Cisco Support Community
New Member

Want to NAT into a single IP address

I have configured 5 interfaces: Inside, Outside, DMZ, Branch_Offices and Management (this one has security level 100 to connect to another network). I need to NAT everything from Inside and from Branch_Offices into Management behind a single IP. I need to use the interface IP address because on the other network permission is assigned for this IP only.

Any suggestions? Here's the config:

 

: Saved

:

ASA Version 8.2(1)

!

hostname ASAFCHFW

domain-name

enable password 6Jfo5anznhoG00fM encrypted

names

!

interface Ethernet0/0

 nameif Outside

 security-level 0

 ip address XXX.YYY.ZZZ.123 255.255.255.248

!

interface Ethernet0/1

 nameif Branch_Office

 security-level 100

 ip address 192.168.2.1 255.255.255.0

!

interface Ethernet0/2

 nameif DMZ

 security-level 10

 ip address 172.16.31.1 255.255.255.0

!

interface Ethernet0/3

 nameif Inside

 security-level 100

 ip address 192.168.0.2 255.255.255.0

!

interface Management0/0

 nameif management

 security-level 100

 ip address 192.168.200.2 255.255.255.252

!

boot system disk0:/asa821-k8.bin

ftp mode passive

dns server-group DefaultDNS

 domain-name

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

object-group network POSLINKSER

 network-object host 192.168.41.101

 network-object host 192.168.41.102

 network-object host 192.168.41.103

 network-object host 192.168.41.104

 network-object host 192.168.41.105

 network-object host 192.168.41.106

 network-object host 192.168.27.101

 network-object host 192.168.27.102

 network-object host 192.168.27.103

 network-object host 192.168.27.104

 network-object host 192.168.27.105

 network-object host 192.168.27.106

 network-object host 192.168.42.101

 network-object host 192.168.42.102

 network-object host 192.168.42.103

 network-object host 192.168.42.104

 network-object host 192.168.42.105

 network-object host 192.168.42.106

 network-object host 192.168.23.101

 network-object host 192.168.23.102

 network-object host 192.168.23.103

 network-object host 192.168.23.104

 network-object host 192.168.23.105

 network-object host 192.168.23.106

 network-object host 192.168.39.101

 network-object host 192.168.39.102

 network-object host 192.168.39.103

 network-object host 192.168.39.104

 network-object host 192.168.39.105

 network-object host 192.168.39.106

 network-object host 192.168.40.101

 network-object host 192.168.40.102

 network-object host 192.168.40.103

 network-object host 192.168.40.104

 network-object host 192.168.40.105

 network-object host 192.168.40.106

 network-object host 192.168.0.62

object-group service RDP tcp

 port-object eq 3389

access-list dmz_in extended permit ip host 172.16.31.2 any

access-list dmz_in extended permit tcp host 172.16.31.2 any

access-list dmz_in extended permit udp host 172.16.31.2 any

access-list dmz_in extended permit tcp host 172.16.31.2 any eq 3000

access-list dmz_in extended permit tcp host 172.16.31.2 any eq https

access-list dmz_in extended permit udp host 172.16.31.2 any eq domain

access-list dmz_in extended permit tcp host 172.16.31.2 any eq pop3

access-list dmz_in extended permit tcp host 172.16.31.2 any eq smtp

access-list dmz_in extended permit tcp host 172.16.31.2 any eq www

access-list dmz_in extended permit tcp host 172.16.31.2 any eq 1000

access-list dmz_in extended permit tcp host 172.16.31.2 any eq echo

access-list Inside extended permit ip any any

access-list Inside extended permit icmp any any

access-list Inside extended permit tcp any any

access-list Inside extended permit udp any any

access-list 100 extended permit ip any host XXX.YYY.ZZZ.122

access-list 100 extended permit tcp any host XXX.YYY.ZZZ.122

access-list 100 extended permit udp any host XXX.YYY.ZZZ.122

access-list 100 extended permit tcp host XXX.YYY.ttt.162 host XXX.YYY.ZZZ.124 object-group RDP

access-list 100 extended permit tcp any host XXX.YYY.ZZZ.125 object-group RDP

access-list linkser extended permit ip 193.168.1.0 255.255.255.0 192.168.0.0 255.255.0.0

access-list linkser extended permit ip 192.168.0.0 255.255.0.0 193.168.1.0 255.255.255.0

access-list netflow-export extended permit ip any any

access-list outside_access_in extended permit tcp any host XXX.YYY.ZZZ.125 eq 3389 log

access-list outside_access_in extended permit tcp any host 192.168.0.25 eq 3389 log

pager lines 24

logging enable

logging buffered debugging

logging asdm informational

no logging message 106015

no logging message 313001

no logging message 313008

no logging message 106023

no logging message 710003

no logging message 106100

no logging message 302015

no logging message 302014

no logging message 302013

no logging message 302018

no logging message 302017

no logging message 302016

no logging message 302021

no logging message 302020

flow-export destination Inside 192.168.0.55 9996

flow-export template timeout-rate 1

flow-export delay flow-create 60

mtu Outside 1500

mtu Branch_Office 1500

mtu DMZ 1500

mtu Inside 1500

mtu management 1500

icmp unreachable rate-limit 1 burst-size 1

icmp permit host 192.168.0.43 Outside

icmp permit any Outside

icmp permit any DMZ

asdm image disk0:/asdm-647.bin

asdm history enable

arp timeout 14400

global (Outside) 101 interface

global (DMZ) 101 interface

global (management) 101 interface

nat (Branch_Office) 101 0.0.0.0 0.0.0.0

nat (DMZ) 101 0.0.0.0 0.0.0.0

nat (Inside) 101 0.0.0.0 0.0.0.0

nat (management) 101 0.0.0.0 0.0.0.0

static (DMZ,Inside) 172.16.31.0 172.16.31.0 netmask 255.255.255.0

static (Branch_Office,Inside) 192.168.2.0 192.168.2.0 netmask 255.255.255.0

static (Inside,DMZ) 192.168.0.0 192.168.0.0 netmask 255.255.255.0

static (Inside,Branch_Office) 192.168.0.0 192.168.0.0 netmask 255.255.255.0

static (DMZ,Branch_Office) 172.16.31.0 172.16.31.0 netmask 255.255.255.0

static (Branch_Office,DMZ) 192.168.2.0 192.168.2.0 netmask 255.255.255.0

static (Branch_Office,Inside) 192.168.3.0 192.168.3.0 netmask 255.255.255.0

static (Branch_Office,Inside) 172.16.1.0 172.16.1.0 netmask 255.255.255.0

static (Branch_Office,Inside) 172.16.2.0 172.16.2.0 netmask 255.255.255.0

static (Branch_Office,Inside) 172.16.3.0 172.16.3.0 netmask 255.255.255.0

static (Branch_Office,DMZ) 172.16.1.0 172.16.1.0 netmask 255.255.255.0

static (Branch_Office,Inside) 192.168.44.0 192.168.44.0 netmask 255.255.255.0

static (Branch_Office,Inside) 192.168.21.0 192.168.21.0 netmask 255.255.255.0

static (Branch_Office,Inside) 192.168.20.0 192.168.20.0 netmask 255.255.255.0

static (Branch_Office,Inside) 192.168.35.0 192.168.35.0 netmask 255.255.255.0

static (Branch_Office,Inside) 192.168.37.0 192.168.37.0 netmask 255.255.255.0

static (Branch_Office,Inside) 192.168.43.0 192.168.43.0 netmask 255.255.255.0

static (Branch_Office,Inside) 192.168.45.0 192.168.45.0 netmask 255.255.255.0

static (Branch_Office,Inside) 192.168.28.0 192.168.28.0 netmask 255.255.255.0

static (Branch_Office,Inside) 192.168.33.0 192.168.33.0 netmask 255.255.255.0

static (Branch_Office,Inside) 192.168.30.0 192.168.30.0 netmask 255.255.255.0

static (Branch_Office,Inside) 192.168.25.0 192.168.25.0 netmask 255.255.255.0

static (Branch_Office,Inside) 192.168.27.0 192.168.27.0 netmask 255.255.255.0

static (Branch_Office,Inside) 192.168.26.0 192.168.26.0 netmask 255.255.255.0

static (Branch_Office,Inside) 192.168.34.0 192.168.34.0 netmask 255.255.255.0

static (Branch_Office,Inside) 192.168.23.0 192.168.23.0 netmask 255.255.255.0

static (Branch_Office,Inside) 192.168.39.0 192.168.39.0 netmask 255.255.255.0

static (Branch_Office,Inside) 192.168.29.0 192.168.29.0 netmask 255.255.255.0

static (Branch_Office,Inside) 192.168.22.0 192.168.22.0 netmask 255.255.255.0

static (Branch_Office,Inside) 192.168.32.0 192.168.32.0 netmask 255.255.255.0

static (DMZ,Outside) XXX.YYY.ZZZ.122 172.16.31.2 netmask 255.255.255.255 dns

static (Branch_Office,Inside) 192.168.100.0 192.168.100.0 netmask 255.255.255.0

static (Branch_Office,Inside) 193.168.1.0 193.168.1.0 netmask 255.255.255.0

static (Branch_Office,Inside) 192.168.18.0 192.168.18.0 netmask 255.255.255.0

static (Branch_Office,Inside) 192.168.24.0 192.168.24.0 netmask 255.255.255.0

static (Branch_Office,Inside) 192.168.41.0 192.168.41.0 netmask 255.255.255.0

static (Branch_Office,Inside) 192.168.31.0 192.168.31.0 netmask 255.255.255.0

static (Branch_Office,Inside) 192.168.40.0 192.168.40.0 netmask 255.255.255.0

static (Inside,Outside) XXX.YYY.ZZZ.125 192.168.0.25 netmask 255.255.255.255

static (Branch_Office,Inside) 192.168.42.0 192.168.42.0 netmask 255.255.255.0

static (Branch_Office,Inside) 192.168.47.0 192.168.47.0 netmask 255.255.255.0

access-group 100 in interface Outside

route Outside 0.0.0.0 0.0.0.0 XXX.YYY.ZZZ.121 20

route Branch_Office 172.16.1.0 255.255.255.0 192.168.2.2 1

route Branch_Office 172.16.2.0 255.255.255.0 192.168.2.2 1

route Branch_Office 172.16.3.0 255.255.255.0 192.168.2.2 1

route Branch_Office 192.1.0.0 255.255.192.0 192.168.2.2 1

route Branch_Office 192.168.18.0 255.255.255.0 192.168.2.2 1

route Branch_Office 192.168.20.0 255.255.255.0 192.168.2.2 1

route Branch_Office 192.168.21.0 255.255.255.0 192.168.2.2 1

route Branch_Office 192.168.22.0 255.255.255.0 192.168.2.2 1

route Branch_Office 192.168.23.0 255.255.255.0 192.168.2.2 1

route Branch_Office 192.168.24.0 255.255.255.0 192.168.2.2 1

route Branch_Office 192.168.25.0 255.255.255.0 192.168.2.2 1

route Branch_Office 192.168.26.0 255.255.255.0 192.168.2.2 1

route Branch_Office 192.168.27.0 255.255.255.0 192.168.2.2 1

route Branch_Office 192.168.28.0 255.255.255.0 192.168.2.2 1

route Branch_Office 192.168.29.0 255.255.255.0 192.168.2.2 1

route Branch_Office 192.168.30.0 255.255.255.0 192.168.2.2 1

route Branch_Office 192.168.31.0 255.255.255.0 192.168.2.2 1

route Branch_Office 192.168.32.0 255.255.255.0 192.168.2.2 1

route Branch_Office 192.168.33.0 255.255.255.0 192.168.2.2 1

route Branch_Office 192.168.34.0 255.255.255.0 192.168.2.2 1

route Branch_Office 192.168.35.0 255.255.255.0 192.168.2.2 1

route Branch_Office 192.168.37.0 255.255.255.0 192.168.2.2 1

route Branch_Office 192.168.39.0 255.255.255.0 192.168.2.2 1

route Branch_Office 192.168.40.0 255.255.255.0 192.168.2.2 1

route Branch_Office 192.168.41.0 255.255.255.0 192.168.2.2 1

route Branch_Office 192.168.42.0 255.255.255.0 192.168.2.2 1

route Branch_Office 192.168.43.0 255.255.255.0 192.168.2.2 1

route Branch_Office 192.168.44.0 255.255.255.0 192.168.2.2 1

route Branch_Office 192.168.45.0 255.255.255.0 192.168.2.2 1

route Branch_Office 192.168.47.0 255.255.255.0 192.168.2.2 1

route Branch_Office 192.168.100.0 255.255.255.0 192.168.2.2 1

route Branch_Office 193.168.1.0 255.255.255.0 192.168.2.2 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

dynamic-access-policy-record DfltAccessPolicy

aaa authentication http console LOCAL

http server enable

http 192.168.1.0 255.255.255.0 management

http 192.168.0.0 255.255.255.0 Inside

http 0.0.0.0 0.0.0.0 Outside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

telnet XXX.YYY.ttt.160 255.255.255.248 Outside

telnet 0.0.0.0 0.0.0.0 Branch_Office

telnet 172.16.31.0 255.255.255.0 DMZ

telnet 192.168.0.0 255.255.255.0 Inside

telnet timeout 5

ssh timeout 5

console timeout 0

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

webvpn

username eguerra password dr6zkC4iOPQHLH5f encrypted privilege 15

!

class-map netflow-export-class

 match access-list netflow-export

class-map inspection_default

 match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

 parameters

  message-length maximum 512

policy-map global_policy

 class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny

  inspect sunrpc

  inspect xdmcp

  inspect sip

  inspect netbios

  inspect tftp

  inspect icmp

  inspect icmp error

 class netflow-export-class

  flow-export event-type all destination 192.168.0.55

!

service-policy global_policy global

prompt hostname context

Cryptochecksum:5348605d189f72458cc23bac225698be

: end

ASAFCHFW#

  • Firewalling
9 REPLIES
VIP Green

Does the setup work from Inside to management, but you are having issues from Branch_Office to management?

--

Please remember to select a correct answer and rate helpful posts

-- Please remember to rate and select a correct answer
New Member

It does not work for either Inside or Branch_Offices. I cannot reach it from anywhere, but if I connect a cable directly to a PC and assign an IP address, I can reach that network.

VIP Green

Run a packet tracer and see if that tells you where the packet is being stopped:

packet-tracer input inside tcp <inside host IP> 12345 <management host IP> 80 detail

packet-tracer input Branch_Office tcp <Branch_Office host IP> 12345 <management host IP> 80 detail

Post the output here.

New Member

Here are the answers:

Result of the command: "packet-tracer input inside tcp 192.168.0.50 12345 192.168.200.1 80 detail"
 
Phase: 1
Type: ACCESS-LIST
Subtype: 
Result: ALLOW
Config:
Implicit Rule
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xab876b98, priority=1, domain=permit, deny=false
hits=1360068933, user_data=0x0, cs_id=0x0, l3_type=0x8
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0000.0000.0000
 
Phase: 2
Type: FLOW-LOOKUP
Subtype: 
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
 
Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   192.168.200.0   255.255.255.252 management
 
Phase: 4
Type: ACCESS-LIST
Subtype: 
Result: ALLOW
Config:
Implicit Rule
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xab877400, priority=2, domain=permit, deny=false
hits=1026969, user_data=0x0, cs_id=0x0, flags=0x3000, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
 
Phase: 5
Type: IP-OPTIONS
Subtype: 
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xab8793a8, priority=0, domain=permit-ip-option, deny=true
hits=2627387, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
 
Phase: 6
Type: 
Subtype: 
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xac268b00, priority=17, domain=flow-export, deny=false
hits=1865794, user_data=0xac24dbc0, cs_id=0x0, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
 
Phase: 7
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (Inside,DMZ) 192.168.0.0 192.168.0.0 netmask 255.255.255.0 
  match ip Inside 192.168.0.0 255.255.255.0 DMZ any
    static translation to 192.168.0.0
    translate_hits = 23871, untranslate_hits = 5933
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xab94dca0, priority=5, domain=host, deny=false
hits=2829359, user_data=0xab94d0a0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=192.168.0.0, mask=255.255.255.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
 
Phase: 8
Type: NAT
Subtype: 
Result: ALLOW
Config:
nat (Inside) 101 0.0.0.0 0.0.0.0
  match ip Inside any management any
    dynamic translation to pool 101 (192.168.200.2 [Interface PAT])
    translate_hits = 11179, untranslate_hits = 0
Additional Information:
Dynamic translate 192.168.0.50/12345 to 192.168.200.2/58950 using netmask 255.255.255.255
 Forward Flow based lookup yields rule:
 in  id=0xab948d68, priority=1, domain=nat, deny=false
hits=11178, user_data=0xab948ca8, cs_id=0x0, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
 
Phase: 9
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
nat (management) 101 0.0.0.0 0.0.0.0
  match ip management any Inside any
    dynamic translation to pool 101 (No matching global)
    translate_hits = 0, untranslate_hits = 0
Additional Information:
 Forward Flow based lookup yields rule:
 out id=0xab4b41d8, priority=1, domain=nat-reverse, deny=false
hits=11178, user_data=0xac737b68, cs_id=0x0, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
 
Result:
input-interface: Inside
input-status: up
input-line-status: up
output-interface: management
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
 
Result of the command: "packet-tracer input Branch_Office tcp 192.168.26.10 12345 192.168.200.1 80 detail"
 
Phase: 1
Type: ACCESS-LIST
Subtype: 
Result: ALLOW
Config:
Implicit Rule
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xab7f5c98, priority=1, domain=permit, deny=false
hits=2545039495, user_data=0x0, cs_id=0x0, l3_type=0x8
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0000.0000.0000
 
Phase: 2
Type: FLOW-LOOKUP
Subtype: 
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
 
Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   192.168.200.0   255.255.255.252 management
 
Phase: 4
Type: ACCESS-LIST
Subtype: 
Result: ALLOW
Config:
Implicit Rule
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xab7f6500, priority=2, domain=permit, deny=false
hits=895169, user_data=0x0, cs_id=0x0, flags=0x3000, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
 
Phase: 5
Type: IP-OPTIONS
Subtype: 
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xab7f84a8, priority=0, domain=permit-ip-option, deny=true
hits=1929410, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
 
Phase: 6
Type: 
Subtype: 
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xac268480, priority=17, domain=flow-export, deny=false
hits=982647, user_data=0xac24dbc0, cs_id=0x0, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
 
Phase: 7
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (Branch_Office,Inside) 192.168.26.0 192.168.26.0 netmask 255.255.255.0 
  match ip Branch_Office 192.168.26.0 255.255.255.0 Inside any
    static translation to 192.168.26.0
    translate_hits = 47339, untranslate_hits = 26257
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xab96bd48, priority=5, domain=host, deny=false
hits=62871, user_data=0xab96b148, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=192.168.26.0, mask=255.255.255.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
 
Phase: 8
Type: NAT
Subtype: 
Result: ALLOW
Config:
nat (Branch_Office) 101 0.0.0.0 0.0.0.0
  match ip Branch_Office any management any
    dynamic translation to pool 101 (192.168.200.2 [Interface PAT])
    translate_hits = 1, untranslate_hits = 0
Additional Information:
Dynamic translate 192.168.26.10/12345 to 192.168.200.2/19406 using netmask 255.255.255.255
 Forward Flow based lookup yields rule:
 in  id=0xab945368, priority=1, domain=nat, deny=false
hits=0, user_data=0xab9452a8, cs_id=0x0, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
 
Phase: 9
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
nat (management) 101 0.0.0.0 0.0.0.0
  match ip management any Branch_Office any
    dynamic translation to pool 101 (No matching global)
    translate_hits = 0, untranslate_hits = 0
Additional Information:
 Forward Flow based lookup yields rule:
 out id=0xac6b4578, priority=1, domain=nat-reverse, deny=false
hits=0, user_data=0xac6f4a38, cs_id=0x0, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
 
Result:
input-interface: Branch_Office
input-status: up
input-line-status: up
output-interface: management
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
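Both traces above stop at Phase 9 (NAT rpf-check) with "dynamic translation to pool 101 (No matching global)": the return direction, management to Inside (or to Branch_Office), matches `nat (management) 101`, but there is no `global (Inside) 101` or `global (Branch_Office) 101` to pair it with. The script below is an added example, not code from the thread or from Cisco. It parses the `nameif`, `nat`, `global` and `static` lines of an 8.2-style configuration and, for every ordered interface pair, lists which rule would carry the traffic, flagging pairs where the ingress interface has a nat rule that pairs with nothing on the egress side. The first embedded excerpt is copied from the configuration posted at the top of the thread (one static per interface pair); the second swaps in the nat/global lines of the follow-up configuration posted later in the thread; the third (the original minus the nat rule on management) is a candidate I constructed and is an assumption, not something the thread confirms. Whether management-sourced traffic then passes untranslated depends on nat-control being disabled, which is the 8.2 default and is not enabled in the posted configuration.

```python
"""Rule-pairing check for ASA 8.2 nat/global/static statements (added example).

Model, taken from what the packet-tracer output above shows: traffic entering
interface A and leaving interface B is carried by a `static (A,B)` (or, for
return traffic, a `static (B,A)`), or by a `nat (A) <id>` paired with a
`global (B) <id>` carrying the SAME id. A nat rule on A whose id has no global
on B, with no static for the pair, is what packet-tracer reported as
"No matching global" before dropping.  Assumptions (simplifications, not ASA
internals): address ranges, policy NAT (nat ... access-list), nat 0 exemption
and intra-interface flows are ignored.
"""
import re
from collections import defaultdict

NAMEIF_RE = re.compile(r"^\s*nameif\s+(\S+)")
NAT_RE = re.compile(r"^nat\s+\(([^)]+)\)\s+(\d+)\b")
GLOBAL_RE = re.compile(r"^global\s+\(([^)]+)\)\s+(\d+)\b")
STATIC_RE = re.compile(r"^static\s+\(([^,)]+),([^,)]+)\)")


def parse(config):
    """Return (interfaces, nat ids per ingress, global ids per egress, static pairs)."""
    ifaces, nats, globs, statics = [], defaultdict(set), defaultdict(set), set()
    for raw in config.splitlines():
        line = raw.rstrip()
        if m := NAMEIF_RE.match(line):
            ifaces.append(m.group(1))
        elif m := NAT_RE.match(line):
            if int(m.group(2)) != 0:          # nat 0 = no translation, not a pool id
                nats[m.group(1)].add(int(m.group(2)))
        elif m := GLOBAL_RE.match(line):
            globs[m.group(1)].add(int(m.group(2)))
        elif m := STATIC_RE.match(line):
            statics.add((m.group(1), m.group(2)))
    return ifaces, nats, globs, statics


def mechanisms(a, b, nats, globs, statics):
    """Every rule that can carry traffic entering `a` and leaving `b`."""
    found = []
    if (a, b) in statics:
        found.append("static")
    if (b, a) in statics:
        found.append("static (reverse)")
    found += [f"nat-id {i}" for i in sorted(nats[a] & globs[b])]
    return found


def analyse(config):
    """Map every ordered interface pair (a != b) to its list of mechanisms."""
    ifaces, nats, globs, statics = parse(config)
    return {(a, b): mechanisms(a, b, nats, globs, statics)
            for a in ifaces for b in ifaces if a != b}


def gaps(config):
    """Pairs whose ingress has a nat rule that pairs with nothing on the egress.

    These are the pairs the rpf-check phase in the thread tripped over. Pairs
    with no nat rule at all on the ingress side are not listed: with nat-control
    disabled (the 8.2 default) they pass untranslated.
    """
    _, nats, _, _ = parse(config)
    return sorted((a, b) for (a, b), m in analyse(config).items() if nats[a] and not m)


# Excerpt of the first configuration posted in the thread.
CONFIG_ORIGINAL = """\
 nameif Outside
 nameif Branch_Office
 nameif DMZ
 nameif Inside
 nameif management
global (Outside) 101 interface
global (DMZ) 101 interface
global (management) 101 interface
nat (Branch_Office) 101 0.0.0.0 0.0.0.0
nat (DMZ) 101 0.0.0.0 0.0.0.0
nat (Inside) 101 0.0.0.0 0.0.0.0
nat (management) 101 0.0.0.0 0.0.0.0
static (DMZ,Inside) 172.16.31.0 172.16.31.0 netmask 255.255.255.0
static (Branch_Office,Inside) 192.168.2.0 192.168.2.0 netmask 255.255.255.0
static (Inside,DMZ) 192.168.0.0 192.168.0.0 netmask 255.255.255.0
static (Inside,Branch_Office) 192.168.0.0 192.168.0.0 netmask 255.255.255.0
static (DMZ,Branch_Office) 172.16.31.0 172.16.31.0 netmask 255.255.255.0
static (Branch_Office,DMZ) 192.168.2.0 192.168.2.0 netmask 255.255.255.0
static (DMZ,Outside) XXX.YYY.ZZZ.122 172.16.31.2 netmask 255.255.255.255 dns
static (Inside,Outside) XXX.YYY.ZZZ.125 192.168.0.25 netmask 255.255.255.255
"""

# Same excerpt with the nat/global lines of the follow-up configuration in the thread.
CONFIG_FOLLOWUP = CONFIG_ORIGINAL.replace(
    "global (management) 101 interface", "global (management) 102 interface"
).replace("nat (management) 101 0.0.0.0 0.0.0.0", "nat (management) 102 0.0.0.0 0.0.0.0")

# Constructed candidate (assumption, not tested in the thread): no nat rule on
# management, since only Inside/Branch_Office -> management needs PAT.
CONFIG_CANDIDATE = CONFIG_ORIGINAL.replace("nat (management) 101 0.0.0.0 0.0.0.0\n", "")

if __name__ == "__main__":
    for name, cfg in (("original", CONFIG_ORIGINAL), ("follow-up", CONFIG_FOLLOWUP),
                      ("candidate", CONFIG_CANDIDATE)):
        print(f"{name:9s} gaps: {gaps(cfg) or 'none'}")
```

On the original excerpt the check reports exactly the two pairs the traces dropped on, management to Branch_Office and management to Inside; on the follow-up excerpt every pair involving management is a gap, since nat id 101 on the other interfaces no longer pairs with `global (management) 102`. Run it against the full running-config (`show running-config`) rather than an excerpt when using it for real, and remember it says nothing about the access-lists or routes that also have to allow the flow.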
VIP Green

I suggest changing your NAT statements to the following:

global (Outside) 101 interface

global (DMZ) 102 interface

global (management) 103 interface

nat (Branch_Office) 101 0.0.0.0 0.0.0.0

nat (DMZ) 101 0.0.0.0 0.0.0.0

nat (Inside) 101 0.0.0.0 0.0.0.0

nat (management) 101 0.0.0.0 0.0.0.0

nat (Branch_Office) 102 0.0.0.0 0.0.0.0

nat (Inside) 102 0.0.0.0 0.0.0.0

nat (management) 102 0.0.0.0 0.0.0.0

nat (Branch_Office) 103 0.0.0.0 0.0.0.0

nat (Inside) 103 0.0.0.0 0.0.0.0

New Member

Cannot add the 102 and 103 NAT entries. Here's the output:

 

ASAFCHFW(config)# nat (Branch_Office) 102 0.0.0.0 0.0.0.0
Duplicate NAT entry
ASAFCHFW(config)# nat (Inside) 102 0.0.0.0 0.0.0.0
Duplicate NAT entry

VIP Green

Sorry, I forgot to mention that you need to remove the old configuration before you enter the new one. So do this during a service window, since it will cause some downtime.

Remember to take a backup of the old configuration in case you need to rollback

New Member

Marius, I can ping 192.168.200.1 from the ASA now, but I cannot ping it from the Inside network.

Here's the config:

: Saved

:

ASA Version 8.2(1)

!

hostname ASAFCHFW

domain-name farmaciachavez.com.bo

enable password 6Jfo5anznhoG00fM encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

names

!

interface Ethernet0/0

 nameif Outside

 security-level 0

 ip address xxx.yyy.zzz.123 255.255.255.248

!

interface Ethernet0/1

 nameif Branch_Office

 security-level 100

 ip address 192.168.2.1 255.255.255.0

!

interface Ethernet0/2

 nameif DMZ

 security-level 10

 ip address 172.16.31.1 255.255.255.0

!

interface Ethernet0/3

 nameif Inside

 security-level 100

 ip address 192.168.0.2 255.255.255.0

!

interface Management0/0

 nameif management

 security-level 100

 ip address 192.168.200.2 255.255.255.252

!

boot system disk0:/asa821-k8.bin

ftp mode passive

dns server-group DefaultDNS

 domain-name farmaciachavez.com.bo

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

object-group service RDP tcp

 port-object eq 3389

object-group network Subredes

 network-object 192.168.10.0 255.255.255.0

 network-object 192.168.11.0 255.255.255.0

 network-object 192.168.12.0 255.255.255.0

 network-object 192.168.13.0 255.255.255.0

 network-object 192.168.14.0 255.255.255.0

 network-object 192.168.15.0 255.255.255.0

 network-object 192.168.16.0 255.255.255.0

 network-object 192.168.17.0 255.255.255.0

 network-object 192.168.18.0 255.255.255.0

 network-object 192.168.19.0 255.255.255.0

 network-object 192.168.20.0 255.255.255.0

 network-object 192.168.21.0 255.255.255.0

 network-object 192.168.22.0 255.255.255.0

 network-object 192.168.23.0 255.255.255.0

 network-object 192.168.24.0 255.255.255.0

 network-object 192.168.25.0 255.255.255.0

 network-object 192.168.26.0 255.255.255.0

 network-object 192.168.27.0 255.255.255.0

 network-object 192.168.28.0 255.255.255.0

 network-object 192.168.29.0 255.255.255.0

 network-object 192.168.30.0 255.255.255.0

 network-object 192.168.31.0 255.255.255.0

 network-object 192.168.32.0 255.255.255.0

 network-object 192.168.33.0 255.255.255.0

 network-object 192.168.34.0 255.255.255.0

 network-object 192.168.35.0 255.255.255.0

 network-object 192.168.36.0 255.255.255.0

 network-object 192.168.37.0 255.255.255.0

 network-object 192.168.38.0 255.255.255.0

 network-object 192.168.39.0 255.255.255.0

 network-object 192.168.40.0 255.255.255.0

 network-object 192.168.41.0 255.255.255.0

 network-object 192.168.42.0 255.255.255.0

 network-object 192.168.43.0 255.255.255.0

 network-object 192.168.44.0 255.255.255.0

 network-object 192.168.45.0 255.255.255.0

 network-object 192.168.46.0 255.255.255.0

 network-object 192.168.47.0 255.255.255.0

 network-object 192.168.48.0 255.255.255.0

 network-object 192.168.49.0 255.255.255.0

 network-object 192.168.50.0 255.255.255.0

 network-object 192.168.51.0 255.255.255.0

 network-object 192.168.52.0 255.255.255.0

 network-object 192.168.53.0 255.255.255.0

access-list dmz_in extended permit ip host 172.16.31.2 any

access-list dmz_in extended permit tcp host 172.16.31.2 any

access-list dmz_in extended permit udp host 172.16.31.2 any

access-list dmz_in extended permit tcp host 172.16.31.2 any eq 3000

access-list dmz_in extended permit tcp host 172.16.31.2 any eq https

access-list dmz_in extended permit udp host 172.16.31.2 any eq domain

access-list dmz_in extended permit tcp host 172.16.31.2 any eq pop3

access-list dmz_in extended permit tcp host 172.16.31.2 any eq smtp

access-list dmz_in extended permit tcp host 172.16.31.2 any eq www

access-list dmz_in extended permit tcp host 172.16.31.2 any eq 1000

access-list dmz_in extended permit tcp host 172.16.31.2 any eq echo

access-list Inside extended permit ip any any

access-list Inside extended permit icmp any any

access-list Inside extended permit tcp any any

access-list Inside extended permit udp any any

access-list 100 extended permit ip any host xxx.yyy.zzz.122

access-list 100 extended permit tcp any host xxx.yyy.zzz.122

access-list 100 extended permit udp any host xxx.yyy.zzz.122

access-list 100 extended permit tcp any host xxx.yyy.zzz.125 object-group RDP

access-list linkser extended permit ip 193.168.1.0 255.255.255.0 192.168.0.0 255.255.0.0

access-list linkser extended permit ip 192.168.0.0 255.255.0.0 193.168.1.0 255.255.255.0

access-list netflow-export extended permit ip any any

access-list outside_access_in extended permit tcp any host xxx.yyy.zzz.125 eq 3389 log

access-list outside_access_in extended permit tcp any host 192.168.0.25 eq 3389 log

access-list AlianzaNET extended permit ip object-group Subredes 192.168.200.0 255.255.255.252

access-list AlianzaNET extended permit ip 192.168.200.0 255.255.255.252 192.168.0.0 255.255.128.0

access-list AlianzaNET extended permit ip 192.168.0.0 255.255.128.0 192.168.200.0 255.255.255.252

pager lines 24

logging enable

logging buffered debugging

logging asdm informational

no logging message 106015

no logging message 313001

no logging message 313008

no logging message 106023

no logging message 710003

no logging message 106100

no logging message 302015

no logging message 302014

no logging message 302013

no logging message 302018

no logging message 302017

no logging message 302016

no logging message 302021

no logging message 302020

flow-export destination Inside 192.168.0.55 9996

flow-export template timeout-rate 1

flow-export delay flow-create 60

mtu Outside 1500

mtu Branch_Office 1500

mtu DMZ 1500

mtu Inside 1500

mtu management 1500

icmp unreachable rate-limit 1 burst-size 1

icmp permit host 192.168.0.43 Outside

icmp permit any Outside

icmp permit any DMZ

asdm image disk0:/asdm-647.bin

asdm history enable

arp timeout 14400

global (Outside) 101 interface

global (DMZ) 101 interface

global (management) 102 interface

nat (Branch_Office) 101 0.0.0.0 0.0.0.0

nat (DMZ) 101 0.0.0.0 0.0.0.0

nat (Inside) 101 0.0.0.0 0.0.0.0

nat (management) 102 0.0.0.0 0.0.0.0

static (DMZ,Inside) 172.16.31.0 172.16.31.0 netmask 255.255.255.0

static (Branch_Office,Inside) 192.168.2.0 192.168.2.0 netmask 255.255.255.0

static (Inside,DMZ) 192.168.0.0 192.168.0.0 netmask 255.255.255.0

static (Inside,Branch_Office) 192.168.0.0 192.168.0.0 netmask 255.255.255.0

static (DMZ,Branch_Office) 172.16.31.0 172.16.31.0 netmask 255.255.255.0

static (Branch_Office,DMZ) 192.168.2.0 192.168.2.0 netmask 255.255.255.0

static (Branch_Office,Inside) 192.168.3.0 192.168.3.0 netmask 255.255.255.0

static (Branch_Office,Inside) 172.16.1.0 172.16.1.0 netmask 255.255.255.0

static (Branch_Office,Inside) 172.16.2.0 172.16.2.0 netmask 255.255.255.0

static (Branch_Office,Inside) 172.16.3.0 172.16.3.0 netmask 255.255.255.0

static (Branch_Office,DMZ) 172.16.1.0 172.16.1.0 netmask 255.255.255.0

static (Branch_Office,Inside) 192.168.44.0 192.168.44.0 netmask 255.255.255.0

static (Branch_Office,Inside) 192.168.21.0 192.168.21.0 netmask 255.255.255.0

static (Branch_Office,Inside) 192.168.20.0 192.168.20.0 netmask 255.255.255.0

static (Branch_Office,Inside) 192.168.35.0 192.168.35.0 netmask 255.255.255.0

static (Branch_Office,Inside) 192.168.37.0 192.168.37.0 netmask 255.255.255.0

static (Branch_Office,Inside) 192.168.43.0 192.168.43.0 netmask 255.255.255.0

static (Branch_Office,Inside) 192.168.45.0 192.168.45.0 netmask 255.255.255.0

static (Branch_Office,Inside) 192.168.28.0 192.168.28.0 netmask 255.255.255.0

static (Branch_Office,Inside) 192.168.33.0 192.168.33.0 netmask 255.255.255.0

static (Branch_Office,Inside) 192.168.30.0 192.168.30.0 netmask 255.255.255.0

static (Branch_Office,Inside) 192.168.25.0 192.168.25.0 netmask 255.255.255.0

static (Branch_Office,Inside) 192.168.27.0 192.168.27.0 netmask 255.255.255.0

static (Branch_Office,Inside) 192.168.26.0 192.168.26.0 netmask 255.255.255.0

static (Branch_Office,Inside) 192.168.34.0 192.168.34.0 netmask 255.255.255.0

static (Branch_Office,Inside) 192.168.23.0 192.168.23.0 netmask 255.255.255.0

static (Branch_Office,Inside) 192.168.39.0 192.168.39.0 netmask 255.255.255.0

static (Branch_Office,Inside) 192.168.29.0 192.168.29.0 netmask 255.255.255.0

static (Branch_Office,Inside) 192.168.22.0 192.168.22.0 netmask 255.255.255.0

static (Branch_Office,Inside) 192.168.32.0 192.168.32.0 netmask 255.255.255.0

static (DMZ,Outside) xxx.yyy.zzz.122 172.16.31.2 netmask 255.255.255.255 dns

static (Branch_Office,Inside) 192.168.100.0 192.168.100.0 netmask 255.255.255.0

static (Branch_Office,Inside) 193.168.1.0 193.168.1.0 netmask 255.255.255.0

static (Branch_Office,Inside) 192.168.18.0 192.168.18.0 netmask 255.255.255.0

static (Branch_Office,Inside) 192.168.24.0 192.168.24.0 netmask 255.255.255.0

static (Branch_Office,Inside) 192.168.41.0 192.168.41.0 netmask 255.255.255.0

static (Branch_Office,Inside) 192.168.31.0 192.168.31.0 netmask 255.255.255.0

static (Branch_Office,Inside) 192.168.40.0 192.168.40.0 netmask 255.255.255.0

static (Inside,Outside) xxx.yyy.zzz.125 192.168.0.25 netmask 255.255.255.255

static (Branch_Office,Inside) 192.168.42.0 192.168.42.0 netmask 255.255.255.0

static (Branch_Office,Inside) 192.168.47.0 192.168.47.0 netmask 255.255.255.0

access-group 100 in interface Outside

route Outside 0.0.0.0 0.0.0.0 xxx.yyy.zzz.121 20

route Branch_Office 172.16.1.0 255.255.255.0 192.168.2.2 1

route Branch_Office 172.16.2.0 255.255.255.0 192.168.2.2 1

route Branch_Office 172.16.3.0 255.255.255.0 192.168.2.2 1

route Branch_Office 192.1.0.0 255.255.192.0 192.168.2.2 1

route Branch_Office 192.168.18.0 255.255.255.0 192.168.2.2 1

route Branch_Office 192.168.20.0 255.255.255.0 192.168.2.2 1

route Branch_Office 192.168.21.0 255.255.255.0 192.168.2.2 1

route Branch_Office 192.168.22.0 255.255.255.0 192.168.2.2 1

route Branch_Office 192.168.23.0 255.255.255.0 192.168.2.2 1

route Branch_Office 192.168.24.0 255.255.255.0 192.168.2.2 1

route Branch_Office 192.168.25.0 255.255.255.0 192.168.2.2 1

route Branch_Office 192.168.26.0 255.255.255.0 192.168.2.2 1

route Branch_Office 192.168.27.0 255.255.255.0 192.168.2.2 1

route Branch_Office 192.168.28.0 255.255.255.0 192.168.2.2 1

route Branch_Office 192.168.29.0 255.255.255.0 192.168.2.2 1

route Branch_Office 192.168.30.0 255.255.255.0 192.168.2.2 1

route Branch_Office 192.168.31.0 255.255.255.0 192.168.2.2 1

route Branch_Office 192.168.32.0 255.255.255.0 192.168.2.2 1

route Branch_Office 192.168.33.0 255.255.255.0 192.168.2.2 1

route Branch_Office 192.168.34.0 255.255.255.0 192.168.2.2 1

route Branch_Office 192.168.35.0 255.255.255.0 192.168.2.2 1

route Branch_Office 192.168.37.0 255.255.255.0 192.168.2.2 1

route Branch_Office 192.168.39.0 255.255.255.0 192.168.2.2 1

route Branch_Office 192.168.40.0 255.255.255.0 192.168.2.2 1

route Branch_Office 192.168.41.0 255.255.255.0 192.168.2.2 1

route Branch_Office 192.168.42.0 255.255.255.0 192.168.2.2 1

route Branch_Office 192.168.43.0 255.255.255.0 192.168.2.2 1

route Branch_Office 192.168.44.0 255.255.255.0 192.168.2.2 1

route Branch_Office 192.168.45.0 255.255.255.0 192.168.2.2 1

route Branch_Office 192.168.47.0 255.255.255.0 192.168.2.2 1

route Branch_Office 192.168.100.0 255.255.255.0 192.168.2.2 1

route Branch_Office 193.168.1.0 255.255.255.0 192.168.2.2 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

dynamic-access-policy-record DfltAccessPolicy

aaa authentication http console LOCAL

http server enable

http 192.168.1.0 255.255.255.0 management

http 192.168.0.0 255.255.255.0 Inside

http 0.0.0.0 0.0.0.0 Outside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

telnet 0.0.0.0 0.0.0.0 Outside

telnet 0.0.0.0 0.0.0.0 Branch_Office

telnet 172.16.31.0 255.255.255.0 DMZ

telnet 192.168.0.0 255.255.255.0 Inside

telnet timeout 5

ssh timeout 5

console timeout 0

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

webvpn

username eguerra password dr6zkC4iOPQHLH5f encrypted privilege 15

!

class-map netflow-export-class

 match access-list netflow-export

class-map inspection_default

 match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

 parameters

  message-length maximum 512

policy-map global_policy

 class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny 

  inspect sunrpc

  inspect xdmcp

  inspect sip 

  inspect netbios

  inspect tftp

  inspect icmp

  inspect icmp error

 class netflow-export-class

  flow-export event-type all destination 192.168.0.55

!

service-policy global_policy global

prompt hostname context

Cryptochecksum:9b94ab60ff7bf936ff1f1c4b36c25670

: end

VIP Green

You need to remove the old dynamic NAT commands first and then reapply the new ones

Here they are again:

global (Outside) 101 interface

global (DMZ) 102 interface

global (management) 103 interface

nat (Branch_Office) 101 0.0.0.0 0.0.0.0

nat (DMZ) 101 0.0.0.0 0.0.0.0

nat (Inside) 101 0.0.0.0 0.0.0.0

nat (management) 101 0.0.0.0 0.0.0.0

nat (Branch_Office) 102 0.0.0.0 0.0.0.0

nat (Inside) 102 0.0.0.0 0.0.0.0

nat (management) 102 0.0.0.0 0.0.0.0

nat (Branch_Office) 103 0.0.0.0 0.0.0.0

nat (Inside) 103 0.0.0.0 0.0.0.0

--

Please remember to select a correct answer and rate helpful posts
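Why the original nat/global pairing never translated Inside or Branch_Office traffic toward management, and why the reply's set does, can be checked with a small model of the ASA 8.2 matching rule. This is an added illustration, not code from the thread or from Cisco: it assumes the documented rule that a nat statement on the ingress interface is only used when a global with the same id exists on the egress interface, and that nat-control is disabled (the default, and not enabled in the posted config); ORIGINAL copies the poster's nat/global lines, CORRECTED the relevant lines of the reply.

```python
# Model of ASA 8.2 dynamic NAT matching (added illustration, not from the thread):
# traffic entering interface A and leaving B is translated only when some
# 'nat (A) <id>' has a 'global (B) <id>' with the same id. Configs are from the posts.
import re
from typing import Dict, List, Optional, Tuple

NAT_RE = re.compile(r"^nat \((\S+)\) (\d+) \S+ \S+$")
GLOBAL_RE = re.compile(r"^global \((\S+)\) (\d+) (\S+)$")

def parse_nat(config: str) -> Tuple[List[Tuple[str, int]], Dict[Tuple[str, int], str]]:
    """Ordered (ingress, id) nat statements and (egress, id) -> global pool."""
    nats, globals_ = [], {}
    for line in config.strip().splitlines():
        if m := NAT_RE.match(line.strip()):
            nats.append((m.group(1), int(m.group(2))))
        elif m := GLOBAL_RE.match(line.strip()):
            globals_[(m.group(1), int(m.group(2)))] = m.group(3)
    return nats, globals_

def resolve(config: str, ingress: str, egress: str) -> Optional[str]:
    """Global pool for ingress->egress traffic ('interface' = PAT to the egress
    interface IP), or None when no nat id on ingress has a global on egress;
    with nat-control disabled, as assumed here, that traffic leaves untranslated."""
    nats, globals_ = parse_nat(config)
    for iface, nat_id in nats:
        if iface == ingress and (egress, nat_id) in globals_:
            return globals_[(egress, nat_id)]
    return None

ORIGINAL = """
global (Outside) 101 interface
global (DMZ) 101 interface
global (management) 102 interface
nat (Branch_Office) 101 0.0.0.0 0.0.0.0
nat (DMZ) 101 0.0.0.0 0.0.0.0
nat (Inside) 101 0.0.0.0 0.0.0.0
nat (management) 102 0.0.0.0 0.0.0.0
"""
CORRECTED = """
global (Outside) 101 interface
global (DMZ) 102 interface
global (management) 103 interface
nat (Branch_Office) 101 0.0.0.0 0.0.0.0
nat (Inside) 101 0.0.0.0 0.0.0.0
nat (Branch_Office) 103 0.0.0.0 0.0.0.0
nat (Inside) 103 0.0.0.0 0.0.0.0
"""
if __name__ == "__main__":
    for cfg in (ORIGINAL, CORRECTED):
        print([resolve(cfg, src, "management") for src in ("Inside", "Branch_Office")])
```

With ORIGINAL the Inside and Branch_Office rows resolve to None for management (no global 101 on that interface), while CORRECTED resolves both to the management interface address via id 103.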
