Hi Julio,

Thats the strange part, this is the entire output of packet no 3.  (exept:  1 packet shown)

Cheers

Okey,

So you are trying to ping from

      172.12.112.12 to  84.17.x.x

I mean those 2 IP addresses are public, are you trying to ping from the ASA outside interface to an outside host or do you have a public address range on your inside?

Can you write down a little diagram of what we are trying to do! cause it looks like you are trying to ping the IP address of the ASA (Used on PAT).

For more information about Core and Security Networking follow my website at http://laguiadelnetworking.com

Any question contact me at jcarvaja@laguiadelnetworking.com

Cheers,

Julio Carvajal Segura

Aa sorry, my try to obscure the IP, no need really :-)

So,  ping from inside, private IP range, to two servers on 84.17.x.x give me that error when capturing with trace

If I ping from ASA it works.

Cheers

Hello Mikael,

So you are pinging 2 outside servers from the internal network?

Are those 2 servers on the outside world or are they being used for a NAT statement?

Do the following:

Packet-tracer input inside icmp inside_host_ip 8 0  84.17.x.x

Then provide us the output,

For more information about Core and Security Networking follow my website at http://laguiadelnetworking.com

Any question contact me at jcarvaja@laguiadelnetworking.com

Cheers,

Julio Carvajal Segura

Hi Julio,

Thanks for your help

Both servers are on the outside. The serve as an outsourced service for the end customer, and to have some sort of monitoring they use Nagios and ping

The result from simulated pacet tracer are the same as from packet tracer on the actual captured packet.

Do you have an explanation of the result, 'nat-no-xlate-to-pat-pool'? What does it mean?

act/SKL-FW1# Packet-tracer input inside icmp 172.22.10.12 8 0  84.17.x.x

Phase: 1

Type: CAPTURE

Subtype:

Result: ALLOW

Config:

Additional Information:

MAC Access list

Phase: 2

Type: ACCESS-LIST

Subtype:

Result: ALLOW

Config:

Implicit Rule

Additional Information:

MAC Access list

Phase: 3

Type: ROUTE-LOOKUP

Subtype: input

Result: ALLOW

Config:

Additional Information:

in   0.0.0.0         0.0.0.0         outside

Result:

input-interface: inside

input-status: up

input-line-status: up

output-interface: outside

output-status: up

output-line-status: up

Action: drop

Drop-reason: (nat-no-xlate-to-pat-pool) Connection to PAT address without pre-existing xlate

act/SKL-FW1#

Cheers

Hi Mashal,

So if I understand right, to get ICMP to work I need an to create an extra NAT for just this translation?

Do you have an example?

Cheers

Hi Mikael,

I already mentioned an example.

I cannot accurately answer your question without seeing your NAT rules. But generally you need to add NAT rule to match the flow since one of the flow's IP addresses matches another xlate.

------------------
Mashal Shboul

Yes, I was thinking of an ICMP example.

And thoes servers I try to ping have both other sessions.

sh xlate

TCP PAT from outside:84.17.x.x  and

NAT from outside:84.17.x.x

I get an error when I try to configure it. Both on object nat and manual NAT.

(probably me missing something here)

ERROR: real service object includes protocol that doesnt match TCP or UDP.

Hello Mashal,

I was not aware of that information

Thanks for the information. Kudos to U

For more information about Core and Security Networking follow my website at http://laguiadelnetworking.com

Any question contact me at jcarvaja@laguiadelnetworking.com

Cheers,

Julio Carvajal Segura

Hi Mashal,

Tested this last night and it's working now.

Thanks.

Cheers