I wanted to create a static NAT by following Cisco's documentation for ASA 9.1 firmware. Inside network is using PAT without any issues but ASA is not doing NAT for some internal servers from outside. I tried to troubleshoot but I have nothing else left to check. Can you please look at my config and let me know if there is anything wrong? I am trying to use permit all ACL until my config works. Thanks.
ASA Version 9.1(4)
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
ip address 10.10.1.5 255.255.255.252
ospf message-digest-key 1 md5 *****
ospf authentication message-digest
no ip address
no ip address
ip address 184.108.40.206 255.255.255.192
no ip address
boot system disk0:/asa914-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
same-security-traffic permit intra-interface
object network WEB
object network RAS
object network box
object network inside_network
subnet 10.0.0.0 255.0.0.0
access-list OUTSIDE_IN extended permit icmp any any
access-list OUTSIDE_IN extended permit ip any any
access-list OUTSIDE_IN extended permit gre any any
I've found out after checking with packet tracer, it looks like the inbound connection is failing because of rpf-check. How can I make sure that return traffic from servers follows back their original NAT connection?
The most common reason that the "packet-tracer" might fail with the RPF Check is if you use the actual private IP address as the destination in the "packet-tracer" command.
That or some problems with the NAT configurations but that doesn't seem likely considering your simple NAT configuration.
It would still help to see the actual "packet-tracer" output I suggested originally.
You should be seeing an UN-NAT Phase at the very start of the output which would tell you that the destination address of the "packet-tracer" matches one of your NAT configurations. Then you should see an ACCESS-LIST Phase which shows an interface ACL allowing the connection.
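As an added illustration of the reply above (this is a constructed ASA 9.1 fragment, not the poster's configuration or anything from the thread), here is the network object static NAT form the reply expects and the two packet-tracer invocations it contrasts. The interface names inside/outside, the real address 10.0.0.10, the mapped address 203.0.113.10 and the outside client 198.51.100.5 are all assumed; lines beginning with "!" are comments.

```cisco
! Constructed example, not the thread's configuration.
! Assumed: interfaces named inside/outside, real server 10.0.0.10,
! mapped public address 203.0.113.10, outside client 198.51.100.5.
!
! Network object NAT (ASA 8.3+ syntax). A static rule is bidirectional:
! the ASA keeps one xlate for the server, so replies leaving the inside
! interface are translated back to 203.0.113.10 automatically. No
! separate rule is needed for the return traffic.
object network WEB
 host 10.0.0.10
 nat (inside,outside) static 203.0.113.10
!
! From 8.3 on, interface ACLs match the REAL (untranslated) address,
! so a tightened rule references 10.0.0.10, not 203.0.113.10.
! (The thread's "permit ip any any" would also match.)
access-list OUTSIDE_IN extended permit tcp any host 10.0.0.10 eq www
access-group OUTSIDE_IN in interface outside
!
! Verification: trace an outside client hitting the MAPPED address.
! Expected phases, in order: UN-NAT (destination rewritten to
! 10.0.0.10), then ACCESS-LIST (OUTSIDE_IN permits it), ...
! Result should end with "Action: allow".
packet-tracer input outside tcp 198.51.100.5 12345 203.0.113.10 80
!
! The mistake the reply describes: tracing to the REAL address from
! outside. No NAT rule un-translates it, so there is no UN-NAT phase
! and the trace fails at the rpf-check phase with "Action: drop".
packet-tracer input outside tcp 198.51.100.5 12345 10.0.0.10 80
```

Run both traces and compare the phase list: if the first one shows UN-NAT followed by ACCESS-LIST and ends in allow, the NAT rule and ACL are correct and the remaining question is routing on the outside side.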