Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

STATIC NAT on ASA

Hello Everybody,

I am configure an ASA and i did the pat and nat, the pat is global and all the LAN-POOL is going out through the outside´s ip address, but i have some problems with the static NAT:

Here is the config:

nat-control
global (Outside) 1 interface
nat (Inside) 1 Segmento-LAN 255.255.0.0
static (DMZ,Outside) 200.11.138.12 Server-WWW netmask 255.255.255.255
static (DMZ,Outside) 200.11.138.13 Server-Mail-Interno netmask 255.255.255.255
static (DMZ,Outside) 200.11.138.14 Server-Mail-Externo netmask 255.255.255.255

And here is the error:

3Mar 02 200303:15:33Server-WWWportmap translation creation failed for icmp src Inside:192.168.2.244 dst DMZ:Server-WWW (type 8, code 0)

Any idea, that what could be the cause??

Regards,

  • Firewalling
Everyone's tags (2)
5 REPLIES
Cisco Employee

Re: STATIC NAT on ASA

Hi Katherine,

The reason for these errors is that the ASA cannot find a NAT rule to use for this traffic. Since you have nat-control enabled, you'll need to have a NAT rule to match this traffic.

If you don't want to translate this traffic, you can configure something like the following:

access-list nonat permit ip

nat (inside) 0 access-list nonat

If you do want the traffic to be translated, you could do something like this:

global (DMZ) 1 interface

Hope that helps.

-Mike

Cisco Employee

Re: STATIC NAT on ASA

Hello,

Jut to add something else, the nat-control will make you to do NAT or translation for every packet traversing the firewall from higher to lower. That is why you will need to use either nonat or the global inside, note that if you use the global inside, you will not be able to access internal resources from the DMZ to the inside using their real IP addresses.

If you use nat0 you will be able to access the DMZ plus the DMZ (if there is an access rule applied) will be able to access the inside network.

Hope this helps.

Mike

Mike
New Member

Re: STATIC NAT on ASA

Hi Mike and Mike,

Thanks to your answer I could solve the problem. I did the following:

disable nat-control


And I added this commans:

access-list nonat extended permit ip 192.168.0.0 255.255.0.0 172.16.20.0 255.255.255.0

nat (Inside) 0 access-list nonat

And works!!!

New Member

Re: STATIC NAT on ASA

Hello!! Is me again, like i said before my problem of connectivity between DMZ and Inside was fixed, but i have a little problem, i have the following static nat into DMZ

static (DMZ,outside) 200.11.138.12 172.16.20.10 netmask 255.255.255.255
static (DMZ,outside) 200.11.138.13 172.16.20.11 netmask 255.255.255.255
static (DMZ,outside) 200.11.138.14 172.16.20.12 netmask 255.255.255.255


I can access the servers from outside without problem through the public address, and from the inside I can access throught the private address, but if I try reach the servers from the inside network through the public address of the servers, I do not have access. And I do not have any rule that can blocked the traffic.

Any Idea??

Cisco Employee

Re: STATIC NAT on ASA

Hello Kathy,

Hope you are doing great. If your DNS server is on the outside, you can add the keyword DNS to the each one of the statics you have, or you can add the following lines

static (DMZ,inside) 200.11.138.12 172.16.20.10 netmask 255.255.255.255
static (DMZ,inside) 200.11.138.13 172.16.20.11 netmask 255.255.255.255
static (DMZ,inside) 200.11.138.14 172.16.20.12 netmask 255.255.255.255

That is called destination NAT and you can find more information over here.

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807968c8.shtml

Hope it helps.

Mike

Mike
660
Views
0
Helpful
5
Replies