Cisco Support Community

Translations Fail After Updating IP Addresses

I'm working on an ASA that currently sits behind another device that the ISP equipment terminates on.  The device has the real external addresses for the network (A.B.C.100) and it has a private range of for the internal network.  The ASA in turn has an outside address of and its default route sends all traffic to the 0.100 address which forwards it on.  I've been asked to remove the extra device and just have the ISP terminate directly on the ASA.  When I do this and assign the ASA the public address my internal clients are all able to get out as normal.  I removed the outside_in access-list and recreated it, substituting A.B.C. in any place that 10.0.0. was previously.  I also did the same with the static translations and I did a "clear xlate" and a "clear local-host all" after removing the old translations and adding the new ones.  For some reason at least 3 of the servers that have a 1-to-1 translation are no longer able to access the internet once I add the static translation.  I've included the nat and global statements and the access-lists they reference in case it helps.  I can post the entire sanitized config if needed.

interface Ethernet0/1
nameif inside
security-level 100
ip address

global (outside) 1 interface
global (outside) 2 A.B.C.180 netmask
nat (outside) 0 access-list outsidenat
nat (outside) 2 access-list vpnnat
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1

access-list outside_in remark Websense Email Security Filter
access-list outside_in extended permit tcp any host A.B.C.190 eq smtp
access-list inside_nat0_outbound extended permit ip
access-list inside_nat0_outbound extended permit ip
access-list extended extended deny ip
access-list vpnnat extended permit ip any

access-list outsidenat extended permit ip

access-group outside_in in interface outside

static (inside,outside) A.B.C.190 netmask

The server has a switch as its gateway, but that switch has its default route as the ASA (all our internal clients are set this way, but I can change the server if needed).
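
One way to sanity-check a renumbered config before loading it, as an added example that is not part of the original post: the script looks for addresses left in the old range, inbound ACL entries with no static translation behind them, and two statics sharing one mapped address. It assumes the pre-8.3 `static` and `access-list` syntax used in the thread; the sample config is constructed, with 203.0.113.x standing in for A.B.C.x and 192.168.1.x for the inside hosts.

```python
import re

# Constructed sample in pre-8.3 ASA syntax. 203.0.113.x stands in for the
# public A.B.C.x range; 10.0.0.x is the old intermediate range being retired.
SAMPLE = """\
global (outside) 1 interface
access-list outside_in extended permit tcp any host 203.0.113.190 eq smtp
access-list outside_in extended permit tcp any host 10.0.0.191 eq www
access-list outside_in extended permit tcp any host 203.0.113.192 eq https
static (inside,outside) 203.0.113.190 192.168.1.190 netmask 255.255.255.255
static (inside,outside) 10.0.0.191 192.168.1.191 netmask 255.255.255.255
static (inside,outside) 203.0.113.190 192.168.1.193 netmask 255.255.255.255
"""

STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) (\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+)")
ACL_HOST_RE = re.compile(r"^access-list (\S+) .*\bhost (\d+\.\d+\.\d+\.\d+)")

def parse_statics(config):
    """Return (mapped_ip, real_ip) for each one-to-one static translation."""
    return [(m.group(3), m.group(4))
            for m in map(STATIC_RE.match, config.splitlines()) if m]

def audit(config, old_prefix, acl_name="outside_in"):
    """Return a list of (kind, line_number, detail) findings."""
    findings = []
    mapped = [m for m, _ in parse_statics(config)]
    seen = set()
    for n, line in enumerate(config.splitlines(), 1):
        # 1. An address still in the old range survived the search-and-replace.
        if re.search(r"(?<![\d.])" + re.escape(old_prefix), line):
            findings.append(("stale-address", n, line.strip()))
        # 2. Inbound ACL entry whose destination has no static behind it.
        acl = ACL_HOST_RE.match(line)
        if acl and acl.group(1) == acl_name and acl.group(2) not in mapped:
            findings.append(("acl-without-static", n, acl.group(2)))
        # 3. Two statics claiming the same mapped (outside) address.
        st = STATIC_RE.match(line)
        if st:
            if st.group(3) in seen:
                findings.append(("duplicate-mapped", n, st.group(3)))
            seen.add(st.group(3))
    return findings

if __name__ == "__main__":
    for kind, n, detail in audit(SAMPLE, "10.0.0."):
        print(f"line {n}: {kind}: {detail}")
```
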


Translations Fail After Updating IP Addresses

Hi Bro

Can you add these lines and tell me what works and what doesn't?

access-list inside permit ip any any

access-group inside in interface inside

no global (outside) 2 A.B.C.180 netmask
no nat (outside) 0 access-list outsidenat
no nat (outside) 2 access-list vpnnat

P/S: If you think this comment is useful, please do rate it nicely :-)

Warm regards, Ramraj Sivagnanam Sivajanam Technical Specialist/Service Delivery Manager – Managed Service Department

Translations Fail After Updating IP Addresses

I had tried removing the nat (outside) statements and it didn't work as far as I remember.  I know the 2nd nat statement is used for their VPN clients to have access to the internet through the ASA.  I'll try to add the access-list entry the next time I make an attempt at this as well.  After reverting the changes last time I was made aware that there is a 4-port Linksys switch upstream of the load-balancer and ASA; so the connection goes ISP --> Linksys --> Load-Balancer (to be removed) --> ASA.  I was thinking next time I will reboot the Linksys in case it has any stale MAC entries referencing the load balancer.  This config only has the inside and outside and the inside hosts are translated to their outside address via static statements (just did a 1-to-1 since there are available IPs and this is how it presently is set up).

Translations Fail After Updating IP Addresses

Hi David,

When you run sh xlate or sh nat, does everything show correctly? I mean the translated hits for the servers like SMTP?

Do they reside in a separate zone, like a DMZ?

For SMTP, if it sits in the inside zone then you can do a static NAT:

static (inside,outside) a.b.c.180 25 25

Please do rate if the given information helps.


