obj_any

We had other issues with nat statements today and most were resolved doing the above, however ,
not this issue. When I run packet tracer it shows its translation address

This is the output from the sh nat command

HoTasa# sh nat 10.200.0.10

Manual NAT Policies (Section 1)

2 (INSIDE) to (OUTSIDE) source static obj-10.200.0.10 obj-ccm-translated destination static obj_any obj_any

    translate_hits = 21, untranslate_hits = 170

Auto NAT Policies (Section 2)

12 (INSIDE) to (OUTSIDE) source static obj-10.200.0.10 x.x.x.x

    translate_hits = 0, untranslate_hits = 145

Any help would be appriciated thanks.

If I understand the issue correctly, you should be falling into this nat:

object network obj-10.200.0.10
 nat (INSIDE,OUTSIDE) static 2.2.2.2

but the SIP provider see the request coming from the IP in this nat:

nat (INSIDE,OUTSIDE) source dynamic OG_IP_NAT_DMZ obj-1.1.1.1

am I right????

if this is the case then it is nothing but taking precedence over the ststic one-to-one.

What I would suggest is, try removing the static on-to-one nat and add the following:

object network obj-2.2.2.2

  host 2.2.2.2

nat (inside,outside) 1 source static obj-10.200.0.10 obj-2.2.2.2

and you should see this working after it.

Hope this helps

Thanks,

Varun


					
				
			
			
				
Thanks,
Varun Rao

Yes you are correct, let me give it a shot,thanks!

Sure , let me know how it goes

Thanks,
Varun Rao

Unfortunelty that did not work. Although, that config is what I thought would work too. I did remove the 1 to 1 nat too.

1 (INSIDE) to (OUTSIDE) source static obj-10.200.0.10 obj-OUTSIDEIP

    translate_hits = 1, untranslate_hits = 36

1 (INSIDE) to (OUTSIDE) source static obj-10.200.0.10 obj-OUTSIDEIP

    translate_hits = 5, untranslate_hits = 118

    Source - Origin: 10.200.0.10/32, Translated: X.X.X.X/32

can you do this :

check the xlate for 10.200.0.10 by suing "show xlate | in 10.200.0.10" and then try doing:

clear local-host 10.200.0.10

and then try again.

If it doesn't work try takinga  packet-tracer:

packet-tracer input inside tcp 10.200.0.10 2345 1.1.1.1 5160 detailed

provide me the output.

Thanks,

Varun

Thanks,
Varun Rao

That did it, clearing out the local host and your config fixed the issue. Thanks a bunch!

Heyyyy thats good..... it brought a bit of stubborness in me to get it resolved...:) all the best and thanks for the rating

Varun

Thanks,
Varun Rao
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: