Cisco Support Community
New Member

NAT Rule Blocking Traffic?

I am pretty confused about a firewall setup I inherited that is causing me some problems. It's an ASA 5505 configured with the standard Inside and Outside networks, plus a DMZ and a Test LAN. I am trying to get a backup solution configured that of course requires agents installed on the hosts to talk to the central console. The central console is installed on the DMZ in the network. The server with the agent is installed on the Test network. I added an ACL via the ADSM as follows:

access-list TEST_access_in line 3 extended permit object-group DM_INLINE_PROTOCOL_2 host any
access-list TEST_access_in line 3 extended permit ip host any
access-list TEST_access_in line 3 extended permit icmp host any
access-list TEST_access_in line 3 extended permit tcp host any

When I tested this through the packet trace tool, it failed. It says it failed due to the following:

nat (TEST) 1
  match ip TEST any inside any
    dynamic translation to pool 1 ( [Interface PAT])
    translate_hits=2, untranslate_hits=0

I have absolutely no idea what this means. I thought NAT just determined what kind of address translation you have for your unroutable IPs. I don't know why it would be blocking access between two networks. Can anyone give me some ideas or information about what this is referring to and what I might be doing wrong?

Thanks in advance.

Cisco Employee

Re: NAT Rule Blocking Traffic?

Please post the interface and nat configuration. This is a natting issue. Also, it would be nice if you could post the packet tracer output and the ip addresses you are testing from.


New Member

Re: NAT Rule Blocking Traffic?

Thanks! Here is the config of the interfaces:

interface Vlan1
nameif inside
security-level 100
ip address
interface Vlan2
nameif outside
security-level 0
ip address
interface Vlan3
nameif dmz
security-level 50
ip address
interface Vlan13
nameif TEST
security-level 100
ip address

Here are the NAT statements:

access-list dmz_nat0_outbound extended permit ip
access-list inside_nat0_outbound extended permit ip
access-list inside_nat0_outbound extended permit ip

global (inside) 1 interface
global (outside) 1 interface
global (dmz) 2 interface
global (TEST) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1
nat (dmz) 0 access-list dmz_nat0_outbound
nat (TEST) 1
static (TEST,inside) netmask dns
static (inside,dmz) netmask
static (inside,TEST) netmask
static (TEST,dmz) netmask

access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
access-group dmz_access_in in interface dmz
access-group TEST_access_in in interface TEST

I am trying to connect from IP in the DMZ network to on the inside LAN. With no changes to the configuration from me I do a packet trace from the DMZ. The output is this

I perform the same test on the inside interface, no change made to the existing config, and I get this:

So, I figure I need to add an ACL to prevent the implicit deny rule. I create a rule permitting source to, protocols IP and TCP, and apply it to the inside of the inside interface. I do the same test as before and I get this:

Having thought about this since my post, I do need to mention that the source IP ( has a static NAT to a public IP in the config. So, presumably when traffic from that host leaves the ASA it gets translated to the public IP. I did try changing my ACLs to the public IP instead, but that also didn't work so I doubt that I'm barking up the right tree.

Cisco Employee

Re: NAT Rule Blocking Traffic?

You are not running packet tracer for the return traffic properly.

If you run it for traffic hitting the inside the source will be 192.168.20./24 destined to

The config looks good for this flow.


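The packet-tracer line that confused the original poster ("nat (TEST) 1 ... dynamic translation to pool 1 [Interface PAT]") is the NAT phase reporting which translation rule won for the flow, and on a pre-8.3 ASA that choice follows a fixed order: a `nat (ifc) 0 access-list` exemption first, then `static` entries for the real/mapped interface pair, then a dynamic `nat (ifc) <id>` rule, which only works if the egress interface has a `global (egress) <id>` with the same id. The script below is an added example, not Cisco code and not from this thread; it is a simplified model of that source-side lookup only (it does not model the access-list phase, destination un-translation, or policy NAT), and every IP address in it is a constructed placeholder because the posts scrubbed the real ones. Two things in the posted configuration are worth checking with it: the dmz interface has `global (dmz) 2` while both `nat (inside) 1` and `nat (TEST) 1` use id 1, so a TEST or inside host that is not covered by a nat 0 exemption or a static toward dmz falls onto a nat rule with no matching global on dmz; and TEST and inside are both security-level 100, so traffic between them additionally needs `same-security-traffic permit inter-interface`, which the excerpt does not show.

```python
"""Toy model of classic (pre-8.3) ASA source-side NAT rule selection.

Added illustration, not Cisco's implementation. Lookup order modelled:
  1. nat (ifc) 0 access-list  (exemption)
  2. static (real_ifc,mapped_ifc)
  3. nat (ifc) <id> paired with global (egress) <id>
All addresses below are constructed placeholders.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network

ANY = ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Exempt:            # one ACE of a nat (ingress) 0 access-list
    ingress: str
    src: IPv4Network
    dst: IPv4Network


@dataclass(frozen=True)
class Static:            # static (real_ifc,mapped_ifc) <mapped> <real> netmask <m>
    real_ifc: str
    mapped_ifc: str
    real: IPv4Network


@dataclass(frozen=True)
class Dynamic:           # nat (ingress) <id> <real_net>
    ingress: str
    nat_id: int
    real: IPv4Network


@dataclass(frozen=True)
class Global:            # global (egress) <id> interface
    egress: str
    nat_id: int


def select_nat(rules, ingress, egress, src, dst):
    """Return (action, detail) for a packet entering `ingress` bound for `egress`."""
    src, dst = ip_address(src), ip_address(dst)
    # 1. NAT exemption on the ingress interface wins outright.
    for r in rules:
        if isinstance(r, Exempt) and r.ingress == ingress and src in r.src and dst in r.dst:
            return ("exempt", r)
    # 2. A static for this real->mapped interface pair.
    for r in rules:
        if isinstance(r, Static) and r.real_ifc == ingress and r.mapped_ifc == egress and src in r.real:
            return ("static", r)
    # 3. A dynamic nat on ingress needs a global with the same id on egress;
    #    without one the flow fails ("no translation group found").
    for r in rules:
        if isinstance(r, Dynamic) and r.ingress == ingress and src in r.real:
            for g in rules:
                if isinstance(g, Global) and g.egress == egress and g.nat_id == r.nat_id:
                    return ("pat", g)
            return ("drop", f"nat ({ingress}) {r.nat_id} matched but there is no global ({egress}) {r.nat_id}")
    # 4. No rule at all: with nat-control disabled (the 7.x/8.x default) the packet passes untranslated.
    return ("untranslated", None)


# Rule table transcribed from the thread; networks and hosts are constructed.
INSIDE = ip_network("192.168.1.0/24")
DMZ = ip_network("192.168.3.0/24")
TEST = ip_network("192.168.13.0/24")
TEST_AGENT = ip_network("192.168.13.10/32")   # constructed host for the scrubbed statics
RULES = [
    Exempt("dmz", DMZ, INSIDE),        # nat (dmz) 0 access-list dmz_nat0_outbound (ACE constructed)
    Exempt("inside", INSIDE, DMZ),     # nat (inside) 0 access-list inside_nat0_outbound (ACE constructed)
    Exempt("inside", INSIDE, TEST),
    Static("TEST", "inside", TEST_AGENT),   # static (TEST,inside)
    Static("inside", "dmz", INSIDE),        # static (inside,dmz)
    Static("inside", "TEST", INSIDE),       # static (inside,TEST)
    Static("TEST", "dmz", TEST_AGENT),      # static (TEST,dmz)
    Dynamic("inside", 1, ANY),              # nat (inside) 1
    Dynamic("TEST", 1, ANY),                # nat (TEST) 1
    Global("inside", 1), Global("outside", 1), Global("dmz", 2), Global("TEST", 1),
]

if __name__ == "__main__":
    flows = [
        ("TEST", "dmz", "192.168.13.10", "192.168.3.5"),    # the agent host, covered by static (TEST,dmz)
        ("TEST", "dmz", "192.168.13.20", "192.168.3.5"),    # another TEST host: nat id 1, no global (dmz) 1
        ("TEST", "inside", "192.168.13.20", "192.168.1.5"), # the flow in the original packet-tracer output
        ("dmz", "inside", "192.168.3.5", "192.168.1.5"),    # the flow the employee said looks good
    ]
    for ingress, egress, s, d in flows:
        action, detail = select_nat(RULES, ingress, egress, s, d)
        print(f"{ingress:>6} -> {egress:<6} {s} -> {d}: {action} {detail or ''}")
```

Run it as a script to print the decision for each constructed flow, or import `select_nat` and feed it your own interface pair and addresses; when a flow comes back as `drop`, the fix on a pre-8.3 box is either a `nat 0`/`static` entry for that pair or a `global` on the egress interface with the same id as the matching `nat`.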