Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

Static NAT on Cisco ASA 9.1

Hi,

I have a requirement of configuring a static NAT and I did the following, correct me if I am wrong.

object network 10.1.1.3
   host 10.1.1.6
   nat (inside,outside) static <Real IP address>

But for some reason the above configuration does not work, any idea ?
1 ACCEPTED SOLUTION

Accepted Solutions
Silver

Static NAT on Cisco ASA 9.1

The format of your configuration of NAT is correct:

object network 10.1.1.3

   host 10.1.1.6

   nat (inside,outside) static

Some of the possible reasons that this is not working would be:

1)    That you are configuring Auto NAT and a Manual NAT is taking precedence,

2)    That you are mapping an address that is not on the same range as the external interface and on certain versions of the ASA you are required to add a command so that the ASA can ARP for none directly connected networks (arp permit-nonconnected).

3)    The other option could be that traffic is not reaching the ASA due to an ARP cache on the ISP router for another device and all you need to do is call them and clear the ARP table.

Value our effort and rate the assistance!
8 REPLIES
New Member

Static NAT on Cisco ASA 9.1

Hi HUZEFA,

You can do this way.

object network public

host 200.1.1.1

exit

object network private

host 1.1.1.1

nat(inside,outside) static public

exit

!

VIP Green

Static NAT on Cisco ASA 9.1

which IP are you trying to NAT to?  The object has the name 10.1.1.3 while the the IP you have configured in the object is 10.1.1.6?  Or is this a typo?

Other than that, could you explain a little more indepth on what is not working?  Are you trying to access the host from the outside?

could you run the following command and post it here please

packet-tracer input inside tcp 10.1.1.6 12345 4.2.2.2 80 detail

-- Please remember to rate and select a correct answer
New Member

Static NAT on Cisco ASA 9.1

Thanks Mohd, but still this format does not work.

Silver

Static NAT on Cisco ASA 9.1

The format of your configuration of NAT is correct:

object network 10.1.1.3

   host 10.1.1.6

   nat (inside,outside) static

Some of the possible reasons that this is not working would be:

1)    That you are configuring Auto NAT and a Manual NAT is taking precedence,

2)    That you are mapping an address that is not on the same range as the external interface and on certain versions of the ASA you are required to add a command so that the ASA can ARP for none directly connected networks (arp permit-nonconnected).

3)    The other option could be that traffic is not reaching the ASA due to an ARP cache on the ISP router for another device and all you need to do is call them and clear the ARP table.

Value our effort and rate the assistance!
Silver

Static NAT on Cisco ASA 9.1

Did any of the information given help, can you do me a favor and try to run a packet tracer to see if any other rule is being hit before the NAT rule that you are placing into the configuration:

Something like this:

packet-tracer input inside tcp 10.1.1.6 1025 4.2.2.2 80 detail

Send it over if you still need assistance.

Value our effort and rate the assistance!
New Member

Static NAT on Cisco ASA 9.1

Hi,

Please check previous posts for your Natting issue, at the end make sure that your External ACL should use the 'real ip address' ....just in case

Please attach the packet tracer output as per jumora, it will be very useful

Regards,

Silver

Static NAT on Cisco ASA 9.1

Well, actually the packet tracer was already requested by Marius Gunnerud's but it seems that we have not relpied with the information requested.

Value our effort and rate the assistance!
Silver

Static NAT on Cisco ASA 9.1

Hey so, I can't gave you the correct answer as I helped on the ticket from TAC, sometimes if you can't post outputs because your privacy you need to let us know or close out the support forum and open up a ticket.

Value our effort and rate the assistance!
482
Views
0
Helpful
8
Replies