Cisco Support Community
Beginner NAT question

I've got an ASA 5510 running 8.4.

I have a host on an inside interface, with a static NAT configured on the ASA. The inbound/return half of the NAT doesn't appear to be working.

Config summary:

    object network nat-test
     host 192.168.100.98
    access-list outside_in extended permit icmp any host 1.1.1.1
    access-list outside_in extended permit tcp any host 1.1.1.1 eq ssh
    object network nat-test
     nat (phone-support,outside) static 1.1.1.1
    access-group outside_in in interface outside

I run a ping from the host (192.168.100.98) to something on the outside (1.2.3.4).

Running captures, I can see the outbound ping leaving, having been NATed OK. I can see the reply coming back in to the outside interface with the correct IP address, but I never see the final NATed packet appear on the inside interface. The packet just disappears inside the ASA.

I'm sure I've had this before, but I can't for the life of me remember what was wrong.

Can anyone put me out of my misery?

Thanks,

GTG

Please rate all helpful posts.

Re: Beginner NAT question

Sorted it:

    object network nat-test
     host 192.168.100.98
    object network nat-test-outside
     host 1.1.1.1
    access-list outside_in extended permit icmp any object nat-test
    access-list outside_in extended permit tcp any object nat-test eq ssh
    object network nat-test
     nat (inside,outside) source static nat-test nat-test-outside
    access-group outside_in in interface outside

Basically, you have to use "objects" for both sides of the NAT, *AND* use the inside object on the ACL.

I always thought ACLs came before NAT...?

GTG

Please rate all helpful posts.

Beginner NAT question

GTG,

Yeah, that is how it used to be in OS versions earlier than 8.3. Now they require the object-groups and it is a little different.

Thanks,

Kimberly

Thanks and Cheers! Kimberly Please remember to rate helpful posts.
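
A small config lint for the behaviour this thread arrives at (on 8.3 and later the interface ACL has to name the real inside address, not the translated one), added here as an example and not code from either poster. The sample config is constructed from the first post; the function names are hypothetical, and only `host` objects and static NAT are handled.

```python
import re

# Constructed sample: the non-working config from the first post.
SAMPLE = """\
object network nat-test
 host 192.168.100.98
access-list outside_in extended permit icmp any host 1.1.1.1
access-list outside_in extended permit tcp any host 1.1.1.1 eq ssh
object network nat-test
 nat (phone-support,outside) static 1.1.1.1
access-group outside_in in interface outside
"""

def parse(config):
    """Return (hosts, nat): object name -> host IP, and mapped IP -> real IP."""
    hosts, pending, current = {}, [], None
    for line in config.splitlines():
        words, sub = line.split(), line.startswith(" ")
        if not words:
            continue
        if words[:2] == ["object", "network"] and len(words) == 3:
            current = words[2]
        elif sub and current and words[0] == "host" and len(words) > 1:
            hosts[current] = words[1]
        elif words[0] == "nat" and "static" in words[:-1]:
            i = words.index("static")
            if words[i - 1] == "source" and len(words) > i + 2:
                pending.append((words[i + 1], words[i + 2]))  # source static REAL MAPPED
            elif sub and current:
                pending.append((current, words[i + 1]))       # object NAT: static MAPPED
        elif not sub:
            current = None
    return hosts, {hosts.get(m, m): hosts.get(r, r) for r, m in pending}

def acl_mapped_refs(config):
    """List (acl_line, mapped_ip, real_ip) for ACEs that name a mapped IP."""
    hosts, nat = parse(config)
    findings = []
    for line in (l for l in config.splitlines() if l.startswith("access-list ")):
        for kind, value in re.findall(r"\b(host|object) (\S+)", line):
            ip = hosts.get(value, value) if kind == "object" else value
            if ip in nat:
                findings.append((line, ip, nat[ip]))
    return findings

if __name__ == "__main__":
    for line, mapped, real in acl_mapped_refs(SAMPLE):
        print(f"{line}\n  references mapped {mapped}; real address is {real}")
```

Run against the first post's config it flags both `outside_in` entries; run against the config from the reply it reports nothing.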