
Object NAT not translating

James Davies
Level 1

So, I have a range of public addresses, .104 /29.

My outside interface is 106 on the ASA with the next hop as 105.

I have a SIP gateway server and have created object NAT for it. I did this in the ASDM, so the source address is 192.168.0.100 and the NAT translates this to .107 on the public address as the source.

Unfortunately it's not working: the return traffic is going to 106 (the outside interface address). I cannot for the life of me work out why. Is there anything else I need to do? This is the last piece of work I need to do for a job and it's driving me nuts! Everything else works perfectly.

Many thanks

Accepted Solutions

Akshay Rastogi
Cisco Employee

Hi James,

Do you have some manual NATs configured as well? I believe there might be some overlapping NAT statements which might be causing this not to work.

Could you please share the NAT statements which are present?

Also, for testing purposes, you could try something like this:

nat (inside,outside) 1 source static <source-address of server behind inside interface> <mapped ip or 107>

Please let us know if it works after this.

Also try packet-tracer to check the correct flow:

"packet-tracer input inside tcp(udp if sip signalling is udp based) <real-server ip> 5060 <destination ip> 5060(whatever destination using) detail"

With the above statement, see if the packet is hitting the correct NAT statement.

Also check if SIP inspection is enabled. If not, try enabling that and test "conf t)#fixup protocol sip 5060" and "fixup protocol sip udp 5060"

Hope it helps

Regards,

Akshay Rastogi

  1. I do have other NAT statements for my site-to-site VPNs, and a global PAT for all Internet traffic. I was under the assumption object NAT would be performed first before any other natting.
  2. SIP is being inspected.
  3. I don't know why my reply is being numbered lol

Thanks for the reply. Do I need another NAT statement as well as the object NAT?

Hi James,

Manual NATs are processed first, before object or after-auto NAT. If there is any manual NAT which overlaps your required one, then your traffic might not work as expected.

Is your dynamic NAT for internet configured as manual NAT? If yes, then move it to object NAT instead of manual NAT. You do not need an extra NAT statement apart from the object NAT.

Try to check the flow through packet-tracer, as I mentioned in my last reply, to see what NAT statement it might be hitting.

Regards,

Akshay Rastogi

Thank you Akshay,

Did a few packet traces and fixed it. I had a manual any any NAT which I don't remember being there! It must have been hitting that rule first.

I deleted it and created it under object NAT, and placed it after my SIP NAT.

Seems to be working perfectly!

Many thanks for helping.
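
The rule-ordering problem resolved above can be checked offline against a saved configuration. The following is an added example, not code from the thread or from Cisco: it flags Section 1 manual NAT rules that match before an object NAT. The object names, addresses and function names are assumptions, and rules with a destination clause (such as site-to-site VPN exemptions) are skipped as a simplification.

```python
import ipaddress
import re

# Constructed sample ("show running-config" order); names/addresses are made up.
SAMPLE = """\
object network SIP-GW
 host 192.168.0.100
object network LAN
 subnet 192.168.0.0 255.255.255.0
object network REMOTE
 subnet 10.20.0.0 255.255.0.0
nat (inside,outside) source static LAN LAN destination static REMOTE REMOTE
nat (inside,outside) source dynamic any interface
object network SIP-GW
 nat (inside,outside) static 203.0.113.107
"""

# Section 1 manual NAT only: "after-auto" (Section 3) lines do not match.
MANUAL = re.compile(r"^nat \(([^,]+),([^)]+)\) (?:\d+ )?source (?:static|dynamic) (\S+)")
AUTO = re.compile(r"^ nat \(([^,]+),([^)]+)\) ")

def parse(config):
    nets, auto, manual, current = {}, {}, [], None
    for line in config.splitlines():
        if line.startswith("object network "):
            current = line.split()[2]
        elif line.startswith((" host ", " subnet ")):
            nets[current] = ipaddress.ip_network("/".join(line.split()[1:3]))
        elif m := AUTO.match(line):
            auto[current] = m.groups()
        elif m := MANUAL.match(line):
            manual.append((*m.groups(), line))
    return nets, auto, manual

def shadowed(config):
    """Return (object, rule) pairs where a Section 1 manual rule matches first."""
    nets, auto, manual = parse(config)
    hits = []
    for name, (a_real, a_mapped) in auto.items():
        for real, mapped, src, line in manual:
            covers = src == "any" or (name in nets and src in nets
                                      and nets[name].subnet_of(nets[src]))
            same_path = real in (a_real, "any") and mapped in (a_mapped, "any")
            # Assumption: destination-scoped rules only affect that destination.
            if covers and same_path and " destination " not in line:
                hits.append((name, line))
    return hits

if __name__ == "__main__":
    print(shadowed(SAMPLE))
```

On the device itself, packet-tracer remains the authoritative check, since it reports the rule the ASA actually selected.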

Hi James,

I am glad that it worked.

You're welcome.

Regards,

Akshay Rastogi

Hi. Can you provide the output of "show nat" or a screenshot of your NAT rules from ASDM? We need to check how the NAT is applied and the hits you are getting per rule.
