New Member

Auto NAT and outside pool ip address

Hi Everyone,

If I do Auto NAT from the DMZ interface to the outside interface using the config below:

object network Auto_NAT
 subnet 192.168.70.0 255.255.255.0          ********* DMZ subnet
 description Auto NAT DMZ Interface
object network Outside_pool
 range 192.168.51.3 192.168.51.100
object network Auto_NAT
 nat (DMZ,outside) dynamic Outside_pool

My outside interface has an IP of 192.168.71.2.

I am unable to access the internet using the above config.

When I change the range in Outside_pool to 192.168.71.3 192.168.71.100, I am able to access the internet.

Does this mean that with Auto NAT using dynamic NAT, the outside pool range should be in the same subnet as the outside interface IP address?

Regards

Mahesh

31 REPLIES
Super Bronze

Auto NAT and outside pool ip address

Hi Mahesh,

The NAT Pool doesn't have to be the same network as the "outside" interface's network.

But in that case you have to make sure that the router in front of the ASA knows about this NAT Pool network.

The router either needs

  • A route for the network used as the NAT Pool pointing towards the current "outside" interface IP address of the ASA
  • OR the router interface facing the ASA needs a "secondary" address configured in the network that includes the NAT Pool used
    • In this case you also need the command "arp permit-nonconnected" enabled on the ASA

- Jouni

New Member

Auto NAT and outside pool ip address

Hi Julio,

Something new learned today.

I will test that tomorrow.

Best regards

Mahesh

Re: Auto NAT and outside pool ip address

Hello Mahesh,

No, it does not.

That behavior lets us know that there is an ARP issue with those IP addresses.

Does the ISP side know that you have that range of IP addresses, 192.168.51.x?

Also, what version are you running? Proxy-ARP is disabled in some versions (8.4.3 and 8.6 if I am not wrong), so the ASA will not proxy-ARP for IP addresses not connected or not on the same subnet as the ASA.

Check my blog at http:laguiadelnetworking.com for further information.

Cheers,

Julio Carvajal Segura

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
New Member

Auto NAT and outside pool ip address

Hi Julio,

IOS is:

Cisco Adaptive Security Appliance Software Version 9.1(1)
Device Manager Version 7.1(2)

I will test it tomorrow after work.

Regards

Mahesh

Auto NAT and outside pool ip address

Hello,

The command that Jouni recommended (arp permit-nonconnected) is available on that version.

Check my blog at http:laguiadelnetworking.com for further information.

Cheers,

Julio Carvajal Segura

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
New Member

Auto NAT and outside pool ip address

Hi Jouni,

I configured the Outside_pool IP range, which was not from the outside interface subnet of the ASA.

Also, on the switch which has a direct connection to the ASA outside interface IP, I configured the command

3550SMIA(config)#ip route 192.168.72.0 255.255.255.0 192.168.71.2

where 192.168.71.2 is the ASA outside interface IP.

Now I cannot access the internet.

ciscoasa# sh xlate
1 in use, 3 most used
Flags: D - DNS, e - extended, I - identity, i - dynamic, r - portmap,
       s - static, T - twice, N - net-to-net
NAT from DMZ:192.168.70.3 to outside:192.168.72.56 flags i idle 0:00:00 timeout 3:00:00

Regards

Mahesh

Auto NAT and outside pool ip address

Hello Mahesh,

The configuration on the ASA should remain the same.

On the upstream device it should be:

no ip route 192.168.72.0 255.255.255.0 192.168.71.2
ip route 192.168.51.0 255.255.255.0 192.168.71.2

Check my blog at http:laguiadelnetworking.com for further information.

Cheers,

Julio Carvajal Segura

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
New Member

Auto NAT and outside pool ip address

Hi Julio,

I changed the Outside_pool IP range to subnet 192.168.72.0:

object network Auto_NAT_DMZ
 subnet 192.168.70.0 255.255.255.0
 description Auto NAT DMZ Interface
object network Outside_pool
 range 192.168.72.3 192.168.72.100

Regards

Mahesh

Auto NAT and outside pool ip address

Hello Mahesh,

Okay.

And what happens, the same thing?

Check my blog at http:laguiadelnetworking.com for further information.

Cheers,

Julio Carvajal Segura

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
New Member

Auto NAT and outside pool ip address

Yeah, the same thing, no internet from the PC,

but from the ASA I can ping the internet.

Auto NAT and outside pool ip address

Hello Mahesh,

Okay.

Please share both the config from the L3 switch and the ASA at the moment.

I will need to analyze the configuration.

Check my blog at http:laguiadelnetworking.com for further information.

Cheers,

Julio Carvajal Segura

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
New Member

Auto NAT and outside pool ip address

Hi Julio,

Here is the log from the ASA:

Aug 15 2013 22:09:08: %ASA-6-302014: Teardown TCP connection 8398 for DMZ:192.168.70.3/5703 to identity:192.168.70.1/443 duration 0:00:00 bytes 3619 TCP Reset-O
Aug 15 2013 22:09:08: %ASA-6-106015: Deny TCP (no connection) from 192.168.70.3/5703 to 192.168.70.1/443 flags FIN ACK  on interface D

The config is attached to the original post.

Regards

Mahesh

Auto NAT and outside pool ip address

Hello,

Looks like we are receiving a Reset packet from the device on the lower security level.

The "Deny TCP (no connection)" could mean 2 things:

1) Asymmetric routing

2) The server is sending information after the connection was released on the ASA

Check my blog at http:laguiadelnetworking.com for further information.

Cheers,

Julio Carvajal Segura

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
New Member

Auto NAT and outside pool ip address

Hi Julio,

As per this message, it seems it's a NATting issue:

Aug 15 2013 22:11:59: %ASA-6-110003: Routing failed to locate next hop for TCP from identity:192.168.70.1/443 to DMZ:192.168.70.3/5712

where 70.3 is the PC IP

70.1 is the DMZ interface

Regards

Mahesh

Auto NAT and outside pool ip address

Hello Mahesh,

But I mean that traffic is on the same subnet, I mean 70.3 to 70.1...

Can you share the configuration please? Or you can email me the setup.

Check my blog at http:laguiadelnetworking.com for further information.

Cheers,

Julio Carvajal Segura

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
New Member

Auto NAT and outside pool ip address

Hi Julio,

The config is attached under the original post.

Regards

Mahesh

Auto NAT and outside pool ip address

Hello Mahesh,

Configuration looks good (I did not see anything wrong).

Add:

fixup protocol icmp
cap capin interface inside match icmp any any eq 4.2.2.2
cap capout interface outside match icmp any any eq 4.2.2.2

Then ping from an inside PC to 4.2.2.2 and provide:

show cap capin
show cap capout

Check my blog at http:laguiadelnetworking.com for further information.

Cheers,

Julio Carvajal Segura

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
New Member

Auto NAT and outside pool ip address

Hi Julio,

I will test that later today and will update you.

Yesterday I ran the packet capture when I pinged 4.2.2.2, and when I showed the capture for the inside interface it was 0 packets, but the outside interface was showing some output.

I will do it again today after adding the command fixup protocol icmp.

Regards

Mahesh

Auto NAT and outside pool ip address

Hello Mahesh,

Then it would be a problem with the LAN, as the traffic is not reaching the ASA; make sure the computers have the right default gateway.

Note: we are testing from a 10.x.x.x host, right?

Let us know of any update.

Check my blog at http:laguiadelnetworking.com for further information.

Cheers,

Julio Carvajal Segura

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
New Member

Re: Auto NAT and outside pool ip address

Hi Julio,

The below command does not work:

ap capture  interface  DMZ match  icmp  any any  eq 4.2.2.2
                                                             ^
ERROR: % Invalid Hostname

Also, I am behind the DMZ subnet 192.168.70.x.

Also, here is more info:

ciscoasa# debug icmp trace
debug icmp trace enabled at level 1
ciscoasa# ICMP echo request from DMZ:192.168.70.4 to outside:4.2.2.2 ID=1 seq=17 len=32
ICMP echo request translating DMZ:192.168.70.4 to outside:192.168.72.63
ICMP echo request from DMZ:192.168.70.4 to outside:4.2.2.2 ID=1 seq=18 len=32
ICMP echo request translating DMZ:192.168.70.4 to outside:192.168.72.63
ICMP echo request from DMZ:192.168.70.4 to outside:4.2.2.2 ID=1 seq=19 len=32
ICMP echo request translating DMZ:192.168.70.4 to outside:192.168.72.63
ICMP echo request from DMZ:192.168.70.4 to outside:4.2.2.2 ID=1 seq=20 len=32
ICMP echo request translating DMZ:192.168.70.4 to outside:192.168.72.63
ICMP echo request from DMZ:192.168.70.4 to outside:4.2.2.2 ID=1 seq=21 len=32
ICMP echo request translating DMZ:192.168.70.4 to outside:192.168.72.63
ICMP echo request from DMZ:192.168.70.4 to outside:4.2.2.2 ID=1 seq=22 len=32
ICMP echo request translating DMZ:192.168.70.4 to outside:192.168.72.63
ICMP echo request from DMZ:192.168.70.4 to outside:4.2.2.2 ID=1 seq=23 len=32
ICMP echo request translating DMZ:192.168.70.4 to outside:192.168.72.63
ICMP echo request from DMZ:192.168.70.4 to outside:4.2.2.2 ID=1 seq=24 len=32
ICMP echo request translating DMZ:192.168.70.4 to outside:192.168.72.

Where 192.168.70.4 is the PC IP.

Thanks

Mahesh

Re: Auto NAT and outside pool ip address

Hello Mahesh,

I must have been really tired when I sent the capture syntax lol. It's completely wrong.

It should be:

cap capdmz interface dmz match icmp any host 4.2.2.2
cap capout interface outside match icmp any host 4.2.2.2

I am sorry.

Check my blog at http:laguiadelnetworking.com for further information.

Cheers,

Julio Carvajal Segura

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
New Member

Auto NAT and outside pool ip address

Hi  Julio,

Thanks for replying back.

ciscoasa# sh cap capdmz
4 packets captured
   1: 23:36:38.000350       802.1Q vlan#3 P0 192.168.70.6 > 4.2.2.2: icmp: echo request
   2: 23:36:42.849779       802.1Q vlan#3 P0 192.168.70.6 > 4.2.2.2: icmp: echo request
   3: 23:36:47.841860       802.1Q vlan#3 P0 192.168.70.6 > 4.2.2.2: icmp: echo request
   4: 23:36:52.849428       802.1Q vlan#3 P0 192.168.70.6 > 4.2.2.2: icmp: echo request
4 packets shown

ciscoasa# sh cap capout
36 packets captured
   1: 22:03:42.616057       802.1Q vlan#1 P0 192.168.72.56 > 4.2.2.2: icmp: echo request
   2: 22:03:47.348538       802.1Q vlan#1 P0 192.168.72.56 > 4.2.2.2: icmp: echo request
   3: 22:03:52.340741       802.1Q vlan#1 P0 192.168.72.56 > 4.2.2.2: icmp: echo request
   4: 22:03:57.348233       802.1Q vlan#1 P0 192.168.72.56 > 4.2.2.2: icmp: echo request
   5: 22:06:25.034544       802.1Q vlan#1 P0 192.168.72.56 > 4.2.2.2: icmp: echo request
   6: 22:06:29.839144       802.1Q vlan#1 P0 192.168.72.56 > 4.2.2.2: icmp: echo request
   7: 22:06:34.846864       802.1Q vlan#1 P0 192.168.72.56 > 4.2.2.2: icmp: echo request
   8: 22:06:39.838854       802.1Q vlan#1 P0 192.168.72.56 > 4.2.2.2: icmp: echo request
   9: 22:08:08.405313       802.1Q vlan#1 P0 192.168.72.56 > 4.2.2.2: icmp: echo request
  10: 22:08:13.345929       802.1Q vlan#1 P0 192.168.72.56 > 4.2.2.2: icmp: echo request
  11: 22:08:18.337842       802.1Q vlan#1 P0 192.168.72.56 > 4.2.2.2: icmp: echo request
  12: 22:08:23.345486       802.1Q vlan#1 P0 192.168.72.56 > 4.2.2.2: icmp: echo request
  13: 22:08:28.337491       802.1Q vlan#1 P0 192.168.72.56 > 4.2.2.2: icmp: echo request
  14: 22:51:16.824237       802.1Q vlan#1 P0 192.168.72.56 > 4.2.2.2: icmp: echo request
  15: 22:51:21.333799       802.1Q vlan#1 P0 192.168.72.56 > 4.2.2.2: icmp: echo request
  16: 22:51:26.333066       802.1Q vlan#1 P0 192.168.72.56 > 4.2.2.2: icmp: echo request
  17: 22:51:31.334409       802.1Q vlan#1 P0 192.168.72.56 > 4.2.2.2: icmp: echo request
  18: 22:52:32.936276       802.1Q vlan#1 P0 192.168.72.56 > 4.2.2.2: icmp: echo request
  19: 22:52:37.844743       802.1Q vlan#1 P0 192.168.72.56 > 4.2.2.2: icmp: echo request
  20: 22:52:42.834734       802.1Q vlan#1 P0 192.168.72.56 > 4.2.2.2: icmp: echo request
  21: 22:52:47.834185       802.1Q vlan#1 P0 192.168.72.56 > 4.2.2.2: icmp: echo request
  22: 22:52:52.834307       802.1Q vlan#1 P0 192.168.72.56 > 4.2.2.2: icmp: echo request
  23: 22:52:57.834643       802.1Q vlan#1 P0 192.168.72.56 > 4.2.2.2: icmp: echo request
  24: 22:53:02.834917       802.1Q vlan#1 P0 192.168.72.56 > 4.2.2.2: icmp: echo request
  25: 22:53:07.834246       802.1Q vlan#1 P0 192.168.72.56 > 4.2.2.2: icmp: echo request
  26: 22:53:12.834536       802.1Q vlan#1 P0 192.168.72.56 > 4.2.2.2: icmp: echo request
  27: 22:53:17.845979       802.1Q vlan#1 P0 192.168.72.56 > 4.2.2.2: icmp: echo request
  28: 22:53:22.834154       802.1Q vlan#1 P0 192.168.72.56 > 4.2.2.2: icmp: echo request
  29: 22:53:27.834475       802.1Q vlan#1 P0 192.168.72.56 > 4.2.2.2: icmp: echo request
  30: 22:53:32.834780       802.1Q vlan#1 P0 192.168.72.56 > 4.2.2.2: icmp: echo request
  31: 22:53:37.834078       802.1Q vlan#1 P0 192.168.72.56 > 4.2.2.2: icmp: echo request
  32: 22:53:42.833422       802.1Q vlan#1 P0 192.168.72.56 > 4.2.2.2: icmp: echo request
  33: 23:36:38.000671       802.1Q vlan#1 P0 192.168.72.73 > 4.2.2.2: icmp: echo request
  34: 23:36:42.850084       802.1Q vlan#1 P0 192.168.72.73 > 4.2.2.2: icmp: echo request
  35: 23:36:47.842104       802.1Q vlan#1 P0 192.168.72.73 > 4.2.2.2: icmp: echo request
  36: 23:36:52.849733       802.1Q vlan#1 P0 192.168.72.73 > 4.2.2.2: icmp: echo request
36 packets shown
ciscoasa#

Regards

Mahesh

Auto NAT and outside pool ip address

There are no packets coming back from the switch.

Add the following to the ASA:

arp permit-nonconnected

Can you share the show ip route from the switch (I just need the entry for 192.168.72.0)?

Also show arp | include 192.168.72.

Check my blog at http:laguiadelnetworking.com for further information.

Cheers,

Julio Carvajal Segura

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
New Member

Auto NAT and outside pool ip address

Hi Julio,

Here is the info:

3550SMIA#show arp | include 192.168.72.56
3550SMIA#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 192.168.5.3 to network 0.0.0.0

S    192.168.72.0/24 [1/0] via 192.168.71.2
     100.0.0.0/32 is subnetted, 1 subnets
O       100.100.100.100 [110/3] via 192.168.5.3, 5d02h, FastEthernet0/11
     3.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
O       3.3.3.3/32 [110/2] via 192.168.5.3, 5d02h, FastEthernet0/11
C       3.4.4.0/24 is directly connected, Loopback0
C    192.168.30.0/24 is directly connected, Vlan30
     64.0.0.0/32 is subnetted, 1 subnets
O E2    64.59.135.150 [110/300] via 192.168.5.3, 5d02h, FastEthernet0/11
S    192.168.77.0/24 [1/0] via 192.168.10.2
C    192.168.10.0/24 is directly connected, Vlan10
     172.31.0.0/24 is subnetted, 4 subnets
O E2    172.31.3.0 [110/300] via 192.168.5.3, 5d02h, FastEthernet0/11
O E2    172.31.2.0 [110/300] via 192.168.5.3, 5d02h, FastEthernet0/11
O E2    172.31.1.0 [110/300] via 192.168.5.3, 5d02h, FastEthernet0/11
O E2    172.31.0.0 [110/300] via 192.168.5.3, 5d02h, FastEthernet0/11
O    192.168.98.0/24 [110/2] via 192.168.99.1, 5d02h, FastEthernet0/8
C    192.168.99.0/24 is directly connected, FastEthernet0/8
C    192.168.20.0/24 is directly connected, Vlan20
     192.168.5.0/31 is subnetted, 1 subnets
C       192.168.5.2 is directly connected, FastEthernet0/11
     192.168.6.0/31 is subnetted, 1 subnets
O       192.168.6.2 [110/2] via 192.168.5.3, 5d02h, FastEthernet0/11
S    192.168.69.0/24 [1/0] via 192.168.10.2
C    192.168.71.0/24 is directly connected, FastEthernet0/22
O*E2 0.0.0.0/0 [110/1] via 192.168.5.3, 5d02h, FastEthernet0/11
3550SMIA#

Regards

Mahesh

Auto NAT and outside pool ip address

Hello.

Do the following on the ASA side:

arp permit-nonconnected, and then try again.

Check my blog at http:laguiadelnetworking.com for further information.

Cheers,

Julio Carvajal Segura

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
New Member

Auto NAT and outside pool ip address

No luck.

Auto NAT and outside pool ip address

Hello,

At the moment, the only thing that I could possibly think of is to make sure that the router 192.168.5.3 has a route to the 192.168.72 subnet and that it's also NATting this subnet range.

Check my blog at http:laguiadelnetworking.com for further information.

Cheers,

Julio Carvajal Segura

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
New Member

Auto NAT and outside pool ip address

Hi Julio,

Seems adding a static route to the router did the magic:

2691Router(config)#ip route 192.168.72.0 255.255.255.0 192.168.5.2
2691Router(config)#end
2691Router#

Now I can access the internet from the PC, and ping also works fine.

Can you tell how adding the route to the router made the difference?

Regards

Mahesh

Auto NAT and outside pool ip address

Hello Mahesh,

Well, basically:

  • The ASA had the right configuration (we could see the packets going out to the outside interface)
  • We made sure the ASA replies to ARP packets for addresses not on the same subnet as its interfaces (arp permit-nonconnected)
  • We made sure the switch knew how to get to the subnet being used by the DMZ
  • I checked the switch to see if the NAT was being done there, but that was not the case, so only 2 options were left: A) the device doing the NAT does not include the subnet used by the DMZ; B) the device on the edge of the network does not know how to get to that subnet on the DMZ.

Long troubleshooting, Mahesh, but we did it.

Check my blog at http:laguiadelnetworking.com for further information.

Cheers,

Julio Carvajal Segura

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
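As an added illustration of the rule Jouni states in the first reply and of the summary in this last post (example code, not from the thread or from Cisco): a small Python model of the thread's topology that walks a reply addressed to a NAT-pool address from the edge router back to the ASA and reports the hop where it would be dropped. It covers the three cases the thread went through: pool inside the outside subnet (works by default), pool on a separate subnet with and without the upstream routes, and a connected "secondary" subnet on the switch, which needs arp permit-nonconnected on the ASA. The switch's address 192.168.71.1, the router's route for 192.168.71.0/24 and the ISP next hop 203.0.113.1 are assumptions, not values from the thread.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

IP, NET, IFACE = ipaddress.ip_address, ipaddress.ip_network, ipaddress.ip_interface


@dataclass
class Hop:
    name: str
    connected: list                              # "addr/prefix" per interface
    routes: dict = field(default_factory=dict)   # prefix -> next-hop address
    default: Optional[str] = None                # gateway of last resort
    nat_pool: Optional[tuple] = None             # ASA only: (first, last) of pool
    arp_permit_nonconnected: bool = False        # ASA only

    def owns(self, ip):
        return any(IFACE(a).ip == ip for a in self.connected)

    def connected_net(self, ip):
        return next((IFACE(a).network for a in self.connected if ip in IFACE(a).network), None)

    def in_pool(self, ip):
        return bool(self.nat_pool) and IP(self.nat_pool[0]) <= ip <= IP(self.nat_pool[1])

    def next_hop(self, dst):
        """Longest-prefix match over static routes, then the gateway of last resort."""
        hits = [(NET(p), IP(nh)) for p, nh in self.routes.items() if dst in NET(p)]
        if hits:
            return max(hits, key=lambda t: t[0].prefixlen)[1]
        return IP(self.default) if self.default else None


def trace_return_path(hops, start, dst):
    """Walk a reply for `dst` from `start` towards the ASA; return (reached_asa, log)."""
    dst, log = IP(dst), []
    hop = next(h for h in hops if h.name == start)
    asa = next(h for h in hops if h.nat_pool)
    for _ in range(len(hops) + 1):
        if hop.in_pool(dst):
            log.append(f"{hop.name}: {dst} is in the NAT pool, untranslated")
            return True, log
        if hop.connected_net(dst):
            # Connected subnet: this hop ARPs for dst and the ASA must answer. It does so
            # by default only for pool addresses inside its own interface subnet.
            same_subnet = asa.connected_net(dst) is not None
            if asa.in_pool(dst) and (same_subnet or asa.arp_permit_nonconnected):
                log.append(f"{hop.name}: ARP for {dst} answered by {asa.name}")
                return True, log
            log.append(f"{hop.name}: ARP for {dst} unanswered, reply dropped")
            return False, log
        nh = hop.next_hop(dst)
        nxt = next((h for h in hops if nh and h.owns(nh)), None)
        if nxt is None:
            log.append(f"{hop.name}: no route back for {dst} (next hop {nh})")
            return False, log
        log.append(f"{hop.name}: {dst} via {nh} -> {nxt.name}")
        hop = nxt
    return False, log + ["forwarding loop"]


def build_topology(pool, router_knows_pool, asa_permit_nonconnected=False,
                   switch_secondary=None):
    """Thread topology; switch SVI 192.168.71.1 and ISP hop 203.0.113.1 are assumed."""
    asa = Hop("ASA", ["192.168.71.2/24"], nat_pool=pool,
              arp_permit_nonconnected=asa_permit_nonconnected)
    sw_if = ["192.168.71.1/24", "192.168.5.2/31"] + [switch_secondary] * bool(switch_secondary)
    switch = Hop("3550SMIA", sw_if, routes={"192.168.72.0/24": "192.168.71.2"},
                 default="192.168.5.3")
    rtr = {"192.168.71.0/24": "192.168.5.2"}              # assumed: outside subnet reachable
    if router_knows_pool:
        rtr["192.168.72.0/24"] = "192.168.5.2"           # the static route that fixed it
    router = Hop("2691Router", ["192.168.5.3/31"], routes=rtr, default="203.0.113.1")
    return [asa, switch, router]
```

Running trace_return_path(build_topology(("192.168.72.3", "192.168.72.100"), False), "2691Router", "192.168.72.56") stops at the router with "no route back", which is the failure this thread spent most of its length on.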