
Cisco ASA 9.4: Configuring NAT

Status
Not open for further replies.

darktriad (IS-IT--Management), Apr 26, 2016
I am upgrading from a Cisco ASA using IOS 8.4 to a new ASA using IOS 9.4, and while I was able to copy 99% of the configuration over to the new 9.4, I cannot get NAT to work for static NATs. Traffic is not going through the outside interface from these inside systems. The NAT (dynamic) for all inside hosts works fine, but the static NATs do not.

Specifically, the hosts 192.168.112.3, .4, and .5 cannot reach the gateway (PING or other). However, inside hosts on 192.168.91.xxx have no problem reaching the gateway.

Could someone please look at this configuration (see below) and see if you can spot why static-NAT hosts on 192.168.112.0/24 could not reach the gateway or get 'outside' at all?

Code:
: Hardware:   ASA5515, 8192 MB RAM, CPU Clarkdale 3059 MHz, 1 CPU (4 cores)
:
ASA Version 9.4(2)6 
!
ip local pool ANYCONNECT-POOL 192.168.71.49-192.168.71.59 mask 255.255.255.0
!
interface GigabitEthernet0/0
 description inside-facing systems
 nameif inside_sys
 security-level 2
 ip address 192.168.111.1 255.255.255.0 
!
interface GigabitEthernet0/1
 description inside hosts
 nameif inside
 security-level 100
 ip address 192.168.91.1 255.255.255.0 
!             
interface GigabitEthernet0/2
 description Gateway
 nameif outside
 security-level 0
 ip address 151.126.96.74 255.255.255.248 
!
interface GigabitEthernet0/3
 description outside-facing systems
 nameif outside_sys
 security-level 1
 ip address 192.168.112.1 255.255.255.0 

object network obj-192.168.111.0
 subnet 192.168.111.0 255.255.255.0
object network obj-192.168.81.0
 subnet 192.168.81.0 255.255.255.240
object network obj-192.168.91.0
 subnet 192.168.91.0 255.255.255.0
object network obj-192.168.91.100
 host 192.168.91.100
object network obj-192.168.111.25
 host 192.168.111.25
object network obj-192.168.112.0
 subnet 192.168.112.0 255.255.255.0
object network obj-192.168.111.35
 host 192.168.111.35
object network obj-192.168.112.2
 host 192.168.112.2
object network obj-192.168.112.3
 host 192.168.112.3
object network obj-192.168.112.4
 host 192.168.112.4
object network OBJ-ANYCONNECT-SUBNET
 subnet 192.168.71.0 255.255.255.0
access-list vpntunnel_splitTunnelAcl standard permit 192.168.112.0 255.255.255.0 
access-list vpntunnel_splitTunnelAcl standard permit 192.168.111.0 255.255.255.0 
access-list vpntunnel_splitTunnelAcl standard permit 192.168.91.0 255.255.255.0 
access-list ACL_IN extended permit udp any host 192.168.112.3 eq domain 
access-list ACL_IN extended permit udp any host 192.168.112.4 eq domain 
access-list ACL_IN extended permit tcp any host 192.168.112.3 eq domain 
access-list ACL_IN extended permit tcp any host 192.168.112.4 eq domain 
access-list ACL_IN extended permit tcp any host 192.168.112.2 eq https 
access-list ACL_IN extended permit tcp any host 192.168.112.2 eq www 
access-list ACL_IN extended permit tcp any host 192.168.112.2 eq smtp 
access-list ACL_IN extended permit tcp any host 192.168.112.2 eq 587 
access-list ACL_IN extended permit tcp any host 192.168.112.2 eq 993 
access-list ACL_IN remark TORRENT
access-list ACL_IN extended permit tcp any host 192.168.91.100 eq 46969 
access-list ACL_IN extended permit udp any host 192.168.91.100 eq 46969 
access-list ACL_IN extended permit tcp any host 192.168.91.100 range 6881 6900 
access-list OUTSYS_IN extended permit tcp host 192.168.112.2 host 192.168.111.35 eq sunrpc 
access-list OUTSYS_IN extended permit tcp host 192.168.112.2 host 192.168.111.35 eq nfs 
access-list OUTSYS_IN extended permit udp host 192.168.112.2 host 192.168.111.35 eq sunrpc 
access-list OUTSYS_IN extended permit udp host 192.168.112.2 host 192.168.111.35 eq nfs 
access-list OUTSYS_IN extended permit tcp host 192.168.112.2 host 192.168.111.9 eq sunrpc 
access-list OUTSYS_IN extended permit tcp host 192.168.112.2 host 192.168.111.9 eq nfs 
access-list OUTSYS_IN extended permit udp host 192.168.112.2 host 192.168.111.9 eq sunrpc 
access-list OUTSYS_IN extended permit udp host 192.168.112.2 host 192.168.111.9 eq nfs 
access-list OUTSYS_IN extended deny ip 192.168.112.0 255.255.255.0 192.168.111.0 255.255.255.0 
access-list OUTSYS_IN extended deny ip 192.168.112.0 255.255.255.0 192.168.91.0 255.255.255.0 
access-list OUTSYS_IN extended permit ip any any 
access-list ANYC-SPLIT-TUNNEL standard permit 192.168.112.0 255.255.255.0 
access-list ANYC-SPLIT-TUNNEL standard permit 192.168.111.0 255.255.255.0 
access-list ANYC-SPLIT-TUNNEL standard permit 192.168.91.0 255.255.255.0 

arp timeout 600
no arp permit-nonconnected
nat (inside,any) source static obj-192.168.91.0 obj-192.168.91.0 destination static obj-192.168.111.0 obj-192.168.111.0 no-proxy-arp
nat (inside,any) source static obj-192.168.91.0 obj-192.168.91.0 destination static obj-192.168.81.0 obj-192.168.81.0 no-proxy-arp
nat (inside_sys,outside) source static obj-192.168.111.0 obj-192.168.111.0 destination static obj-192.168.81.0 obj-192.168.81.0 no-proxy-arp route-lookup
nat (outside_sys,outside) source static obj-192.168.112.0 obj-192.168.112.0 destination static obj-192.168.81.0 obj-192.168.81.0 no-proxy-arp route-lookup
nat (inside_sys,outside) source static obj-192.168.111.0 obj-192.168.111.0 destination static OBJ-ANYCONNECT-SUBNET OBJ-ANYCONNECT-SUBNET no-proxy-arp route-lookup
nat (outside_sys,outside) source static obj-192.168.112.0 obj-192.168.112.0 destination static OBJ-ANYCONNECT-SUBNET OBJ-ANYCONNECT-SUBNET no-proxy-arp route-lookup
nat (inside,any) source static obj-192.168.91.0 obj-192.168.91.0 destination static OBJ-ANYCONNECT-SUBNET OBJ-ANYCONNECT-SUBNET no-proxy-arp
!
object network obj-192.168.91.0
 nat (inside,outside) dynamic interface
object network obj-192.168.91.100
 nat (inside,outside) static 151.126.96.78
object network obj-192.168.111.25
 nat (inside_sys,outside) dynamic interface
object network obj-192.168.111.35
 nat (inside_sys,outside) dynamic interface
object network obj-192.168.112.2
 nat (outside_sys,outside) static 151.126.96.77
object network obj-192.168.112.3
 nat (outside_sys,outside) static 151.126.96.75
object network obj-192.168.112.4
 nat (outside_sys,outside) static 151.126.96.76
access-group ACL_IN in interface outside
access-group OUTSYS_IN in interface outside_sys
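
As an added example (not from the original post and not Cisco tooling), the script below parses the interface, object-NAT and access-list lines of a configuration like the one posted above and sanity-checks each static translation: the mapped address should sit in the mapped interface's subnet without colliding with the interface, network or broadcast address, no two objects should share a mapped address, and the access-list applied on the mapped interface must permit traffic to the real (untranslated) address, which is what ASA 8.3+ ACLs match on. CONFIG is a constructed excerpt of the posted configuration; the manual (twice) NAT lines, which the ASA evaluates before object NAT, are deliberately skipped, and only `permit <proto> any host <ip>` access-list entries are parsed.

```python
"""Audit static object-NAT entries in an ASA 8.3+ style configuration.

Added example for the thread above; hypothetical helper code, not part of the
poster's configuration and not a Cisco tool.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed excerpt of the configuration shown in the post.
CONFIG = """\
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.91.1 255.255.255.0
interface GigabitEthernet0/2
 nameif outside
 security-level 0
 ip address 151.126.96.74 255.255.255.248
interface GigabitEthernet0/3
 nameif outside_sys
 security-level 1
 ip address 192.168.112.1 255.255.255.0
object network obj-192.168.91.0
 subnet 192.168.91.0 255.255.255.0
object network obj-192.168.91.100
 host 192.168.91.100
object network obj-192.168.112.2
 host 192.168.112.2
object network obj-192.168.112.3
 host 192.168.112.3
object network obj-192.168.112.4
 host 192.168.112.4
access-list ACL_IN extended permit udp any host 192.168.112.3 eq domain
access-list ACL_IN extended permit udp any host 192.168.112.4 eq domain
access-list ACL_IN extended permit tcp any host 192.168.112.2 eq https
access-list ACL_IN extended permit tcp any host 192.168.91.100 eq 46969
object network obj-192.168.91.0
 nat (inside,outside) dynamic interface
object network obj-192.168.91.100
 nat (inside,outside) static 151.126.96.78
object network obj-192.168.112.2
 nat (outside_sys,outside) static 151.126.96.77
object network obj-192.168.112.3
 nat (outside_sys,outside) static 151.126.96.75
object network obj-192.168.112.4
 nat (outside_sys,outside) static 151.126.96.76
access-group ACL_IN in interface outside
"""

IF_RE = re.compile(r"^interface (\S+)")
NAMEIF_RE = re.compile(r"^ nameif (\S+)")
SEC_RE = re.compile(r"^ security-level (\d+)")
IPADDR_RE = re.compile(r"^ ip address (\S+) (\S+)")
OBJ_RE = re.compile(r"^object network (\S+)")
HOST_RE = re.compile(r"^ host (\S+)")
SUBNET_RE = re.compile(r"^ subnet (\S+) (\S+)")
# Object (section 2) NAT is indented under its object; manual NAT is not.
NAT_RE = re.compile(r"^ nat \((\S+),(\S+)\) (static|dynamic) (\S+)")
# Only the "permit <proto> any host <ip>" form used by ACL_IN is handled.
ACL_RE = re.compile(r"^access-list (\S+) extended permit (\S+) any host (\S+)")
AG_RE = re.compile(r"^access-group (\S+) in interface (\S+)")


def parse(text):
    """Return (interfaces by nameif, network objects, ACL entries, access-groups)."""
    ifaces, objects, acls, groups = {}, {}, defaultdict(list), {}
    cur_if = cur_obj = None
    for line in text.splitlines():
        if m := IF_RE.match(line):
            cur_if, cur_obj = {}, None          # nameif/ip lines fill this dict
        elif m := NAMEIF_RE.match(line):
            ifaces[m.group(1)] = cur_if
        elif m := SEC_RE.match(line):
            cur_if["security"] = int(m.group(1))
        elif m := IPADDR_RE.match(line):
            cur_if["ip"] = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}")
        elif m := OBJ_RE.match(line):
            cur_obj, cur_if = objects.setdefault(m.group(1), {}), None
        elif m := HOST_RE.match(line):
            cur_obj["real"] = ipaddress.ip_network(m.group(1))
        elif m := SUBNET_RE.match(line):
            cur_obj["real"] = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}")
        elif m := NAT_RE.match(line):
            cur_obj["nat"] = {"real_if": m.group(1), "mapped_if": m.group(2),
                              "kind": m.group(3), "mapped": m.group(4)}
        elif m := ACL_RE.match(line):
            acls[m.group(1)].append({"proto": m.group(2),
                                     "dst": ipaddress.ip_address(m.group(3))})
        elif m := AG_RE.match(line):
            groups[m.group(2)] = m.group(1)     # interface -> ACL name
    return ifaces, objects, acls, groups


def static_map(objects):
    """Real -> (mapped, real_if, mapped_if) for every static object NAT."""
    return {str(o["real"]): (o["nat"]["mapped"], o["nat"]["real_if"], o["nat"]["mapped_if"])
            for o in objects.values() if o.get("nat", {}).get("kind") == "static"}


def audit(ifaces, objects, acls, groups):
    """Return a list of (object name, finding) for suspicious static NATs."""
    findings, mapped_seen = [], defaultdict(list)
    for name, obj in objects.items():
        nat = obj.get("nat")
        if not nat or nat["kind"] != "static":
            continue
        mapped = ipaddress.ip_address(nat["mapped"])
        mapped_seen[mapped].append(name)
        out_if = ifaces.get(nat["mapped_if"])
        if out_if is None:
            findings.append((name, f"mapped interface {nat['mapped_if']} has no nameif"))
            continue
        net = out_if["ip"].network
        if mapped not in net:
            findings.append((name, f"mapped {mapped} not in {net}; upstream must route it"))
        elif mapped in (net.network_address, net.broadcast_address, out_if["ip"].ip):
            findings.append((name, f"mapped {mapped} collides with interface/network/broadcast"))
        # 8.3+ ACLs on the mapped interface match the real (pre-translation) address.
        acl = acls.get(groups.get(nat["mapped_if"]), [])
        if any(e["dst"] == mapped for e in acl):
            findings.append((name, "ACL references the mapped address; 8.3+ ACLs use the real IP"))
        if not any(e["dst"] in obj["real"] for e in acl):
            findings.append((name, f"no inbound permit on {nat['mapped_if']} for real {obj['real']}"))
    for mapped, names in mapped_seen.items():
        if len(names) > 1:
            findings.append((",".join(names), f"mapped {mapped} shared by several objects"))
    return findings


if __name__ == "__main__":
    parsed = parse(CONFIG)
    for real, (mapped, rif, mif) in static_map(parsed[1]).items():
        print(f"{real:20} -> {mapped:16} ({rif},{mif})")
    for name, msg in audit(*parsed) or [("-", "no findings")]:
        print(f"{name}: {msg}")
```

Run it against a `show running-config` capture after the migration; an empty findings list only says the static entries are self-consistent, not that the translation is being hit, so pair it with `show nat detail` (translate hit counters) and `packet-tracer` on the box itself.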
 