Cisco Support Community
New Member

Binding inside nat statement to outermost interface

Hello,

I think I've achieved ASA misconfiguration somehow.

After adding nat like that:

nat (wifiguest) 1 10.10.27.0 255.255.255.0

I got the warning:

WARNING: Binding inside nat statement to outermost interface.

WARNING: Keyword "outside" is probably missing.

*** Output from config line 128, "nat (wifiguest) 1 10.10.....

Do you know what could cause such warnings? I'll attach the configuration.

And something different has happened.

Anytime I want to see sh xlate, I'll get:

0 in use, 0 most used

Global 76.104.93.3 Local 0.0.0.0

Global 76.104.93.3 Local 0.0.0.0, but there is no such global nat available; such IP addresses aren't in the configuration at all

(sh run | in 76. = the result is zero). That IP address changes every time I reboot the ASA device.

I really appreciate any help.

Best regards,

Ada

4 REPLIES
Cisco Employee

Re: Binding inside nat statement to outermost interface

You have this in your config:

interface GigabitEthernet0/0
 nameif outside
 security-level 100
 ip address [omitted]

where you've set the security-level of the outside interface to 100, the least secure it can be. This is a big no-no and I'm pretty sure you didn't mean to do this. Change this to 0 as soon as you can.

Because the outside int has inadvertently been set as the least secure interface, your most secure interface has become "wifiguest" also with a security-level of 0. You don't usually define nat statements for the least secure interface, unless you want to do a function called "outside NAT" which you probably don't if you don't know what it is. This is also what the error message is telling you.

I would recommend setting outside to security-level 0, defining wifiguest to security-level 1, then you'll be able to define a nat/global pair for them to access the outside int as normal.
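
An added example, not part of the thread and not Cisco tooling: a small Python check for the two conditions the reply above points out, an external interface whose security-level is not 0 and a nat statement bound to the lowest-security interface without the "outside" keyword. The sample configuration is constructed (placeholder addresses), and the names parse_levels and audit are hypothetical.

```python
import re

# Constructed sample modelled on the thread: "outside" carries security-level
# 100 and the guest interface 0. Addresses are placeholders.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 nameif outside
 security-level 100
 ip address 192.0.2.1 255.255.255.0
!
interface GigabitEthernet0/1
 nameif wifiguest
 security-level 0
 ip address 10.10.27.1 255.255.255.0
!
nat (wifiguest) 1 10.10.27.0 255.255.255.0
"""

def parse_levels(config):
    """Map each nameif to its security-level (nat/global style config)."""
    levels, name = {}, None
    for line in config.splitlines():
        if not line.startswith(" "):        # a new top-level stanza begins
            name = None
        m = re.match(r"\s+nameif\s+(\S+)", line)
        if m:
            name = m.group(1)
        m = re.match(r"\s+security-level\s+(\d+)", line)
        if m and name:
            levels[name] = int(m.group(1))
    return levels

def audit(config, external="outside"):
    """Return findings; 'external' is the assumed name of the Internet-facing interface."""
    levels = parse_levels(config)
    findings = []
    if levels.get(external, 0) != 0:
        findings.append(f"{external}: security-level {levels[external]}, expected 0")
    lowest = min(levels.values(), default=None)
    for n, line in enumerate(config.splitlines(), 1):
        m = re.match(r"nat \(([^)]+)\)\s+\d+\s+(.*)", line)
        if not m or "outside" in m.group(2).split():
            continue                        # not a nat line, or explicit outside NAT
        ifname = m.group(1)
        if ifname in levels and levels[ifname] == lowest:
            findings.append(f"line {n}: nat bound to lowest-security interface {ifname}")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_CONFIG)) or "no findings")
```
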

New Member

Re: Binding inside nat statement to outermost interface

Well, I definitely do not mean to do this and don't want to do outside NAT either. Sorry for wasting your time.

What's with the second issue?:

a(config)# sh xlate

0 in use, 0 most used

Global 140.34.231.3 Local 0.0.0.0

a(config)# sh run | in 140.34.231.3

a(config)#

Thanks in advance.

P.S. Is it possible to delete (or take off) my previous .txt attachment, BTW?

New Member

Re: Binding inside nat statement to outermost interface

Hello again,

I've already figured out what triggers it. It's enabling DHCP relay on the interface.

Thanks for help.

New Member

Re: Binding inside nat statement to outermost interface

Your usage of the nat statement may be wrong. nat (wifiguest) should be nat (inside) or (the name of your inside interface). The error message is telling you that the usage of the NAT command is wrong and you are probably using a name that doesn't match your interface name. Sh xlate will show any translations being used; if you have it misconfigured, then there will be no translations.
