Cisco Support Community
New Member

Dynamic NAT ASA 8.4 Packet Tracer not working

Hi guys,

I've tried to ping and go to a site from 192.168.1.6 to 10.10.10.12, but it's not working. I've followed a couple dynamic NAT tutorials, but I can't figure out what I'm missing. The config is below, and I'd appreciate any help.

Thanks!

 

ASA Version 8.4(2)
!
hostname ciscoasa
names
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.2 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 10.10.10.2 255.0.0.0
!
object network inside-subnet
 subnet 192.168.1.0 255.255.255.0
!
object network inside-subnet
 nat (inside,outside) dynamic interface
!
telnet timeout 5
ssh timeout 5
!
dhcpd address 192.168.1.5-192.168.1.35 inside
!
dhcpd auto_config outside
!

7 REPLIES
VIP Purple

For pinging through the ASA you need to enable ICMP-inspection:

policy-map global_policy
  class inspection_default
    inspect icmp

Based on the shown config it should work. If not, show your full config and tell us how you are exactly testing.


--
Don't stop after you've improved your network! Improve the world by lending money to the working poor: http://www.kiva.org/invitedby/karsteni
VIP Green

That's inspect icmp... not inspect ftp ;-)

But if that does not work, you may want to try to add an ACL to the outside interface allowing ICMP replies.

access-list TEST permit icmp any any echo-reply

access-group TEST in interface outside

--

Please remember to select a correct answer and rate helpful posts

-- Please remember to rate and select a correct answer
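The two replies above take different routes, and they differ in what they expose. Added here as a consolidated example (an editor's addition, not code from either reply): the ASA is stateful for TCP and UDP, so the reply half of a connection that an inside host opened is admitted by the connection table and needs no entry in an outside ACL. ICMP is the exception unless `inspect icmp` is enabled, which makes the ASA track each echo request and admit only the matching echo-reply. Permitting `icmp any any echo-reply` inbound on the outside interface instead admits unsolicited echo-replies from any outside host to any inside host. The addresses (192.168.1.6, 10.10.10.12) and the object name `inside-subnet` come from the first post. The `packet-tracer` lines are the ASA's own CLI command, not the Packet Tracer simulator, and assume a real or virtual appliance, since the thread does not say whether the simulator accepts them.

```text
! Preferred: stateful ICMP inspection. The policy-map and class already exist
! in the ASA 8.4 factory-default configuration; only the two inspect lines
! are new. "inspect icmp error" additionally fixes up the addresses embedded
! in ICMP error messages (unreachable, time-exceeded) that cross the PAT.
policy-map global_policy
 class inspection_default
  inspect icmp
  inspect icmp error
!
! Outbound dynamic PAT, unchanged from the posted config.
object network inside-subnet
 subnet 192.168.1.0 255.255.255.0
 nat (inside,outside) dynamic interface
!
! Alternative from the second reply, shown commented out to make its scope
! visible: any outside host may now send echo-replies to any inside host at
! any time, whether or not an echo request went out. Everything not listed
! is still dropped by the implicit deny at the end of the ACL.
! access-list TEST extended permit icmp any any echo-reply
! access-group TEST in interface outside
!
! Verification (ASA CLI): trace an echo request (ICMP type 8, code 0) from the
! inside client to the outside target. Expect a NAT phase translating the
! source to the outside interface address and "Action: allow" at the end; a
! drop names the phase it failed in and prints a Drop-reason line.
packet-tracer input inside icmp 192.168.1.6 8 0 10.10.10.12
!
! After a real ping from the client, confirm the PAT entry and the tracked
! ICMP connection. Without "inspect icmp" the ASA creates no connection
! entry for ICMP, which is why the reply is dropped on the way back.
show xlate
show conn
```

If the trace allows the packet but the real ping still fails, the remaining suspects are outside the ASA: the target's own ICMP policy, or its route back to the 10.0.0.0/8 address the PAT presents.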
VIP Purple

> That's inspect icmp... not inspect ftp ;-)

OMG ... I had an ASA window open and so I copied it instead of typing. And then I forgot to change the inspect ... I corrected it in my post.


VIP Green

:-D

New Member

Thanks guys. I'm one step closer. I can ping from 192.168.1.0 to 10.0.0.0, but I can't open a webpage. I try visiting 10.0.0.6/index.html in packet tracer and get a "Request time out" message. I tried to mirror the ACL for www, but it's not working. 

Does anyone have a suggestion? My updated config is below.

Thanks!

ASA Version 8.4(2)
!
hostname ciscoasa
names
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 10.0.0.1 255.0.0.0
!
object network inside-subnet
 subnet 192.168.1.0 255.255.255.0
object network outside-subnet
 subnet 10.0.0.0 255.0.0.0
!
access-list TEST extended permit icmp any any echo-reply
access-list TEST extended permit tcp any any eq www
access-list http extended permit tcp any any eq www
access-list http2 extended permit udp any any eq www
!
access-group TEST in interface outside
object network inside-subnet
 nat (inside,outside) dynamic interface
!
telnet timeout 5
ssh timeout 5
!
dhcpd auto_config outside
!
dhcpd address 192.168.1.5-192.168.1.35 inside
dhcpd enable inside
!

VIP Green

You need a more specific NAT for that. You can do that one of two ways:

object network WWW-SERVER
 host 10.0.0.6
 nat (inside,outside) static interface service tcp www www

or

object service WEB
 service tcp destination eq http
!
nat (inside,outside) source static WWW-SERVER interface service WEB WEB

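Before adding a second NAT rule, it is worth checking what the existing one already does. Editor's added example, not code from the thread: `nat (inside,outside) dynamic interface` on `inside-subnet` translates every connection an inside host initiates toward the outside, HTTP to 10.0.0.6 included, to the outside interface address 10.0.0.1, and the server's reply is matched against the connection table, so no ACL entry on the outside interface is needed for it. The `http` and `http2` access-lists in the second config are never applied with `access-group` and therefore do nothing, and the `permit tcp any any eq www` entry in `TEST` only permits connections initiated from the outside, which the returning HTTP traffic is not. The ASA CLI commands below (real or virtual appliance, not the Packet Tracer simulator) show whether the HTTP flow is translated and allowed, and where it stops if not. Addresses are the thread's; port 40000 is an arbitrary ephemeral source port and `CAP` is a capture name chosen here.

```text
! 1. List the NAT table. The object rule for inside-subnet should appear as a
!    dynamic PAT to the outside interface, with translate_hits/untranslate_hits
!    counters that increase as the client retries.
show nat detail
!
! 2. Trace an outbound HTTP connection from the inside client. With "detailed"
!    every phase prints the rule it matched; the result block ends with
!    "Action: allow" or with a Drop-reason naming the failing phase.
packet-tracer input inside tcp 192.168.1.6 40000 10.0.0.6 80 detailed
!
! 3. Capture on the outside interface while the client browses. If SYNs leave
!    with source 10.0.0.1 but no SYN-ACK comes back, the ASA has done its part
!    and the problem is on the server or the outside segment; if no SYN
!    appears at all, the trace in step 2 will show where it was dropped.
capture CAP interface outside match tcp any host 10.0.0.6 eq 80
show capture CAP
no capture CAP
!
! 4. While the browser is still retrying, confirm the translation and the
!    half-open (SYN sent, no reply) or established connection to the server.
show xlate
show conn address 10.0.0.6
```

A static translation for 10.0.0.6 only matters once something on the outside must reach that host through the ASA; for a browser on the inside opening the connection, the dynamic PAT already covers the flow, and steps 2 and 3 tell you whether the ASA or the far side is the one not answering.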