Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

basic nat not working

I am trying to set up a basic configuration and cant figure out why nat is not working. 

my  outside vlan 2 ping public ip address

my inside  vlan 1 does not ping anything public ,

i have

nat (inside) 1 192.168.1.0 255.255.255.0

global (outside) 1 interface

not sure why it does not work. do I need acls?

Pleaes see my config attached

Everyone's tags (2)
1 ACCEPTED SOLUTION

Accepted Solutions

basic nat not working

Hello Alex,

Thanks for letting us know the solution 

Please mark the question as answered so future users can learn from the same issue you had.

Regards,

Julio

Looking for some Networking Assistance? Contact me directly at jcarvaja@laguiadelnetworking.com I will fix your problem ASAP. Cheers, Julio Carvajal Segura http://laguiadelnetworking.com
11 REPLIES
Super Bronze

basic nat not working

Please add inspect icmp:

policy-map global_policy

class inspection_default

     inspect icmp

New Member

basic nat not working

Hi Jennifer thank you

my that did not fix my issue.  I can ping my inside hosts from the ASA without specifying an interface and I can ping public ip addresses without specifying an interface

It appears my internal hosts cant reach the internet ,  if i try to ping 208.67.222.222( public dns) from my internal host 192.168.1.20,( server,)  i get no response. 

any ideas?

basic nat not working

Hello Alex,

Can you provide us the Ipconfig from your PC.

As Jennifer stated you were missing the ICMP stateful inspection, now that you have it you should be able to ping it.

Also provide us the following:

packet-tracer input inside icmp 192.168.1.20 8 0 4.2.2.2

Also add the following capture

capture asp type asp-drop all

Then try to ping from your PC  to 4.2.2.2 and finally provide us the output of :

show capture asp | include 4.2.2.2

Regards,

Julio

Security Engineer

Do rate all the helpful posts

Looking for some Networking Assistance? Contact me directly at jcarvaja@laguiadelnetworking.com I will fix your problem ASAP. Cheers, Julio Carvajal Segura http://laguiadelnetworking.com
New Member

basic nat not working

Hi Julio ,t hanks for responding,  attached is my  packet-tracert configuration

packet tracert output

packet-tracer input  inside icmp 192.168.1.20 8 0 4.2.2$

Phase: 1

Type: ACCESS-LIST

Subtype:

Result: ALLOW

Config:

Implicit Rule

Additional Information:

MAC Access list

Phase: 2

Type: FLOW-LOOKUP

Subtype:

Result: ALLOW

Config:

Additional Information:

Found no matching flow, creating a new flow

Phase: 3

Type: ROUTE-LOOKUP

Subtype: input

Result: ALLOW

Config:

Additional Information:

in   0.0.0.0         0.0.0.0         outside

Phase: 4

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 5

Type: INSPECT

Subtype: np-inspect

Result: ALLOW

Config:

class-map inspection_default

match default-inspection-traffic

policy-map global_policy

class inspection_default

  inspect icmp

service-policy global_policy global

Additional Information:

Phase: 6

Type: INSPECT

Subtype: np-inspect

Result: ALLOW

Config:

Additional Information:

Phase: 7

Type: NAT

Subtype:

Result: ALLOW

Config:

nat (inside) 1 192.168.1.0 255.255.255.0

  match ip inside 192.168.1.0 255.255.255.0 outside any

    dynamic translation to pool 1 ( [Interface PAT])

    translate_hits = 1, untranslate_hits = 0

Additional Information:

Dynamic translate 192.168.1.20/0 to /4 using netmask 255.255.255.255

Phase: 8

Type: NAT

Subtype: host-limits

Result: ALLOW

Config:

nat (inside) 1 192.168.1.0 255.255.255.0

  match ip inside 192.168.1.0 255.255.255.0 inside any

    dynamic translation to pool 1 (No matching global)

    translate_hits = 0, untranslate_hits = 0

Additional Information:

( is this  the issue here?)

Phase: 9

Type: HOST-LIMIT

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 10

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 11

Type: FLOW-CREATION

Subtype:

Result: ALLOW

Config:

Additional Information:

New flow created with id 71, packet dispatched to next module

Phase: 12

Type: ROUTE-LOOKUP

Subtype: output and adjacency

Result: ALLOW

Config:

Additional Information:

found next-hop using egress ifc outside

adjacency Active

next-hop mac address 0026.f324.ba24 hits 294

Result:

input-interface: inside

input-status: up

input-line-status: up

output-interface: outside

output-status: up

output-line-status: up

Action: allow

New Member

basic nat not working

Here is my show nat

show nat

NAT policies on Interface inside:

  match ip inside 192.168.1.0 255.255.255.0 inside any

    dynamic translation to pool 1 (No matching global)

    translate_hits = 0, untranslate_hits = 0

  match ip inside 192.168.1.0 255.255.255.0 outside any

    dynamic translation to pool 1 ( [Interface PAT])

    translate_hits = 1, untranslate_hits = 0

  match ip inside 192.168.1.0 255.255.255.0 _internal_loopback any

    dynamic translation to pool 1 (No matching global)

    translate_hits = 0, untranslate_hits = 0

New Member

basic nat not working

THe ipconfig on my linux server is

192.168.1.20

255.255.255.0

192.168.1.1 (cisco asa)

dns 208.67.222.222

basic nat not working

Hello Alex,

As you marked on the packet tracer that is the issue, there is no translation for those packets..

You are running a very old version but I have not see any bugs related to the ASA to apply the proper translation when the protocol its ICMP...

Is it possible that you could do a hard reload, if this does not solve it I will look into our database for a bug or something related to this odd behavior,

Regards,

Julio

Rate all the helpful posts

Looking for some Networking Assistance? Contact me directly at jcarvaja@laguiadelnetworking.com I will fix your problem ASAP. Cheers, Julio Carvajal Segura http://laguiadelnetworking.com
New Member

basic nat not working

Hi All - thanks for responding,  i fixed the issue by upgrading to asa843.   I then configured nat with the following an d poof! it worke.  

object network  obj-

nat (inside,outside) dynamic interface  

Thanks

basic nat not working

Hello Alex,

Thanks for letting us know the solution 

Please mark the question as answered so future users can learn from the same issue you had.

Regards,

Julio

Looking for some Networking Assistance? Contact me directly at jcarvaja@laguiadelnetworking.com I will fix your problem ASAP. Cheers, Julio Carvajal Segura http://laguiadelnetworking.com
New Member

basic nat not working

Thanks Julio - i do need help with acl issue, if you can take a look at that, i would appreciat it. Its a new thread,

New Member

basic nat not working

Upgrade the asdm image too.

1089
Views
0
Helpful
11
Replies