01-30-2012 04:36 AM - edited 03-11-2019 03:20 PM
Hi All,
In dire need of the experts' help here.
I've configured static NAT on the FWSM and the command is as below:
static (inside,outside) 202.154.69.240 10.150.18.15 netmask 255.255.255.255
static (inside,outside) 202.154.69.241 10.150.44.28 netmask 255.255.255.255
Obviously, the connectivity from LAN server to the Internet destination doesn't work. Access lists have been configured and everything that's needed is being allowed. I verified with packet capture.
But the NAT translation doesn't seem to work. I ran a debug and this is what I got.
FWSM/fvxxxx# sh xlate debug local 10.150.18.15
Flags: D - DNS, d - dump, I - identity, i - inside, n - no random,
o - outside, r - portmap, s - static
1097 in use, 13439 most used
NAT from inside:10.150.18.15 to outside:10.150.18.15 flags Ii idle 0:01:40 timeout 3:00:00 connections 0
FWSM/fvxxxx# sh xlate debug local 10.150.44.28
Flags: D - DNS, d - dump, I - identity, i - inside, n - no random,
o - outside, r - portmap, s - static
1110 in use, 13439 most used
NAT from inside:10.150.44.28 to outside:10.150.44.28 flags Ii idle 0:00:08 timeout 3:00:00 connections 1
Why isn't it being translated??
01-30-2012 05:52 AM
Can you post your configuration? Also, what are you trying to access from the LAN?
Post your capture.
Thanks
Ajay
01-30-2012 06:47 PM
Hi Ajay,
Due to security issues, I can't post the full config, but I'll show you the ones related to this.
conf t
object-group network 3PAR-SP-Internal
network-object host 10.150.18.15
network-object host 10.150.44.28
!
object-group network 3PAR-Portal-External
network-object host 66.126.187.144
!
object-group network 3PAR-Collector-External
network-object host 66.126.187.154
!
object-group network 3PAR-SP-NAT-Internal
network-object host 202.154.69.240
network-object host 202.154.69.240
!
access-list acl-outside extended permit tcp object-group 3PAR-Portal-External object-group 3PAR-SP-NAT-Internal eq 22
access-list acl-inside extended permit tcp object-group 3PAR-SP-Internal object-group 3PAR-Portal-External eq 22
access-list acl-inside extended permit tcp object-group 3PAR-SP-Internal object-group 3PAR-Collector-External eq 443
access-list acl-inside extended permit icmp object-group 3PAR-SP-Internal object-group 3PAR-Collector-External echo
!
static (inside,outside) 202.154.69.240 10.150.18.15 netmask 255.255.255.255
static (inside,outside) 202.154.69.241 10.150.44.28 netmask 255.255.255.255
Here's the packet capture:
FWSM/fvxxxx# sh cap out
8 packets seen, 8 packets captured
1: 10:38:53.467173008 802.1Q vlan#136 P0 10.150.18.15.58194 > 66.126.187.144.22: S 675798721:675798721(0) win 5840
2: 10:38:56.467176008 802.1Q vlan#136 P0 10.150.18.15.58194 > 66.126.187.144.22: S 675798721:675798721(0) win 5840
3: 10:39:02.467182008 802.1Q vlan#136 P0 10.150.18.15.58194 > 66.126.187.144.22: S 675798721:675798721(0) win 5840
4: 10:39:14.467194008 802.1Q vlan#136 P0 10.150.18.15.58194 > 66.126.187.144.22: S 1606688849:1606688849(0) win 5840
5: 10:39:21.467201328 802.1Q vlan#136 P0 10.150.44.28.53601 > 66.126.187.144.22: S 4245408730:4245408730(0) win 5840
6: 10:39:24.467204328 802.1Q vlan#136 P0 10.150.44.28.53601 > 66.126.187.144.22: S 4245408730:4245408730(0) win 5840
7: 10:39:30.467210328 802.1Q vlan#136 P0 10.150.44.28.53601 > 66.126.187.144.22: S 4245408730:4245408730(0) win 5840
8: 10:39:42.467222328 802.1Q vlan#136 P0 10.150.44.28.53601 > 66.126.187.144.22: S 4245408730:4245408730(0) win 5840
8 packets shown
01-30-2012 07:16 PM
hi,
What is the ASA version?
01-30-2012 07:49 PM
Hi,
It's not an ASA FW. It's a FWSM module in a Cisco 6513 chassis.
The version is 3.2(13)
01-31-2012 09:44 PM
Hello Nirmal,
Obviously you are seeing the same packets on the inside interface, so definitely it's an issue with the NAT.
Please provide the following:
-packet-tracer input inside tcp 10.150.18.15 1025 66.126.187.144 22
Regards,
Do rate helpful posts
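
Added example (not part of any poster's reply and not Cisco code): a small Python check that cross-references the `static` lines with the `sh xlate debug` lines quoted in this thread and flags hosts whose xlate is an identity entry instead of the configured static. The sample input is copied from the thread; the function names and verdict labels are hypothetical.

```python
import re

# Sample input copied from the config and "sh xlate debug" lines quoted in this thread.
CONFIG = """\
static (inside,outside) 202.154.69.240 10.150.18.15 netmask 255.255.255.255
static (inside,outside) 202.154.69.241 10.150.44.28 netmask 255.255.255.255
"""
XLATE = """\
NAT from inside:10.150.18.15 to outside:10.150.18.15 flags Ii idle 0:01:40 timeout 3:00:00 connections 0
NAT from inside:10.150.44.28 to outside:10.150.44.28 flags Ii idle 0:00:08 timeout 3:00:00 connections 1
"""

IP = r"(\d+\.\d+\.\d+\.\d+)"
STATIC_RE = re.compile(r"^static \((\S+?),(\S+?)\) " + IP + " " + IP + r" netmask 255\.255\.255\.255$")
XLATE_RE = re.compile(r"^NAT from (\S+?):" + IP + r" to (\S+?):" + IP + r" flags (\S+)")

def parse_statics(text):
    """Map (real_if, mapped_if, local_ip) -> configured global IP (host statics only)."""
    statics = {}
    for line in text.splitlines():
        m = STATIC_RE.match(line.strip())
        if m:
            real_if, mapped_if, global_ip, local_ip = m.groups()
            statics[(real_if, mapped_if, local_ip)] = global_ip
    return statics

def check_xlates(config_text, xlate_text):
    """Return (local_ip, expected_global, observed_global, flags, verdict) per xlate line."""
    statics = parse_statics(config_text)
    findings = []
    for line in xlate_text.splitlines():
        m = XLATE_RE.match(line.strip())
        if not m:
            continue  # legend and counter lines carry no translation
        real_if, local_ip, mapped_if, observed, flags = m.groups()
        expected = statics.get((real_if, mapped_if, local_ip))
        if expected is None:
            verdict = "no-static-configured"
        elif observed == expected and "s" in flags:   # s = static (per the legend)
            verdict = "static-in-use"
        elif "I" in flags and observed == local_ip:   # I = identity (per the legend)
            verdict = "identity-instead-of-static"
        else:
            verdict = "mismatch"
        findings.append((local_ip, expected, observed, flags, verdict))
    return findings

if __name__ == "__main__":
    for finding in check_xlates(CONFIG, XLATE):
        print(finding)
```
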