Cisco Support Community

New Member

ASA 5520 not translation static NAT

I am trying to get a telnet server that is behind my inside interface on my ASA5520 to statically map to an IP that is on the outside interface. Not having much luck with the following config:

object network PublicServer_NAT1
 host 172.16.0.5
access-list outside_access_in_1 extended permit tcp any host 172.16.0.5 eq telnet
object network PublicServer_NAT1
 nat (inside,outside) static A_10.90.55.150
access-group inside_access_in in interface inside
access-group outside_access_in_1 in interface outside

As from the config above, I would like to get my telnet server with private IP 172.16.0.5 to have a public NAT'd IP of 10.90.55.150 for telnet only. Not sure what I am missing.

Thanks in advance.

6 REPLIES
Cisco Employee

Re: ASA 5520 not translation static NAT

Sorry, just want to confirm whether you are using a spare public IP in the same subnet as your outside interface, or you are actually trying to NAT to the outside interface IP itself.

Have you run "clear xlate" after the changes?

Also, you might want to "clear arp" on your upstream router.

New Member

Re: ASA 5520 not translation static NAT

I should have mentioned that the IP I was translating to was a part of my assigned IP block, but NOT the IP of my outside interface on the ASA.

I will try to clear my ARP cache on my upstream router and "clear xlate" on my ASA5520.

Does my configuration look correct? Did I get the access-list correct?

Thanks!

Cisco Employee

Re: ASA 5520 not translation static NAT

Spot on, looks correct to me.

Cisco Employee

Re: ASA 5520 not translation static NAT

Ken,

There is this defect:

CSCti38867    ASA: May not proxy arp on certain interfaces

Please try the workaround.

Symptom:
ASA may fail to proxy arp for the global addresses configured.

Conditions:
This was first identified on ASA running 8.3.1 as well as 8.3.2

Workaround:
Add a static arp for the translated address on the upstream layer 3 device
pointing to the ASA's outside interface MAC.


-KS

New Member

Re: ASA 5520 not translation static NAT

Uhm. Well. Looks like an error between keyboard and chair.

The server did not have the correct default router. It would get the request from the ASA, but have no way to respond back to the original request. So the original request would end with a TCP SYN timeout.

Glad it's corrected.

Cisco Employee

Re: ASA 5520 not translation static NAT

Great to hear that it's been corrected. Please kindly mark the post answered if you have no further questions. Thanks.
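
Added example, not from any poster in the thread: on ASA 8.3 and later an interface ACL is matched against the real (pre-NAT) address, which is why the posted access-list names 172.16.0.5 rather than 10.90.55.150. The Python check below parses only the command shapes that appear in the posted config; `POSTED`, `parse` and `audit` are names chosen here.

```python
import re

# Configuration as posted in the thread (ASA 8.3+ object NAT syntax).
POSTED = """\
object network PublicServer_NAT1
 host 172.16.0.5
access-list outside_access_in_1 extended permit tcp any host 172.16.0.5 eq telnet
object network PublicServer_NAT1
 nat (inside,outside) static A_10.90.55.150
access-group inside_access_in in interface inside
access-group outside_access_in_1 in interface outside
"""

def parse(config):
    """Collect object hosts, static object NATs, permit ACEs and access-groups."""
    hosts, nats, aces, groups, obj = {}, [], {}, {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):
            obj = None  # a top-level command ends the current object block
        if m := re.fullmatch(r"object network (\S+)", line):
            obj = m[1]
        elif obj and (m := re.fullmatch(r"host (\S+)", line)):
            hosts[obj] = m[1]
        elif obj and (m := re.fullmatch(r"nat \((\S+),(\S+)\) static (\S+)", line)):
            nats.append((obj, m[2], m[3]))  # object, mapped interface, mapped address
        elif m := re.fullmatch(r"access-list (\S+) extended permit (\S+) any host (\S+) eq (\S+)", line):
            aces.setdefault(m[1], []).append((m[2], m[3], m[4]))
        elif m := re.fullmatch(r"access-group (\S+) in interface (\S+)", line):
            groups[m[2]] = m[1]
    return hosts, nats, aces, groups

def audit(config):
    """Return one finding per static NAT whose mapped-interface ACL misses the real IP."""
    hosts, nats, aces, groups = parse(config)
    findings = []
    for obj, mapped_if, mapped in nats:
        real_ip, acl = hosts.get(obj), groups.get(mapped_if)
        if real_ip is None:
            findings.append(f"{obj}: object has no host address")
        elif acl is None:
            findings.append(f"{obj}: no inbound access-group on {mapped_if}")
        elif not any(dst == real_ip for _, dst, _ in aces.get(acl, [])):
            findings.append(f"{obj}: {acl} has no permit to real IP {real_ip}")
    return findings

if __name__ == "__main__":
    print(audit(POSTED) or "ACL matches the real address of every static NAT")
```

The posted config passes this check, consistent with the thread's conclusion that the fault was the server's default router rather than the NAT or ACL.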
