Community Member

Fun with NAT on ASA

If a host on 192.168.1.x (the inside interface) tries to ping a host on 192.168.10.x (a network behind a router which is connected at 6.1):

The ASA returns:

Jan 23 2010 10:17:58: %ASA-3-305006: portmap translation creation failed for icmp src inside:192.168.1.3 dst inside:192.168.10.22 (type 8, code 0)

and the ping fails.

If you try to ping directly from the ASA you get a similar result:

#ping 192.168.10.22
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.22, timeout is 2 seconds:
Jan 23 2010 10:20:35: %ASA-4-313004: Denied ICMP type=0, from laddr 192.168.1.6 on interface inside to 192.168.1.1: no matching session

Seems to me this should work right out of the box. Suggestions?

<config snip>

name 192.168.10.0 Cowacella description named after thomas J's Monticello with a cow twist

access-list inside_access_in_1 extended permit ip any any

nat-control
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0

access-group inside_access_in_1 in interface inside
route inside Cowacella 255.255.255.0 192.168.1.6 1

4 REPLIES
Community Member

Re: Fun with NAT on ASA

I failed to mention, I have "same-security-traffic permit intra-interface" enabled as well.

Cisco Employee

Re: Fun with NAT on ASA

Hello,

You are running into an asymmetric routing scenario over here.

Either you can set the default gateway of hosts on all subnets to be the 6.1 (router) & have its default gateway set to the ASA inside ifc, OR if you really wanna keep the ASA as everybody's default gateway, then you can use the tcp-state-bypass feature introduced in the 8.2 release of code for ASA, so that the asymmetric situation here can be handled correctly by the ASA.

Check it out in the release notes:

http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/s1.html#wp1428242

HTH

Vijaya

Community Member

Re: Fun with NAT on ASA

It is really simple, my friend.

All you need to do is put a static command:

static (inside,inside) 192.168.1.x 192.168.1.x

Have a look at the attached file to understand the scenario in a better way. :)

Regards,

Sachin Vaish

Cisco Employee

Re: Fun with NAT on ASA

Hello,

Making the firewall inside ifc proxy ARP for inside hosts using the global (inside) 1 ifc statement, along with the identity static translation for the destination command, was a workaround we used in the pre-8.2 era. Anyways, I would suggest the usage of the solution (tcp-state-bypass feature) in the 8.2+ codes.

Thanks,

Vijaya

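The fixes discussed in the replies, written out as an ASA 8.2 configuration; this is an added example, not the thread's or the attachment's configuration. It assumes the addressing from the original post (inside 192.168.1.0/24 with the ASA at 192.168.1.1, the router at 192.168.1.6, 192.168.10.0/24 behind it) and that the original nat-control, nat (inside) 1 and access-list lines stay in place.

```cisco
! Added example, not from the thread: ASA 8.2 hairpin configuration for
! inside host -> ASA -> router 192.168.1.6 -> 192.168.10.0/24.
! Assumed: inside = 192.168.1.0/24 with the ASA at 192.168.1.1, and the
! nat-control / nat (inside) 1 0.0.0.0 0.0.0.0 lines from the post are kept.

! Required for any traffic that enters and leaves the inside interface.
same-security-traffic permit intra-interface

! Option A (pre-8.2 workaround from the last reply): give the inside
! interface its own global so the existing nat (inside) 1 rule also
! matches inside-to-inside flows. The source is PATed to 192.168.1.1, so
! the router replies to the ASA rather than directly to the host, and
! the "portmap translation creation failed" error clears for ICMP too.
global (inside) 1 interface

! Option A' (second reply): identity static instead of PAT. nat-control
! is satisfied and addresses stay unchanged, but replies from 192.168.10.x
! then reach the host directly and bypass the ASA (asymmetric path).
! static (inside,inside) 192.168.1.0 192.168.1.0 netmask 255.255.255.0

! Option B (8.2+): keep the ASA as default gateway and let the asymmetric
! TCP flows through without state checks. Match only the two subnets;
! matched flows lose stateful TCP inspection, so keep the ACL narrow.
access-list tcp_bypass extended permit tcp 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0
class-map tcp_bypass
 match access-list tcp_bypass
policy-map tcp_bypass_policy
 class tcp_bypass
  set connection advanced-options tcp-state-bypass
service-policy tcp_bypass_policy interface inside
! tcp-state-bypass covers TCP only; the ICMP ping from the post still
! needs Option A or A' to satisfy nat-control on the inside-to-inside path.
```

With Option A in place the original `%ASA-3-305006` portmap message should stop appearing; if Option B is used alone, expect it to persist for ICMP and non-TCP traffic.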