Cisco ASA 9.4: Configuring NAT

(OP)
I am upgrading from a Cisco ASA using IOS 8.4 to a new ASA using IOS 9.4, and while I was able to copy 99% of the configuration over to the new 9.4, I cannot get NAT to work for static NATs. Traffic is not going through the outside interface from these inside systems. The NAT (dynamic) for all inside hosts works fine, but the static NATs do not.

Specifically, the hosts 192.168.112.3, .4, and .5 cannot reach the gateway (PING or other). However, inside hosts on 192.168.91.xxx have no problem reaching the gateway.

Could someone please look at this configuration (see below) and see if you can spot why static-NAT hosts on 192.168.112.0/24 could not reach the gateway or get 'outside' at all?

CODE -->

: Hardware:   ASA5515, 8192 MB RAM, CPU Clarkdale 3059 MHz, 1 CPU (4 cores)
:
ASA Version 9.4(2)6 
!
ip local pool ANYCONNECT-POOL 192.168.71.49-192.168.71.59 mask 255.255.255.0
!
interface GigabitEthernet0/0
 description inside-facing systems
 nameif inside_sys
 security-level 2
 ip address 192.168.111.1 255.255.255.0 
!
interface GigabitEthernet0/1
 description inside hosts
 nameif inside
 security-level 100
 ip address 192.168.91.1 255.255.255.0 
!             
interface GigabitEthernet0/2
 description Gateway
 nameif outside
 security-level 0
 ip address 151.126.96.74 255.255.255.248 
!
interface GigabitEthernet0/3
 description outside-facing systems
 nameif outside_sys
 security-level 1
 ip address 192.168.112.1 255.255.255.0 

object network obj-192.168.111.0
 subnet 192.168.111.0 255.255.255.0
object network obj-192.168.81.0
 subnet 192.168.81.0 255.255.255.240
object network obj-192.168.91.0
 subnet 192.168.91.0 255.255.255.0
object network obj-192.168.91.100
 host 192.168.91.100
object network obj-192.168.111.25
 host 192.168.111.25
object network obj-192.168.112.0
 subnet 192.168.112.0 255.255.255.0
object network obj-192.168.111.35
 host 192.168.111.35
object network obj-192.168.112.2
 host 192.168.112.2
object network obj-192.168.112.3
 host 192.168.112.3
object network obj-192.168.112.4
 host 192.168.112.4
object network OBJ-ANYCONNECT-SUBNET
 subnet 192.168.71.0 255.255.255.0
access-list vpntunnel_splitTunnelAcl standard permit 192.168.112.0 255.255.255.0 
access-list vpntunnel_splitTunnelAcl standard permit 192.168.111.0 255.255.255.0 
access-list vpntunnel_splitTunnelAcl standard permit 192.168.91.0 255.255.255.0 
access-list ACL_IN extended permit udp any host 192.168.112.3 eq domain 
access-list ACL_IN extended permit udp any host 192.168.112.4 eq domain 
access-list ACL_IN extended permit tcp any host 192.168.112.3 eq domain 
access-list ACL_IN extended permit tcp any host 192.168.112.4 eq domain 
access-list ACL_IN extended permit tcp any host 192.168.112.2 eq https 
access-list ACL_IN extended permit tcp any host 192.168.112.2 eq www 
access-list ACL_IN extended permit tcp any host 192.168.112.2 eq smtp 
access-list ACL_IN extended permit tcp any host 192.168.112.2 eq 587 
access-list ACL_IN extended permit tcp any host 192.168.112.2 eq 993 
access-list ACL_IN remark TORRENT
access-list ACL_IN extended permit tcp any host 192.168.91.100 eq 46969 
access-list ACL_IN extended permit udp any host 192.168.91.100 eq 46969 
access-list ACL_IN extended permit tcp any host 192.168.91.100 range 6881 6900 
access-list OUTSYS_IN extended permit tcp host 192.168.112.2 host 192.168.111.35 eq sunrpc 
access-list OUTSYS_IN extended permit tcp host 192.168.112.2 host 192.168.111.35 eq nfs 
access-list OUTSYS_IN extended permit udp host 192.168.112.2 host 192.168.111.35 eq sunrpc 
access-list OUTSYS_IN extended permit udp host 192.168.112.2 host 192.168.111.35 eq nfs 
access-list OUTSYS_IN extended permit tcp host 192.168.112.2 host 192.168.111.9 eq sunrpc 
access-list OUTSYS_IN extended permit tcp host 192.168.112.2 host 192.168.111.9 eq nfs 
access-list OUTSYS_IN extended permit udp host 192.168.112.2 host 192.168.111.9 eq sunrpc 
access-list OUTSYS_IN extended permit udp host 192.168.112.2 host 192.168.111.9 eq nfs 
access-list OUTSYS_IN extended deny ip 192.168.112.0 255.255.255.0 192.168.111.0 255.255.255.0 
access-list OUTSYS_IN extended deny ip 192.168.112.0 255.255.255.0 192.168.91.0 255.255.255.0 
access-list OUTSYS_IN extended permit ip any any 
access-list ANYC-SPLIT-TUNNEL standard permit 192.168.112.0 255.255.255.0 
access-list ANYC-SPLIT-TUNNEL standard permit 192.168.111.0 255.255.255.0 
access-list ANYC-SPLIT-TUNNEL standard permit 192.168.91.0 255.255.255.0 

arp timeout 600
no arp permit-nonconnected
nat (inside,any) source static obj-192.168.91.0 obj-192.168.91.0 destination static obj-192.168.111.0 obj-192.168.111.0 no-proxy-arp
nat (inside,any) source static obj-192.168.91.0 obj-192.168.91.0 destination static obj-192.168.81.0 obj-192.168.81.0 no-proxy-arp
nat (inside_sys,outside) source static obj-192.168.111.0 obj-192.168.111.0 destination static obj-192.168.81.0 obj-192.168.81.0 no-proxy-arp route-lookup
nat (outside_sys,outside) source static obj-192.168.112.0 obj-192.168.112.0 destination static obj-192.168.81.0 obj-192.168.81.0 no-proxy-arp route-lookup
nat (inside_sys,outside) source static obj-192.168.111.0 obj-192.168.111.0 destination static OBJ-ANYCONNECT-SUBNET OBJ-ANYCONNECT-SUBNET no-proxy-arp route-lookup
nat (outside_sys,outside) source static obj-192.168.112.0 obj-192.168.112.0 destination static OBJ-ANYCONNECT-SUBNET OBJ-ANYCONNECT-SUBNET no-proxy-arp route-lookup
nat (inside,any) source static obj-192.168.91.0 obj-192.168.91.0 destination static OBJ-ANYCONNECT-SUBNET OBJ-ANYCONNECT-SUBNET no-proxy-arp
!
object network obj-192.168.91.0
 nat (inside,outside) dynamic interface
object network obj-192.168.91.100
 nat (inside,outside) static 151.126.96.78
object network obj-192.168.111.25
 nat (inside_sys,outside) dynamic interface
object network obj-192.168.111.35
 nat (inside_sys,outside) dynamic interface
object network obj-192.168.112.2
 nat (outside_sys,outside) static 151.126.96.77
object network obj-192.168.112.3
 nat (outside_sys,outside) static 151.126.96.75
object network obj-192.168.112.4
 nat (outside_sys,outside) static 151.126.96.76
access-group ACL_IN in interface outside
access-group OUTSYS_IN in interface outside_sys 
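As an added example (not code from the thread or from Cisco), the script below models which `nat` line the ASA selects for a flow through the posted configuration, following the documented rule-table order: section 1 manual (twice) NAT in configuration order, then section 2 object NAT with static rules before dynamic, fewer real addresses first, then lower real IP, then object name. It embeds a trimmed copy of the posted objects and NAT lines (the 192.168.111.x and 192.168.112.2 entries are left out, and the flows, 8.8.8.8 and 192.168.81.5, are constructed). It models only rule selection: no routing, ACL, ARP or xlate state, so a hit means "this rule would translate the packet", not "the packet gets out". One thing it makes visible is that the posted configuration has no object or `nat` statement for 192.168.112.5 at all, so that host leaves with no translation.

```python
"""Which 'nat' line does the ASA pick for a flow?  Model of the documented
NAT rule ordering (added example, not code from the thread):
  section 1: manual (twice) NAT, evaluated in configuration order
  section 2: object NAT: static before dynamic, fewest real addresses,
             then lowest real IP, then object name
  section 3: manual NAT with 'after-auto' (none in the posted config)
"""
import ipaddress
import re

# Trimmed copy of the posted configuration: objects and nat lines only.
CONFIG = """
object network obj-192.168.81.0
 subnet 192.168.81.0 255.255.255.240
object network obj-192.168.91.0
 subnet 192.168.91.0 255.255.255.0
object network obj-192.168.91.100
 host 192.168.91.100
object network obj-192.168.112.0
 subnet 192.168.112.0 255.255.255.0
object network obj-192.168.112.3
 host 192.168.112.3
object network obj-192.168.112.4
 host 192.168.112.4
nat (inside,any) source static obj-192.168.91.0 obj-192.168.91.0 destination static obj-192.168.81.0 obj-192.168.81.0 no-proxy-arp
nat (outside_sys,outside) source static obj-192.168.112.0 obj-192.168.112.0 destination static obj-192.168.81.0 obj-192.168.81.0 no-proxy-arp route-lookup
object network obj-192.168.91.0
 nat (inside,outside) dynamic interface
object network obj-192.168.91.100
 nat (inside,outside) static 151.126.96.78
object network obj-192.168.112.3
 nat (outside_sys,outside) static 151.126.96.75
object network obj-192.168.112.4
 nat (outside_sys,outside) static 151.126.96.76
"""

MANUAL_RE = re.compile(
    r"nat \((\S+),(\S+)\) source static (\S+) (\S+) destination static (\S+) (\S+)")
OBJECT_RE = re.compile(r"nat \((\S+),(\S+)\) (static|dynamic) (\S+)")


def parse(config):
    """Return (objects, section-1 rules, section-2 rules) from ASA config text."""
    objects, manual, auto = {}, [], []
    current = None
    for line in (raw.strip() for raw in config.splitlines()):
        if line.startswith("object network "):
            current = line.split()[2]          # following 'nat' line belongs to it
        elif line.startswith("subnet "):
            _, addr, mask = line.split()
            objects[current] = ipaddress.ip_network(f"{addr}/{mask}")
        elif line.startswith("host "):
            objects[current] = ipaddress.ip_network(line.split()[1])
        elif MANUAL_RE.match(line):
            real_ifc, _, src, src_mapped, dst, _ = MANUAL_RE.match(line).groups()
            manual.append(dict(kind="manual", real_ifc=real_ifc, src=src,
                               mapped=src_mapped, dst=dst, line=line))
        elif OBJECT_RE.match(line):
            real_ifc, _, mode, mapped = OBJECT_RE.match(line).groups()
            auto.append(dict(kind="object", real_ifc=real_ifc, src=current,
                             mode=mode, mapped=mapped, line=line))
    return objects, manual, auto


def section2_key(objects):
    """Sort key implementing the ASA's object NAT precedence."""
    def key(rule):
        real = objects[rule["src"]]
        return (rule["mode"] != "static", real.num_addresses,
                int(real.network_address), rule["src"])
    return key


def select_rule(ingress, src_ip, dst_ip, objects, manual, auto):
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in manual:                                   # section 1, config order
        if (r["real_ifc"] in ("any", ingress)
                and src in objects[r["src"]] and dst in objects[r["dst"]]):
            return r
    for r in sorted(auto, key=section2_key(objects)):  # section 2, precedence
        if r["real_ifc"] in ("any", ingress) and src in objects[r["src"]]:
            return r
    return None                          # no xlate: packet leaves with its real source


OBJECTS, MANUAL, AUTO = parse(CONFIG)


def mapped_source(ingress, src_ip, dst_ip):
    """Translated source for a flow: a mapped IP, 'interface' (PAT), or None."""
    r = select_rule(ingress, src_ip, dst_ip, OBJECTS, MANUAL, AUTO)
    if r is None:
        return None
    if r["kind"] == "manual":            # identity NAT keeps the real address
        return src_ip if r["mapped"] == r["src"] else r["mapped"]
    return r["mapped"]


if __name__ == "__main__":
    for flow in [("outside_sys", "192.168.112.3", "8.8.8.8"),
                 ("outside_sys", "192.168.112.5", "8.8.8.8"),
                 ("outside_sys", "192.168.112.3", "192.168.81.5")]:
        r = select_rule(*flow, OBJECTS, MANUAL, AUTO)
        print(flow, "->", mapped_source(*flow), "via", r["line"] if r else "NO RULE")
```

On the appliance itself the authoritative version of this check is `packet-tracer input outside_sys tcp 192.168.112.3 1024 8.8.8.8 53`, which walks the same NAT selection and also the ACL, route and ARP phases this model leaves out; `show nat detail` prints the rule table in the order modelled here, with hit counts, and `show xlate` shows whether a translation was actually built for the host.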
