ASA 8.2 - NAT problem, no entries generate in xlate table

Ignat Sitnikov
Level 1

Hello,

We had an issue today at one of the unmanned locations. When the local tech went on site he was not able to reach anything on the internet. I started troubleshooting and noticed no entries in the xlate table. The NAT statements were all correct so this was rather puzzling. 

I proceeded to stare and compare this site with a working one. I noticed that some inspection, service-policy and global-policy statements were missing. I knew that inspection shouldn't be the culprit of this, but I went ahead and pasted in everything that was missing:

 

class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect sip  
  inspect netbios 
  inspect tftp 
  inspect ip-options 
!
service-policy global_policy global

 

After the config was applied, entries in the xlate table started to generate and everything was good.

Now I did some research on the internet but couldn't find an answer to my question. Can somebody help me understand which line exactly fixed this issue (I know it wasn't the inspection that I applied)? Does this have to do with missing service-policy that points to global_policy statement?
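The side-by-side comparison described in the post above can be scripted. The following is an added example, not part of the original post or any Cisco tooling: it lists commands present in a reference ASA config but absent from a target, keeping each command's parent context. The function names and both sample configs are constructed for illustration; the reference reuses a few lines from the post, and the target is invented because the page does not show the broken site's config.

```python
# Added example: hierarchical diff of two ASA configs (sample data is constructed).
REFERENCE = """\
class-map inspection_default
 match default-inspection-traffic
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect ip-options
!
service-policy global_policy global
"""

# Constructed target: the page does not show the broken site's actual config.
TARGET = """\
class-map inspection_default
 match default-inspection-traffic
!
policy-map global_policy
 class inspection_default
  inspect ftp
"""

def config_paths(text):
    """Return each command as a tuple of (parent, ..., command), in file order."""
    paths, stack = [], []
    for raw in text.splitlines():
        cmd = raw.strip()
        if not cmd or cmd[0] in "!:":      # separators and comment lines
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        while stack and stack[-1][0] >= indent:   # leave finished sub-modes
            stack.pop()
        stack.append((indent, cmd))
        paths.append(tuple(c for _, c in stack))
    return paths

def missing_from(reference, target):
    """Commands (with parent context) in reference that target lacks."""
    have = set(config_paths(target))
    return [p for p in config_paths(reference) if p not in have]

if __name__ == "__main__":
    for path in missing_from(REFERENCE, TARGET):
        print(" > ".join(path))
```

Because each command is compared together with its parents, a sub-command that exists under a different policy-map or class in the target is still reported as missing from the expected one.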

4 Replies

Faruk Azam
Level 1

Without knowing what commands you had previously and what was exactly added after, we cannot say which command fixed the issue.

 

You can apply the commands one per line to see what command fixed your issue if you want to do that, but this will require you to remove the syntax first, which can cause service interruption.

 

I suggest reading the ASA NAT Implementation Guide to get an understanding of ASA NAT, which I think will be more helpful.

 

http://www.cisco.com/c/en/us/td/docs/security/asa/asa82/configuration/guide/config/nat_overview.html

 

Well, we know exactly what I added... It's in the body of my original post...

Obviously I can't remove those commands now and add them line by line because that would break internet for the site...

I already read through the link you mentioned. There is nothing there in regards to the commands I applied to fix this issue. 

Provide the following information:

>> ASA version.

>> Mode: routed/transparent?

>> single/multiple context?

>> failover/ standalone?

 

Thanks

R.seth

 

ASA version: 8.2(5)55

Mode: Routed

Context: Single

Standalone

 

Thank you for the reply.
