Cisco Support Community

PIX 6.3 NAT to ASA 9.1

We are migrating from PIX 6.3 to ASA 9.1. Having issues with NAT and hoping someone can help.

Existing PIX-

access-list CUSTOMER permit ip any 202.x.x.z 255.255.255.0
access-list CUSTOMER permit ip any 202.x.y.z 255.255.255.0
nat (inside) 1000 access-list CUSTOMER 0 0
static (inside,outside) DMZHOST1 INTHOST1 netmask 255.255.255.255 0 0
static (inside,outside) DMZHOST2 INTHOST2 netmask 255.255.255.255 0 0
static (inside,outside) DMZHOST3 INTHOST3 netmask 255.255.255.255 0 0
static (inside,outside) DMZHOST4 INTHOST4 netmask 255.255.255.255 0 0

Our failed ASA attempt-

object-group network CUSTOMER
 network-object 202.x.x.z 255.255.255.0
 network-object 202.x.y.z 255.255.255.0
object-group network DMZHOST1
 network-object host DMZHOST1
object-group network DMZHOST2
 network-object host DMZHOST2
object-group network DMZHOST3
 network-object host DMZHOST3
object-group network DMZHOST4
 network-object host DMZHOST4
object-group network INTHOST1
 network-object host INTHOST1
object-group network INTHOST2
 network-object host INTHOST2
object-group network INTHOST3
 network-object host INTHOST3
object-group network INTHOST4
 network-object host INTHOST4
nat (inside,outside) source static INTHOST1 DMZHOST1 destination static CUSTOMER CUSTOMER
nat (inside,outside) source static INTHOST2 DMZHOST2 destination static CUSTOMER CUSTOMER
nat (inside,outside) source static INTHOST3 DMZHOST3 destination static CUSTOMER CUSTOMER
nat (inside,outside) source static INTHOST4 DMZHOST4 destination static CUSTOMER CUSTOMER

We are getting hits on the ACL and hits on the translations but the customer can't connect.

Any help is appreciated.

1 REPLY

Are you getting hits after you run a packet-tracer or with real traffic?

Can you tell me if this is TCP/UDP, and what type of protocol port you are using?

Set up a capture to see the conversation and run logs:

CLI

enable
config t
logging on
logging asdm debugging

Log into ASDM and do the following:

Go to Monitoring > Logging > Real-Time Log Viewer

When you are there, filter on the source IP from where they are connecting.

At the of the real time log viewer it has an option to save the logs to a text file. Save them and post them; if you want to edit them that is up to you, but it will be harder to resolve.

Captures:

capture in interface inside match ip host Customer_ip host DMZHOST1_IP
capture out interface outside match ip host Customer_ip host HOST1_IP

Download the captures through a web browser:

https://ASA_inside_IP/capture/in/pcap
https://ASA_inside_IP/capture/out/pcap

It will ask you for your logging credentials; if, for example, you don't have a user defined, it will ask you for just your enable password.

Value our effort and rate the assistance!
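Added example, not part of the thread or of Cisco's tooling: a Python sketch for triaging the saved log file from the step above, classifying each flow from the customer's source IP so that "ACL and translation hits but no connection" can be narrowed to denies, half-open handshakes (SYN Timeout), or completed sessions. It assumes the saved lines contain the standard ASA syslog text for messages 302013, 302014 and 106023; the addresses, connection IDs and access-group name are constructed.

```python
import re
from collections import Counter

# Constructed sample lines (documentation address ranges), ASA syslog text form.
SAMPLE_LOG = """\
%ASA-6-302013: Built inbound TCP connection 4101 for outside:198.51.100.10/51000 (198.51.100.10/51000) to inside:10.1.1.11/443 (203.0.113.11/443)
%ASA-6-302014: Teardown TCP connection 4101 for outside:198.51.100.10/51000 to inside:10.1.1.11/443 duration 0:00:30 bytes 0 SYN Timeout
%ASA-6-302013: Built inbound TCP connection 4102 for outside:198.51.100.10/51001 (198.51.100.10/51001) to inside:10.1.1.12/443 (203.0.113.12/443)
%ASA-6-302014: Teardown TCP connection 4102 for outside:198.51.100.10/51001 to inside:10.1.1.12/443 duration 0:00:05 bytes 5120 TCP FINs
%ASA-4-106023: Deny tcp src outside:198.51.100.10/51002 dst inside:10.1.1.13/22 by access-group "outside_in" [0x0, 0x0]
%ASA-6-302013: Built inbound TCP connection 4103 for outside:192.0.2.77/40000 (192.0.2.77/40000) to inside:10.1.1.11/443 (203.0.113.11/443)
"""

BUILT = re.compile(r"%ASA-6-302013: Built \w+ TCP connection (\d+) for "
                   r"[^:\s]+:([\d.]+)/\d+ \(\S+\) to [^:\s]+:([\d.]+)/\d+")
TEARDOWN = re.compile(r"%ASA-6-302014: Teardown TCP connection (\d+) .*? "
                      r"duration \S+ bytes (\d+) (.+)$")
DENY = re.compile(r"%ASA-4-106023: Deny \w+ src [^:\s]+:([\d.]+)/\d+ dst ")


def summarize(log_text, client_ip):
    """Count flows involving client_ip by outcome.

    open            built, no teardown seen in the log
    syn-timeout     handshake never completed (no reply reached the ASA)
    ok              torn down after carrying data
    closed-no-data  torn down with zero bytes for another reason
    denied          dropped by an access-group (message 106023)
    """
    conns = {}   # connection id -> outcome
    denied = 0
    for line in log_text.splitlines():
        if m := BUILT.search(line):
            # Built lines name both endpoints; accept the client on either side.
            if client_ip in (m.group(2), m.group(3)):
                conns[m.group(1)] = "open"
        elif (m := TEARDOWN.search(line)) and m.group(1) in conns:
            nbytes, reason = int(m.group(2)), m.group(3).strip()
            if reason.startswith("SYN Timeout"):
                conns[m.group(1)] = "syn-timeout"
            else:
                conns[m.group(1)] = "ok" if nbytes else "closed-no-data"
        elif (m := DENY.search(line)) and m.group(1) == client_ip:
            denied += 1
    result = Counter(conns.values())
    if denied:
        result["denied"] = denied
    return dict(result)


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG, "198.51.100.10"))
```

A high syn-timeout count with no denies means the firewall accepted and translated the flow but never saw the handshake complete, which is the case the inside and outside captures are meant to split further.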
