ASA 8.2 static NAT

Hi,

I’m trying to configure static NAT on ASA 8.2.

    ------------------------------->

                     Out               Ins
Ra---------------------ASA----------------Rb
7.7.7.1      7.7.7.11       8.8.8.11    8.8.8.1


I applied an ACL on the outside interface to accept telnet from Ra to Rb.

static (outside,inside) 17.17.17.1 7.7.7.1

On ASA I see SYN packets incoming on outside interface:

   1: 14:00:57.992502 7.7.7.1.56708 > 8.8.8.1.23: S 820018118:820018118(0) win 4128 <mss 536>
   2: 14:00:59.992090 7.7.7.1.56708 > 8.8.8.1.23: S 820018118:820018118(0) win 4128 <mss 536>
   3: 14:01:03.992746 7.7.7.1.56708 > 8.8.8.1.23: S 820018118:820018118(0) win 4128 <mss 536>
   4: 14:01:11.994028 7.7.7.1.56708 > 8.8.8.1.23: S 820018118:820018118(0) win 4128 <mss 536>

On the ASA I also see an xlate and one connection (not completed):

ASA-F# sh conn
1 in use, 3 most used
TCP outside 17.17.17.1(7.7.7.1):34692 inside 8.8.8.1:23, idle 0:00:03, bytes 0, flags SaAB

ASA-F# sh xlate
1 in use, 1 most used
Global 17.17.17.1 Local 7.7.7.1
ASA-F#

Both routers have the ASA as a default gateway.


I also see the traffic after NAT exiting the ASA from the inside interface:

ASA-F# sh capture TEST1

4 packets captured

   1: 14:10:08.452842 17.17.17.1.44932 > 8.8.8.1.23: S 1180968845:1180968845(0) win 4128 <mss 536>
   2: 14:10:10.452231 17.17.17.1.44932 > 8.8.8.1.23: S 1180968845:1180968845(0) win 4128 <mss 536>
   3: 14:10:14.452918 17.17.17.1.44932 > 8.8.8.1.23: S 1180968845:1180968845(0) win 4128 <mss 536>
   4: 14:10:22.454169 17.17.17.1.44932 > 8.8.8.1.23: S 1180968845:1180968845(0) win 4128 <mss 536>
4 packets shown
ASA-F#

The problem is that I can’t see any response from Rb. I checked routing there, but it is a simple configuration (which works fine without NAT).

Rb#sh run | i route
ip route 0.0.0.0 0.0.0.0 8.8.8.11
Rb#

One thing is strange: once I do a traceroute, the next hop is the interface of Rb:

Rb#traceroute 17.17.17.1
Type escape sequence to abort.
Tracing the route to 17.17.17.1
VRF info: (vrf in name/id, vrf out name/id)
  1 8.8.8.1 0 msec 0 msec 0 msec
  2  *  *
Rb#sh ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       a - application route
       + - replicated route, % - next hop override

Gateway of last resort is 8.8.8.11 to network 0.0.0.0

S*    0.0.0.0/0 [1/0] via 8.8.8.11
      1.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        1.1.0.0/24 is directly connected, GigabitEthernet0/2
L        1.1.0.8/32 is directly connected, GigabitEthernet0/2
      8.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        8.8.8.0/24 is directly connected, GigabitEthernet0/1
L        8.8.8.1/32 is directly connected, GigabitEthernet0/1
Rb#


Any suggestion what I’m doing wrong?
Thanks

Hubert
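The two pieces of evidence in the post, the SYN retransmits that never get a SYN-ACK and Rb's routing table, as an added example (not the poster's or Cisco's code): a small Python parser for the ASA capture lines that flags half-open flows, plus a longest-prefix-match lookup over the routes shown in Rb's `sh ip route` output. The capture lines and route entries are copied from the post; the second "healthy" capture and the route-table representation are constructed here for contrast and are not from the page.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Capture lines copied from the post (inside interface, after NAT).
CAPTURE_INSIDE = """\
1: 14:10:08.452842 17.17.17.1.44932 > 8.8.8.1.23: S 1180968845:1180968845(0) win 4128 <mss 536>
2: 14:10:10.452231 17.17.17.1.44932 > 8.8.8.1.23: S 1180968845:1180968845(0) win 4128 <mss 536>
3: 14:10:14.452918 17.17.17.1.44932 > 8.8.8.1.23: S 1180968845:1180968845(0) win 4128 <mss 536>
4: 14:10:22.454169 17.17.17.1.44932 > 8.8.8.1.23: S 1180968845:1180968845(0) win 4128 <mss 536>
"""

# A constructed, healthy three-way handshake for contrast (not from the post).
CAPTURE_HEALTHY = """\
1: 14:20:00.000000 77.77.77.1.40000 > 8.8.8.1.23: S 1:1(0) win 4128 <mss 536>
2: 14:20:00.001000 8.8.8.1.23 > 77.77.77.1.40000: S 9:9(0) ack 2 win 4128 <mss 536>
3: 14:20:00.002000 77.77.77.1.40000 > 8.8.8.1.23: . ack 10 win 4128
"""

# Matches the tcpdump-style line format the ASA "show capture" command prints.
LINE_RE = re.compile(
    r"^\s*\d+:\s+(?P<ts>[\d:.]+)\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):\s+"
    r"(?P<flags>[SFRP.]+)\s"
)


def parse_capture(text):
    """Parse capture lines into dicts with addresses, ports, SYN and ACK bits."""
    pkts = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip headers such as "4 packets captured"
        d = m.groupdict()
        d["syn"] = "S" in d["flags"]
        d["ack"] = " ack " in line  # tcpdump prints "ack N" for the ACK bit
        pkts.append(d)
    return pkts


def half_open_flows(pkts, min_syns=2):
    """Flows that retransmitted SYN at least min_syns times and never saw a SYN-ACK back.

    Repeated SYNs with no answer are exactly what the post shows: the ASA
    forwards the translated packet, but nothing returns from the server side.
    """
    syns = defaultdict(int)
    answered = set()
    for p in pkts:
        fwd = (p["src"], p["sport"], p["dst"], p["dport"])
        if p["syn"] and not p["ack"]:
            syns[fwd] += 1
        elif p["syn"] and p["ack"]:
            # A SYN-ACK travels server -> client; record the client flow it answers.
            answered.add((p["dst"], p["dport"], p["src"], p["sport"]))
    return sorted(f for f, n in syns.items() if n >= min_syns and f not in answered)


# Rb's routes, transcribed from the "sh ip route" output in the post.
RB_ROUTES = [
    ("0.0.0.0/0", "8.8.8.11"),               # S* default via the ASA inside address
    ("1.1.0.0/24", "GigabitEthernet0/2"),    # C connected
    ("8.8.8.0/24", "GigabitEthernet0/1"),    # C connected
]


def next_hop(dst, routes=RB_ROUTES):
    """Longest-prefix match: returns the next hop or outgoing interface for dst."""
    addr = ip_address(dst)
    best = None
    for prefix, via in routes:
        net = ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, via)
    return best[1] if best else None


if __name__ == "__main__":
    print("half-open flows:", half_open_flows(parse_capture(CAPTURE_INSIDE)))
    print("Rb next hop for 17.17.17.1:", next_hop("17.17.17.1"))
```

Run against the posted capture, the parser reports the single 17.17.17.1:44932 -> 8.8.8.1:23 flow as half-open, and the table lookup resolves 17.17.17.1 to the default route via 8.8.8.11, i.e. back to the ASA, which is what the posted routing table says should happen; the healthy constructed capture produces no half-open flows.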

Comments

  • Hi,

    Once I changed 17.17.17.1 to 77.77.77.1 it works. I'm not sure what was wrong with 17.17.17.1, but it looks like a routing issue.

    regards

    Hubert

  • The problem is in the next output; it seems that Rb was routing for the NAT'ed address of 17.17.17.1 towards itself, instead of towards the ASA:

    Rb#traceroute 17.17.17.1
    Type escape sequence to abort.
    Tracing the route to 17.17.17.1
    VRF info: (vrf in name/id, vrf out name/id)
      1 8.8.8.1 0 msec 0 msec 0 msec
