New Member

ASA 9.1 NAT with Dynamic PAT, Something I have missed??

I have a very basic config, a couple of static NATs, and a default dynamic PAT.  Started to add the VPN stuff, but thought I would test it first. 

So, defined all the objects, NATs, defined the PAT, and tested it.  The PAT works great.  The order shows all NATs (static and PAT) fell properly into section 2 in the right order, but the static NATs aren't working.  I have stared at this long enough that although I am sure it is something simple I am forgetting, I have gone code-blind.  Another set of eyes on the config would be greatly appreciated.

 

The show nat gives me:

firewall# show nat

Auto NAT Policies (Section 2)
1 (Internal-192-LAN) to (Internet) source static GreyGw-Obj 12.204.223.229
    translate_hits = 80, untranslate_hits = 0
2 (Internal-192-LAN) to (Internet) source static ShahServer-Obj 12.204.223.226
    translate_hits = 10, untranslate_hits = 0
3 (Internal-192-LAN) to (Internet) source static AVLServer-Obj 12.204.223.231
    translate_hits = 1, untranslate_hits = 0
4 (Internal-10-LAN) to (Internet) source dynamic Internal-10-LAN-Net interface
    translate_hits = 0, untranslate_hits = 0
5 (Internal-192-LAN) to (Internet) source dynamic Internal-192-LAN-Net interface
    translate_hits = 9415, untranslate_hits = 32
firewall#

which shows the proper order, the statics first, followed by the dynamic, and the access lists are (seemingly) correct, hits would tend to indicate some traffic, but you can't connect to any of the services on the static NAT servers.  Thought it might be the access-list not right, but I can't see it.

 

Can somebody cast a glance at this and let me know the (evidently obvious) thing I am missing?  Thanks!

Jerry

Accepted Solution
Super Bronze

Hi,

 

To confirm what NAT configuration is applied to connections I would suggest using the "packet-tracer" command

 

packet-tracer input Internet tcp <source ip> 12345 <public ip> <port>

 

The above "show nat" output would seem to suggest that no traffic has arrived at the ASA that has matched those Static NAT configurations, because we should be seeing "untranslate_hits". You should also see this "UN-NAT" phase in the output of the "packet-tracer" command.

 

I would imagine that the ACL attached to your external interface should not be the cause either since the NAT should be matched first before the ASA checks the ACL.

There are occasions where the ASA simply doesn't apply the NAT configurations as it's supposed to, even if everything looks fine with every single command.

 

In that case it's sometimes worth altering the format of the NAT configuration a bit. You could for example change your Dynamic PAT configurations to only contain this configuration, which would work for all of your internal networks.

 

nat (any,Internet) after-auto source dynamic any interface

 

This NAT configuration would essentially match any source address behind any source interface and perform Dynamic PAT on it when the traffic is heading out through the "Internet" interface.
 

Hope this helps :)

 

- Jouni
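An added example, not code from the thread, that applies the diagnostic in the answer above to the "show nat" output posted in the question: it parses each rule and its hit counters, flags static rules whose untranslate_hits is still 0 (no packet for that public address has reached the ASA), and builds the packet-tracer check for each of them. The source address 203.0.113.10 and port 80 are placeholder assumptions.

```python
import re

# Constructed sample: the "show nat" output as posted in the question above.
SHOW_NAT = """\
Auto NAT Policies (Section 2)
1 (Internal-192-LAN) to (Internet) source static GreyGw-Obj 12.204.223.229
    translate_hits = 80, untranslate_hits = 0
2 (Internal-192-LAN) to (Internet) source static ShahServer-Obj 12.204.223.226
    translate_hits = 10, untranslate_hits = 0
3 (Internal-192-LAN) to (Internet) source static AVLServer-Obj 12.204.223.231
    translate_hits = 1, untranslate_hits = 0
4 (Internal-10-LAN) to (Internet) source dynamic Internal-10-LAN-Net interface
    translate_hits = 0, untranslate_hits = 0
5 (Internal-192-LAN) to (Internet) source dynamic Internal-192-LAN-Net interface
    translate_hits = 9415, untranslate_hits = 32
"""

RULE_RE = re.compile(
    r"^(?P<idx>\d+) \((?P<src_if>[^)]+)\) to \((?P<dst_if>[^)]+)\) "
    r"source (?P<kind>static|dynamic) (?P<obj>\S+) (?P<mapped>\S+)"
)
HITS_RE = re.compile(r"translate_hits = (?P<t>\d+), untranslate_hits = (?P<u>\d+)")

def parse_show_nat(text):
    """Return one dict per NAT rule, carrying its interfaces, object and hit counters."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            rule = m.groupdict()
            rule["idx"] = int(rule["idx"])
            rules.append(rule)
        elif rules:
            h = HITS_RE.search(line)
            if h:  # the counter line belongs to the most recent rule
                rules[-1]["translate_hits"] = int(h.group("t"))
                rules[-1]["untranslate_hits"] = int(h.group("u"))
    return rules

def static_without_inbound(rules):
    """Mapped addresses of static rules with untranslate_hits == 0: nothing
    destined to that public address has reached the ASA yet."""
    return [r["mapped"] for r in rules
            if r["kind"] == "static" and r.get("untranslate_hits", 0) == 0]

def packet_tracer_commands(rules, src_ip="203.0.113.10", port=80):
    """Build the packet-tracer check from the answer for each static rule;
    src_ip and port are placeholders, substitute a real external client and port."""
    return [f"packet-tracer input {r['dst_if']} tcp {src_ip} 12345 {r['mapped']} {port}"
            for r in rules if r["kind"] == "static"]
```

If a flagged address also shows no UN-NAT phase in packet-tracer, the problem is upstream of the ASA, as it turned out to be in this thread.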

2 REPLIES

New Member

Hey!

 

Thanks for taking a look.  I changed the dynamic to section 3 like you suggested.  I like that much better, gives a cleaner config and logical layout, and for what they were needing it will work fine.  But, that wasn't the problem.  You hit it when you said "... would seem to suggest that no traffic has arrived..."   Turns out that their ISP (AT&T) front-ends this with a 3825 router and it wasn't updating its CAM table in any kind of timely manner.  A simple "oops, was that your power cable?? sorry about that AT&T" worked like a champ! :-)  When their router booted back up and actually did an ARP properly, all was NAT'ting like it was supposed to!  Thanks a bunch!!!  I stared at that config for hours scratching my head.  Why would anyone want to monkey with an ARP time setting is beyond me.  It's not like you are going to flood the link with ARPs....  :-P

 

Thanks again!!  :-)
