Community Member

ASA 5520 NAT Failing

Reposting in a new thread since the old one seems to have died...

I'm migrating from a PIX 515 to an ASA 5520. The config was created using the PIX to ASA migration tool. The ASDM Packet Tracer shows outbound traffic failing due to NAT.

Config

nat (inside) 1 0.0.0.0 0.0.0.0

match ip inside any outside any

dynamic translation to pool 1 (199.216.81.20)

translate_hits = 971, untranslate_hits = 74

The old PIX config:

global (outside) 1 199.216.81.20

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

The new ASA config:

global (outside) 1 199.216.81.20 netmask 255.255.255.255

nat (inside) 1 0.0.0.0 0.0.0.0

Any thoughts on why it might be failing?

Rob

20 REPLIES

Re: ASA 5520 NAT Failing

Try taking the netmask off of the global config. If your outside address is the one that you want to nat to, you can just put interface:

global (outside) 1 interface

nat (inside) 1 0 0

HTH,

John

HTH, John *** Please rate all useful posts ***
Community Member

Re: ASA 5520 NAT Failing

Removed the netmask, same issue. The interface IP is not the same as the outside address so I can't use the interface.

Screenshot attached - port 80 trace to google's IP.

Re: ASA 5520 NAT Failing

In your screenshot it says that "flow is denied by configured rule." Do you have any acls on the inside interface?

HTH, John *** Please rate all useful posts ***

Re: ASA 5520 NAT Failing

Robert,

what about this?

!

no global (outside) 1 199.216.81.20 netmask 255.255.255.255

global (outside) 1 199.216.81.20 netmask

Toshi

Community Member

Re: ASA 5520 NAT Failing

Tried it. Same results.

Re: ASA 5520 NAT Failing

Robert,

Please provide us with the configuration on the ASA.

Toshi

Community Member

Re: ASA 5520 NAT Failing

No - no ACL on the inside interface, just the 2 implicit rules that are there by default - permit all traffic to a less secure interface (in this case inside is 100 by default and outside is 0 so all traffic should pass) and the implicit deny any any.

Hall of Fame Super Blue

Re: ASA 5520 NAT Failing

Robert

Not familiar with ASDM but -

1) Can you try to access the Internet from an internal client?

2) If you have tried this, what is the result?

3) Do you have the correct routing set up?

Perhaps you could post the config with a description of the IP addresses, i.e. source/destination etc.

Jon

Community Member

Re: ASA 5520 NAT Failing

Jon,

1) No internet access, page cannot be displayed. Can't ping from a client either.

3) Yes. All physical and logical connections are the same. I've even spoofed the MAC addresses of the PIX on the ASA interfaces.

When monitoring the ASA, there's plenty of traffic coming IN, so the ACL I have on that interface seems to be working. However there is absolutely zero traffic going out the outside interface.

I'm about ready to ship this thing back to Cisco.

Posting a config.

Re: ASA 5520 NAT Failing

Robert,

I just want to know where the default route is. (Go fix it)

"I'm about ready to ship this thing back to Cisco." Guys, don't give up. (grin)

HTH,

Toshi

Hall of Fame Super Blue

Re: ASA 5520 NAT Failing

Robert

You don't have a default route, so the ASA doesn't know where to send packets. So you need to add

route outside 0.0.0.0 0.0.0.0 <next-hop IP>

where the next-hop IP is the ISP router address. It will be out of the 199.216.81.0/24 subnet.

Jon
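A small check of the kind Jon's advice calls for, added here as an example and not part of the thread or of any Cisco tool: it parses pre-8.3 ASA-style nat/global/route lines and reports a nat id that has no matching global, and the absence of a default route. The sample config is constructed for the example, not the poster's.

```python
import re

# Constructed sample in pre-8.3 ASA syntax, modelled on the thread: one nat/global
# pair exists, a second nat id has no global, and no default route is present.
SAMPLE_CONFIG = """\
global (outside) 1 199.216.81.20 netmask 255.255.255.255
nat (inside) 1 0.0.0.0 0.0.0.0
nat (inside) 2 172.16.128.0 255.255.252.0
route inside 172.16.0.0 255.255.0.0 172.16.130.1 1
"""

NAT_RE = re.compile(r"^nat \((\S+)\) (\d+) ")
GLOBAL_RE = re.compile(r"^global \((\S+)\) (\d+) ")
ROUTE_RE = re.compile(r"^route (\S+) (\S+) (\S+) (\S+)")


def check_nat_and_routing(config: str) -> list:
    """Return a list of findings about nat/global pairing and the default route."""
    nat_ids, global_ids, has_default = set(), set(), False
    for line in config.splitlines():
        line = line.strip()
        if m := NAT_RE.match(line):
            # nat id 0 is identity NAT / nat-control exemption and needs no global
            nat_ids.add(int(m.group(2)))
        elif m := GLOBAL_RE.match(line):
            global_ids.add(int(m.group(2)))
        elif m := ROUTE_RE.match(line):
            _intf, net, mask, _next_hop = m.groups()
            if net == "0.0.0.0" and mask == "0.0.0.0":
                has_default = True
    findings = []
    for nat_id in sorted(nat_ids - {0} - global_ids):
        findings.append(f"nat id {nat_id} has no matching global: translation will fail")
    if not has_default:
        findings.append("no default route (route <intf> 0.0.0.0 0.0.0.0 <next-hop>): "
                        "outbound traffic has nowhere to go")
    return findings


if __name__ == "__main__":
    for finding in check_nat_and_routing(SAMPLE_CONFIG):
        print(finding)
```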

Community Member

Re: ASA 5520 NAT Failing

Jon,

Sorry in my haste (and frustration) I posted an incomplete config. The default route (and some other static routes) are there. I'm uploading the correct output.

I'm actually getting a "Network Timeout" when trying to browse from a client machine. Traffic looks like it's leaving but maybe not coming back?

With the PIX in place I can ping that default route - 199.216.81.1 - however with the ASA in place I cannot - although I suspect that might just be ICMP traffic being denied.

Hall of Fame Super Blue

Re: ASA 5520 NAT Failing

Robert

No problem. Can you specify the source IP address you are pinging from and the destination IP address you are pinging to?

Thanks

Jon

Community Member

Re: ASA 5520 NAT Failing

Jon,

I was pinging from 172.16.130.67 to 199.216.81.1 (the default route).

Also tried pinging google - 74.125.127.99 - same source IP.

Ever see Office Space? This ASA is looking more and more like the fax machine from that movie... :)

Hall of Fame Super Blue

Re: ASA 5520 NAT Failing

"Ever see Office Space? This ASA is looking more and more like the fax machine from that movie... :)"

Is that a movie? Never seen it, but don't despair.

172.16.130.67 is part of the management vlan. What happens if you ping from an internal IP address that is not part of the management vlan? Is this possible?

Jon

Community Member

Re: ASA 5520 NAT Failing

Yes it's a movie and I recommend it. :)

Now some good news - I can surf from our remote sites on other subnets. Jon, thank you for suggesting that. Some progress!

What do I need to change to allow 172.16.128.0/22 ?

Hall of Fame Super Blue

Re: ASA 5520 NAT Failing

Robert

"What do I need to change to allow 172.16.128.0/22 ?"

Not sure, to be honest. Is there a reason why you want the management vlan to be able to access the Internet, as the management vlan is primarily for managing the ASA device, not providing access?

Office Space - okay, if I can find it I'll have a look, but it had better be good :-)

Jon

Community Member

Re: ASA 5520 NAT Failing

It's not actually the management vlan; it's the subnet of our main office where the device is housed. I was using that to remotely configure the device.

Ultimately I need to change the ip/subnet/vlan of the management interface.

Hall of Fame Super Blue

Re: ASA 5520 NAT Failing

Robert

I suspect the issues you are experiencing are to do with the fact you are using the management interface.

It's times like these I wish I had an ASA device to play with :-)

Jon

Community Member

Re: ASA 5520 NAT Failing

Jon,

Well, I removed all references to that management interface - shut it right down and unplugged it.

I remain able to surf at our remote sites, but not here at the central office.

Rob
