
NAT faddr,gaddr,laddr

mahesh18
Level 6

Hi Everyone,

Need to understand logs below

Mar 04 2014 21:58:27: %ASA-6-302020: Built inbound ICMP connection for faddr 10.0.0.52/1(LOCAL\ipsec-user) gaddr 192.168.50.1/0 laddr 192.168.50.1/0 (ipsec-user )

Mar 04 2014 21:58:28: %ASA-6-302021: Teardown ICMP connection for faddr 10.0.0.52/1(LOCAL\ipsec-user) gaddr 192.168.50.1/0 laddr 192.168.50.1/0 (ipsec-user) Mar 04 2014 21:58:27:

I am pinging from PC IP 10.0.0.52 connected to ASA using Remote VPN to IP 192.168.50.1.

IP 192.168.50.1 is connected to inside interface of ASA.

As per the logs, I can say 10.0.0.52 is the foreign address?

When the ping comes from IP 10.0.0.52, it gets translated to global address 192.168.50.1?

Then again it's translated to local address 192.168.50.1?

Regards

Mahesh


Jon Marshall
Hall of Fame

Mahesh

faddr = foreign address = your PC 10.0.0.52

gaddr = global address = the IP the real IP has been changed to with NAT (if it has)

laddr = local address = the real IP

Note that in this case the global and the local are the same address.

Jon

Hi Jon,

I have the below NAT exempt config

nat (inside,outside) source static NETWORK_OBJ_10.0.0.0_24 NETWORK_OBJ_10.0.0.0_24 destination static NETWORK_OBJ_10.0.0.0_25 NETWORK_OBJ_10.0.0.0_25 no-proxy-arp route-lookup

So when you say

gaddr = global address = the IP the real IP has been changed to with NAT (if it has)

So as I have NAT exempt from inside to outside. As per my logs in the original post, traffic is coming from the outside to inside, so in this case no address is changed?

So I can say that Global address=192.168.50.1=Real IP=Local address?

The second thing I need to know: my NAT exempt is for the 10.0.0.0 subnet from inside to outside, but here I am coming from source IP 10.0.0.52 going to IP 192.168.50.1 from outside, so how does NAT exempt work here?

Regards

Mahesh

Mahesh

So as I have NAT exempt from inside to outside. As per my logs in the original post, traffic is coming from the outside to inside, so in this case no address is changed?

Yes, no NAT translation is done because you don't have a NAT translation for that specific traffic.

So I can say that Global address=192.168.50.1=Real IP=Local address?

Yes, the local IP is the same as the global IP because again you are not translating this address.

Jon
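
The field meanings given in the replies above, applied to the log lines from the question, as an added example that is not part of the original thread. The function names and the last two sample lines are constructed for illustration; the "/n" suffix after each address is captured but not interpreted.

```python
import re

# Matches the ICMP build/teardown messages quoted in the thread
# (%ASA-6-302020 / %ASA-6-302021). The "/n" suffix after each address is
# captured but deliberately not interpreted.
ASA_ICMP = re.compile(
    r"%ASA-6-(?P<msgid>302020|302021): (?P<action>Built|Teardown) "
    r"(?:(?P<direction>inbound|outbound) )?ICMP connection for "
    r"faddr (?P<faddr>[\d.]+)/(?P<fsuffix>\d+)(?:\((?P<fuser>[^)]*)\))? "
    r"gaddr (?P<gaddr>[\d.]+)/(?P<gsuffix>\d+) "
    r"laddr (?P<laddr>[\d.]+)/(?P<lsuffix>\d+)"
)

def parse_icmp_event(line):
    """Return the address fields of one message, or None for other lines."""
    m = ASA_ICMP.search(line)
    if m is None:
        return None
    event = m.groupdict()
    # gaddr is what the real IP (laddr) was changed to by NAT, so equal
    # values mean the local address was not translated.
    event["translated"] = event["gaddr"] != event["laddr"]
    return event

def nat_summary(lines):
    """List (msgid, faddr, gaddr, laddr, translated) for every matching line."""
    events = filter(None, map(parse_icmp_event, lines))
    return [(e["msgid"], e["faddr"], e["gaddr"], e["laddr"], e["translated"])
            for e in events]

SAMPLE_LOG = [
    # The first two lines are the ones posted in the question.
    r"Mar 04 2014 21:58:27: %ASA-6-302020: Built inbound ICMP connection for faddr 10.0.0.52/1(LOCAL\ipsec-user) gaddr 192.168.50.1/0 laddr 192.168.50.1/0 (ipsec-user )",
    r"Mar 04 2014 21:58:28: %ASA-6-302021: Teardown ICMP connection for faddr 10.0.0.52/1(LOCAL\ipsec-user) gaddr 192.168.50.1/0 laddr 192.168.50.1/0 (ipsec-user)",
    # Constructed line (not from the thread) in which NAT changed the address.
    "Mar 04 2014 22:10:03: %ASA-6-302020: Built outbound ICMP connection for faddr 198.51.100.7/0 gaddr 203.0.113.10/1 laddr 192.168.50.1/1",
    # Constructed unrelated line: it must be skipped, not mis-parsed.
    "Mar 04 2014 22:10:04: constructed line that is not a 302020/302021 message",
]

if __name__ == "__main__":
    for row in nat_summary(SAMPLE_LOG):
        print(row)
```
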

mahesh18
Level 6

Hi Jon,

Many thanks for clearing all my doubts. Now I have a better understanding of the concept.

Best Regards

Mahesh
