03-01-2014 03:55 AM - edited 03-11-2019 08:52 PM
Hi,
I am using an ASA 5505, version 9.1(4), and am using a dynamic NAT command to NAT (PAT) the inside subnet 192.168.3.0/24 to the outside interface 192.168.100.2/24.
But I am unable to ping from an inside host to the internet or to the router interface 192.168.100.1. Please suggest; the show run output is given below.
Following is the logical diagram:
Internet (ISP) -----> Router [192.168.100.1/24] -----> (e0/0, 192.168.100.2/24) ASA 5505 (9.1) (eth0/4, 192.168.3.1) -----> Host (192.168.3.22)
ASA Version 9.1(4)
!
hostname ciscoasa
enable password 2KFQnbNIdI.2KYOU encrypted
xlate per-session permit tcp any4 any4
xlate per-session permit udp any4 any4
names
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
ciscoasa(config)# object network Generic_All_Network
ciscoasa(config-network-object)# sub
ciscoasa(config-network-object)# subnet 0.0.0.0 0.0.0.0
ciscoasa(config-network-object)# ex
ciscoasa(config)# nat (inside,outside) source dynamic Generic_All_Network inte$
ciscoasa(config)#
ciscoasa(config)#
ciscoasa(config)# wr
Building configuration...
Cryptochecksum: fe5175c6 25dfd45a 117bd6e3 867486db
3211 bytes copied in 1.120 secs (3211 bytes/sec)
[OK]
ciscoasa(config)# sh run
: Saved
:
ASA Version 9.1(4)
!
hostname ciscoasa
enable password 2KFQnbNIdI.2KYOU encrypted
xlate per-session permit tcp any4 any4
xlate per-session permit udp any4 any4
names
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.3.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 192.168.100.2 255.255.255.0
!
ftp mode passive
object network inside_hosts
subnet 192.168.3.0 255.255.255.0
object network Generic_All_Network
subnet 0.0.0.0 0.0.0.0
access-list inbound extended permit ip any any
access-list inbound extended permit icmp any4 any4
access-list inside_access_in extended permit ip 192.168.3.0 255.255.255.0 any
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
ip verify reverse-path interface outside
ip verify reverse-path interface inside
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
arp permit-nonconnected
nat (inside,outside) source dynamic Generic_All_Network interface
!
object network inside_hosts
nat (inside,outside) dynamic interface
access-group inbound in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 192.168.100.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.3.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd auto_config outside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
!
service-policy global_policy global
prompt hostname context
call-home reporting anonymous prompt 2
Cryptochecksum:fe5175c625dfd45a117bd6e3867486db
: end
03-01-2014 08:47 AM
Is there a specific reason why you are NATing on the ASA? Is the router managed by your company?
--
Please remember to rate and select a correct answer
03-01-2014 09:37 AM
Just for testing and to eliminate the outside ACL as the cause, add a permit ip any any to the outside interface:
access-list test extended permit ip any any
access-group test in interface outside
and then test again please.
--
Please remember to rate and select a correct answer
03-01-2014 07:34 AM
Please remove the following command
nat (inside,outside) source dynamic Generic_All_Network interface
You already have a dynamic NAT for the inside hosts:
object network inside_hosts
subnet 192.168.3.0 255.255.255.0
nat (inside,outside) dynamic interface
Does the router have a route back to the 192.168.3.0/24 network?
Could you issue a packet-tracer on the ASA and post the output here please:
packet-tracer input inside tcp 192.168.3.22 1234 4.2.2.2 80 detail
--
Please remember to rate and select a correct answer
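An added check (not from the thread or from Cisco) that reads a running config and reports the condition this reply describes: a section-1 twice-NAT rule with an any-source object is evaluated ahead of the object NAT for inside_hosts, so the object rule never matches; it also flags the permit ip any any bound inbound on outside, which a defender would want to see. The sample config is a constructed excerpt of the one posted above; the real show run indents object members with one space, which the parser relies on.

```python
import re
# Constructed excerpt of the running config posted above (object members keep the
# one-space indent that show run uses; the audit only needs these lines).
SAMPLE_CONFIG = """\
object network inside_hosts
 subnet 192.168.3.0 255.255.255.0
object network Generic_All_Network
 subnet 0.0.0.0 0.0.0.0
access-list inbound extended permit ip any any
nat (inside,outside) source dynamic Generic_All_Network interface
!
object network inside_hosts
 nat (inside,outside) dynamic interface
access-group inbound in interface outside
"""

def parse_nat(text):
    """Collect network objects (name -> [ip, mask]) and NAT rules in config order."""
    objects, nat_rules, current = {}, [], None
    for line in text.splitlines():
        body = line.strip()
        if not line.startswith(" "):          # a top-level line ends any object block
            current = None
            m = re.match(r"object network (\S+)", body)
            if m:
                current = m.group(1)
            elif body.startswith("nat ") and " source " in body:
                nat_rules.append(("twice", None, body))   # section 1: twice NAT
        elif current and body.startswith("subnet "):
            objects[current] = body.split()[1:3]
        elif current and body.startswith("nat "):
            nat_rules.append(("object", current, body))   # section 2: object NAT
    return objects, nat_rules

def shadowed_object_nat(text):
    """Object NAT rules hidden by an earlier any-source twice-NAT rule on the same
    interface pair (section 1 is evaluated before section 2, so 0.0.0.0/0 wins)."""
    objects, nat_rules = parse_nat(text)
    shadowed = []
    for kind, _, rule in nat_rules:
        m = re.match(r"nat \((\S+),(\S+)\) source dynamic (\S+)", rule)
        if kind != "twice" or not m or objects.get(m.group(3)) != ["0.0.0.0", "0.0.0.0"]:
            continue
        for k, name, r in nat_rules:
            rm = re.match(r"nat \((\S+),(\S+)\)", r)
            if k == "object" and rm and rm.groups() == m.groups()[:2]:
                shadowed.append(name)
    return shadowed

def outside_acl_permits_everything(text):
    """True when the ACL bound inbound on 'outside' contains 'permit ip any any'."""
    g = re.search(r"^access-group (\S+) in interface outside$", text, re.M)
    return bool(g) and re.search(
        rf"^access-list {re.escape(g.group(1))} extended permit ip any any$",
        text, re.M) is not None
```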
03-01-2014 07:47 AM
Following is the output from packet-tracer:
ciscoasa# packet-tracer input inside tcp 192.168.3.22 1234 4.2.2.2 80 detail
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0xcb12af48, priority=1, domain=permit, deny=false
hits=0, user_data=0x0, cs_id=0x0, l3_type=0x8
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0100.0000.0000
input_ifc=inside, output_ifc=any
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside
Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 192.168.3.0 255.255.255.0 inside
Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside_access_in in interface inside
access-list inside_access_in extended permit ip 192.168.3.0 255.255.255.0 any
Additional Information:
Forward Flow based lookup yields rule:
in id=0xcb202db8, priority=13, domain=permit, deny=false
hits=0, user_data=0xc9234ab0, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=192.168.3.0, mask=255.255.255.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=inside, output_ifc=any
Phase: 5
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside,outside) source dynamic Generic_All_Network interface
Additional Information:
Dynamic translate 192.168.3.22/1234 to 192.168.100.2/1234
Forward Flow based lookup yields rule:
in id=0xcb1fcee0, priority=6, domain=nat, deny=false
hits=0, user_data=0xcb1fc080, cs_id=0x0, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=inside, output_ifc=outside
Phase: 6
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xc7669ae8, priority=1, domain=nat-per-session, deny=false
hits=0, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=any, output_ifc=any
Phase: 7
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xcb1baae8, priority=0, domain=inspect-ip-options, deny=true
hits=0, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=inside, output_ifc=any
Phase: 8
Type: HOST-LIMIT
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xcb1e86f8, priority=0, domain=host-limit, deny=false
hits=1, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=inside, output_ifc=any
Phase: 9
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (inside,outside) source dynamic Generic_All_Network interface
Additional Information:
Forward Flow based lookup yields rule:
out id=0xcb1fd6f0, priority=6, domain=nat-reverse, deny=false
hits=1, user_data=0xcb1fc138, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=inside, output_ifc=outside
Phase: 10
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0xc7669ae8, priority=1, domain=nat-per-session, deny=false
hits=2, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=any, output_ifc=any
Phase: 11
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0xcb1e3f10, priority=0, domain=inspect-ip-options, deny=true
hits=1, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=outside, output_ifc=any
Phase: 12
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 1, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_translate
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat
Module information for reverse flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_tcp_normalizer
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow
03-01-2014 08:05 AM
Well, the packet is allowed through the ASA, which leads me to believe this is a routing issue on the router... or more accurately, this is a NAT issue on the ASA. It really depends on how you want to look at it.
Why are you NATing on the ASA when you have a router between the ASA and the internet?
I suspect that the router has an incorrect route with regard to the inside network being NATed. If the router is managed by you, then I suggest removing all NAT configuration from the ASA and performing NAT on the router.
--
Please remember to rate and select a correct answer
03-01-2014 08:18 AM
If the packet is allowed through the ASA, then how is it a NAT issue?
03-01-2014 08:37 AM
Please see the trace below for ICMP; it is dropped.
ciscoasa(config)# packet-tracer input inside icmp 192.168.3.22 12 34 4.2.2.2 d$
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 192.168.3.0 255.255.255.0 inside
Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside_access_in in interface inside
access-list inside_access_in extended permit ip 192.168.3.0 255.255.255.0 any
Additional Information:
Forward Flow based lookup yields rule:
in id=0xcb202db8, priority=13, domain=permit, deny=false
hits=2, user_data=0xc9234ab0, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=192.168.3.0, mask=255.255.255.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=inside, output_ifc=any
Phase: 4
Type: NAT
Subtype:
Result: ALLOW
Config:
object network inside_hosts
nat (inside,outside) dynamic interface
Additional Information:
Forward Flow based lookup yields rule:
in id=0xcb200698, priority=6, domain=nat, deny=false
hits=1, user_data=0xcb1fc1f0, cs_id=0x0, flags=0x0, protocol=0
src ip/id=192.168.3.0, mask=255.255.255.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=inside, output_ifc=outside
Phase: 5
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xcab4fd00, priority=0, domain=nat-per-session, deny=true
hits=0, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=any, output_ifc=any
Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xcb1baae8, priority=0, domain=inspect-ip-options, deny=true
hits=3, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=inside, output_ifc=any
Phase: 7
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect icmp
service-policy global_policy global
Additional Information:
Forward Flow based lookup yields rule:
in id=0xcb7774d0, priority=70, domain=inspect-icmp, deny=false
hits=1, user_data=0xcb7769f8, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, tag=0, dscp=0x0
input_ifc=inside, output_ifc=any
Phase: 8
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xcb1ba5e8, priority=66, domain=inspect-icmp-error, deny=false
hits=1, user_data=0xcb1b9bf8, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, tag=0, dscp=0x0
input_ifc=inside, output_ifc=any
Phase: 9
Type: HOST-LIMIT
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xcb1e86f8, priority=0, domain=host-limit, deny=false
hits=3, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=inside, output_ifc=any
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
03-01-2014 08:14 AM
Does 192.168.3.0/24 require any route on the router, given that it will be NATed to the outside interface?
The ASA is required to create an IPsec tunnel, but the NAT issue needs to be resolved first.
Message was edited by: Rizwan Siddiqi
03-01-2014 08:39 AM
The problem is in this phase:
Phase: 5
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xcab4fd00, priority=0, domain=nat-per-session, deny=true
hits=0, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=any, output_ifc=any
Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xcb1baae8, priority=0, domain=inspect-ip-options, deny=true
hits=3, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=inside, output_ifc=any
03-01-2014 08:45 AM
Could you post the output of this command please:
show service-policy inspect ip-options
--
Please remember to rate and select a correct answer
03-01-2014 08:58 AM
Also check your logs when you ping the router. This could give some helpful pointers as to what is dropping the packet.
--
Please remember to rate and select a correct answer
03-01-2014 09:00 AM
The fiber is terminating at the router.
03-01-2014 08:57 AM
ciscoasa(config)# show service-policy inspect ip-options
Global policy:
Service-policy: global_policy
Class-map: inspection_default
Inspect: ip-options _default_ip_options_map, packet 0, drop 0, reset-drop 0, v6-fail-close 0
Router Alert: allow 0, clear 0
03-01-2014 09:07 AM
I ping from the inside interface and get the following output:
ciscoasa(config)# ping
TCP Ping [n]:
Target IP address: 192.168.100.1
Repeat count: [5]
Datagram size: [100]
Timeout in seconds: [2]
Extended commands [n]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.100.1, timeout is 2 seconds:
%ASA-6-110003: Routing failed to locate next hop for icmp from NP Identity Ifc:192.168.3.1/0 to inside:192.168.100.1/0
?????
Success rate is 0 percent (0/5)
ciscoasa(config)# %ASA-5-111008: User 'enable_15' executed the 'ping' command.
%ASA-5-111010: User 'enable_15', running 'CLI' from IP 0.0.0.0, executed 'ping'
ciscoasa(config)#
03-01-2014 09:10 AM
Do you have any idea about nat-per-session for ICMP? For it, deny=true; see the output below:
Phase: 5
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xcab4fd00, priority=0, domain=nat-per-session, deny=true
hits=0, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=any, output_ifc=any
Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xcb1baae8, priority=0, domain=inspect-ip-options, deny=true
hits=3, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=inside, output_ifc=any
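As an added example (not from the thread), a small Python parser for packet-tracer output that separates each phase's own Result from the deny= flag of the matched internal rule; the same deny=true inspect-ip-options rule (id=0xcb1baae8) appears in the TCP trace above that ends in Action: allow, so that flag alone does not explain the ICMP drop, and in the ICMP trace every phase reports ALLOW while only the final Action is drop. The sample is a constructed, shortened version of the ICMP trace posted above.

```python
import re
# Constructed, shortened version of the ICMP packet-tracer output posted above
# (two phases plus the final verdict block; the real trace has nine phases).
SAMPLE_TRACE = """\
Phase: 1
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Additional Information:
in id=0xcb202db8, priority=13, domain=permit, deny=false
Phase: 2
Type: NAT
Subtype: per-session
Result: ALLOW
Additional Information:
in id=0xcab4fd00, priority=0, domain=nat-per-session, deny=true
Result:
input-interface: inside
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

def parse_trace(text):
    """Split packet-tracer output into per-phase dicts and the final verdict dict."""
    phases, verdict, cur = [], {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        m = re.match(r"Phase:\s*(\d+)$", line)
        if m:
            cur = {"phase": int(m.group(1)), "type": "", "subtype": "",
                   "result": "", "rule_deny": None}
            phases.append(cur)
        elif line == "Result:":             # a bare 'Result:' opens the final block
            cur = verdict
        elif cur is verdict:
            key, _, val = line.partition(":")
            verdict[key.strip().lower()] = val.strip()
        elif cur is not None:
            for key in ("type", "subtype", "result"):
                if line.lower().startswith(key + ":"):
                    cur[key] = line[len(key) + 1:].strip()
            d = re.search(r"\bdeny=(true|false)", line)
            if d:   # deny= describes the matched internal rule, not the phase verdict
                cur["rule_deny"] = d.group(1) == "true"
    return phases, verdict

def diagnose(text):
    """Tell a phase-level DROP apart from a drop that only shows in the final Action."""
    phases, verdict = parse_trace(text)
    culprit = next((p for p in phases if p["result"].upper() == "DROP"), None)
    if culprit:
        return f"dropped in phase {culprit['phase']} ({culprit['type']})"
    if verdict.get("action", "").lower() == "drop":
        return "all phases ALLOW; final action=drop, reason=" + verdict.get("drop-reason", "unknown")
    return "allowed"
```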