
NAT doesn't work

Fabio Grasso
Level 1

Hello all,

I have a problem that is driving me crazy. I've configured a lot of PIX and ASA v. 7 devices, and now I'm configuring an ASA with software 8.2 for the first time.

The config that I want to make is very simple: dynamic NAT for the inside clients and some statics for the servers.

The problem is that when I configure the statics for the servers, they don't work and the servers can no longer surf the internet.

My WAN-side network is xx.xxx.32.59/29 and the inside is 192.168.9.0/24; the IP assigned to the ASA is xx.xxx.32.62 and the WAN router of our provider is xx.xxx.32.57.

This is the config that I've put:

access-list nat0 extended permit ip 192.168.9.0 255.255.255.0 10.0.9.0 255.255.255.0
access-list acl_out extended permit icmp any any
access-list acl_out extended permit ip MILAN-WAN 255.255.255.224 xx.xxx.32.56 255.255.255.248
access-list acl_out extended permit tcp any host xx.xxx.32.60 object-group Polycom
access-list acl_out extended permit udp any host xx.xxx.32.60 object-group Polycom

nat (inside) 0 access-list nat0
nat (inside) 1 192.168.9.0 255.255.255.0

static (inside,outside) xx.xxx.32.59 192.168.9.106 netmask  255.255.255.255

static (inside,outside) xx.xxx.32.61 192.168.9.101 netmask  255.255.255.255

static (inside,outside) xx.xxx.32.60 192.168.9.33 netmask  255.255.255.255


access-group acl_out in interface outside

route outside 0.0.0.0 0.0.0.0 xx.xx.32.57 1

What's wrong?

Thanks,

   Fabio

Accepted Solutions

Jennifer Halim
Cisco Employee

Nothing is wrong as far as the configuration is concerned.

Just double-check that the router has the MAC address of the ASA outside interface for all the virtual IP addresses that you configured in the static NAT statements.

Most times, clearing ARP on the router or reloading the internet router resolves the issue.

Lastly, I assume that you have not turned off proxy ARP on the ASA outside interface. Check "sh run all sysopt", and you should see the "no sysopt noproxyarp outside" command.

Hope that helps.

Thanks, adding "no sysopt noproxyarp outside" has solved my problem!
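
The check from the accepted answer, as an added example that is not part of the original thread: a Python script that reads an ASA 8.2-style configuration and reports which static NAT mapped addresses sit on the mapped interface's own subnet, and so depend on the ASA answering ARP for them. The sample configuration, its documentation-range addresses, the status labels and the function name `audit_proxy_arp` are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample in ASA 8.2 syntax using documentation address ranges;
# it is not the configuration posted in the thread.
SAMPLE_CONFIG = """\
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.62 255.255.255.248
static (inside,outside) 203.0.113.59 192.168.9.106 netmask 255.255.255.255
static (inside,outside) 203.0.113.60 192.168.9.33 netmask 255.255.255.255
static (inside,outside) 198.51.100.10 192.168.9.50 netmask 255.255.255.255
sysopt noproxyarp outside
"""

IPV4 = r"(\d+\.\d+\.\d+\.\d+)"
IFACE_RE = re.compile(rf"^ nameif (\S+)\n(?: .*\n)*? ip address {IPV4} {IPV4}", re.M)
# Statics that use the "interface" keyword or a name instead of a literal
# mapped address are skipped by this pattern.
STATIC_RE = re.compile(rf"^static \(\S+,(\S+)\) {IPV4} \S+ netmask {IPV4}", re.M)
# Anchored at line start so "no sysopt noproxyarp outside" (proxy ARP left on,
# as listed by "show run all sysopt") does not match.
NOPROXY_RE = re.compile(r"^sysopt noproxyarp (\S+)", re.M)


def audit_proxy_arp(config):
    """Map each static's mapped address to its proxy ARP dependency."""
    ifaces = {name: ipaddress.ip_interface(f"{ip}/{mask}")
              for name, ip, mask in IFACE_RE.findall(config)}
    disabled = set(NOPROXY_RE.findall(config))
    report = {}
    for mapped_if, mapped, mask in STATIC_RE.findall(config):
        iface = ifaces.get(mapped_if)
        if iface is None:
            continue  # mapped interface has no address in this config
        net = ipaddress.ip_network(f"{mapped}/{mask}", strict=False)
        if not net.subnet_of(iface.network):
            # Upstream must route this prefix to the ASA; ARP is not involved.
            report[mapped] = "routed"
        elif mapped_if in disabled:
            # On-link address that the ASA will not answer ARP for.
            report[mapped] = "proxy-arp-disabled"
        else:
            report[mapped] = "proxy-arp-ok"
    return report


if __name__ == "__main__":
    for addr, status in audit_proxy_arp(SAMPLE_CONFIG).items():
        print(f"{addr:<16} {status}")
```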
