So the scenario is that we have an Exchange server with one leg on the Inside interface (my DMZ) and I want to NAT that to one of my public range of addresses. These are nnn.nn.n.232/29. The ISP has .233, the ASA outside interface is .234 and I want to use .235 as the static NAT to xxx.xx.199.10 (our inside DMZ network).
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:2005faa8a0512f111117f8a6cb654888
: end
I can't seem to get it working even though the packet tracer says it should work. Here is the "sh xlate" output.
MAIN-ASA# sh xlate
6 in use, 200 most used
Flags: D - DNS, e - extended, I - identity, i - dynamic, r - portmap, s - static, T - twice, N - net-to-net
NAT from outside:0.0.0.0/0 to any:0.0.0.0/0
    flags sIT idle 0:11:24 timeout 0:00:00
NAT from any:192.168.199.11 to outside:18.104.22.168
    flags sT idle 0:11:24 timeout 0:00:00
NAT from outside:0.0.0.0/0 to inside:0.0.0.0/0
    flags sIT idle 0:55:57 timeout 0:00:00
TCP PAT from inside:yyy.yyy.0.215/63102 to outside:nn.nn.5.234/63102
    flags ri idle 0:54:45 timeout 0:00:30
UDP PAT from inside:yyy.yyy.0.40/6881 to outside:nn.nn.5.234/6881
    flags ri idle 0:00:01 timeout 0:00:30
TCP PAT from inside:yyy.yyy.0.95/50020 to outside:nn.nn.5.234/50020
    flags ri idle 0:00:48 timeout 0:00:30
Thanks for looking, Jon. Actually, I built it using ASDM (I know, and I call myself an engineer) and I just set up a static NAT from an address on the inside interface to an address in the range that the ISP assigned to us. The outside (public) address is not pingable, but I changed my outside interface to the address I want to NAT just to see if it was a routing issue, and then I can ping the public address from the WWW. I had to change it back to allow outgoing access from my other users (they PAT to the interface address (.234)), and that side all works.
Do I need to NAT to a physical interface address? I thought I could just create a network object and NAT to that?
I won't be able to look at this until Thursday now, as I am at another customer for the next few days. I have turned on ICMP via ASDM, so I assume it should work. I did notice this in my "sh xlate" results:
"NAT from outside:0.0.0.0/0 to any:0.0.0.0/0 flags sIT idle 0:11:24 timeout 0:00:00"
though I don't remember adding that rule. I wonder if this is masking my rule?
Plan of attack for Thursday is to remove my rule and start again as an outbound rule but with the "both ways" enabled.
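As an added troubleshooting aid (not part of the thread), the following Python parser reads the `show xlate` format quoted above, decodes the flag legend the ASA prints, lists the catch-all identity entries (flags `sIT` over 0.0.0.0/0) the poster noticed, and picks out the static entries that pin a given inside host to a mapped address. The sample output is constructed in the same layout with RFC 5737 addresses in place of the thread's masked ones; all function names are this example's own.

```python
import ipaddress
import re
from collections import namedtuple

# Flag legend exactly as the ASA prints it in "show xlate".
FLAGS = {"D": "DNS", "e": "extended", "I": "identity", "i": "dynamic",
         "r": "portmap", "s": "static", "T": "twice", "N": "net-to-net"}

# One xlate row; also matches a dump that was flattened onto a single line.
XLATE_RE = re.compile(
    r"(?P<kind>NAT|TCP PAT|UDP PAT) from (?P<rif>[^:\s]+):(?P<real>\S+) "
    r"to (?P<mif>[^:\s]+):(?P<mapped>\S+) flags (?P<flags>\S+)")

# Constructed sample in the thread's format (RFC 5737 addresses, not the poster's).
SAMPLE = (
    "NAT from outside:0.0.0.0/0 to any:0.0.0.0/0 flags sIT idle 0:11:24 timeout 0:00:00 "
    "NAT from any:192.168.199.10 to outside:203.0.113.235 flags sT idle 0:11:24 timeout 0:00:00 "
    "NAT from outside:0.0.0.0/0 to inside:0.0.0.0/0 flags sIT idle 0:55:57 timeout 0:00:00 "
    "TCP PAT from inside:10.0.0.215/63102 to outside:203.0.113.234/63102 flags ri idle 0:54:45 timeout 0:00:30"
)

# real/mapped are IPv4Network (/32 = one host, /0 = "any"); ports is (real, mapped) on PAT rows only.
Xlate = namedtuple("Xlate", "kind real_if real mapped_if mapped flags ports")

def _addr(text, is_pat):
    # After the "/", NAT rows carry a prefix length but PAT rows carry a port number.
    if is_pat:
        host, port = text.split("/")
        return ipaddress.ip_network(host), int(port)
    return ipaddress.ip_network(text, strict=False), None

def parse_xlate(output):
    entries = []
    for m in XLATE_RE.finditer(output):
        is_pat = m["kind"].endswith("PAT")
        (real, rp), (mapped, mp) = _addr(m["real"], is_pat), _addr(m["mapped"], is_pat)
        entries.append(Xlate(m["kind"], m["rif"], real, m["mif"], mapped,
                             {FLAGS[f] for f in m["flags"]}, (rp, mp) if is_pat else None))
    return entries

def catch_all_identity(entries):
    # Identity rows whose real side is 0.0.0.0/0: every source address matches them.
    return [e for e in entries if "identity" in e.flags and e.real.prefixlen == 0]

def static_for_host(entries, host):
    # Non-identity static rows that pin exactly one real host to a mapped address.
    ip = ipaddress.ip_address(host)
    return [e for e in entries if "static" in e.flags and "identity" not in e.flags
            and e.real.prefixlen == 32 and ip in e.real]
```

Paste a real `show xlate` dump in place of SAMPLE; flattened copy-pastes like the one in this thread parse the same as the original multi-line output.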