Having a LOT of trouble with getting NAT through. This is

Customer Question

Having a LOT of trouble with getting NAT through. This is with a Cisco ASA 5510 on 8.2(5) - don't ask - can't upgrade firmware.
Example: Interface E0/0 has 1.1.1.1 IP address, Public. LAN 192.168.80.1/24 on E0/2. VPN device (for different tunneling application) on E0/3 with a GW address of 192.0.2.11 - the device is on 192.0.2.9.
I can ping 192.0.2.9 from the ASA. 192.0.2.9 cannot get out to the internet. I cannot seem to create a static nat rule that will pass port 4000 on 1.1.1.1 to port 22 on 192.0.2.9.
Any ideas?
Submitted: 7 months ago.
Category: Networking
Expert:  Brent Woolverton replied 7 months ago.
Hello, Can you please paste the running-config so I can see what your settings are exactly. Please make sure to star out any passwords or encrypted passwords in the running-config.
Customer: replied 7 months ago.
Config file attached. Thanks...
Customer: replied 7 months ago.
btw... having TWO problems here.... 192.0.2.9 (host inside e0/3) needs to get out to the internet, and the manager of that host needs to ssh to port 4000 on 101.231.102.14 and get to 192.0.2.9 port 22.... Sorry for not making that clear.
Expert:  Brent Woolverton replied 7 months ago.
Hello, Sorry about the delay. We will take your issue one step at a time. The most important is providing your network on the aryaka interface accessing the internet. From the looks of it, your ACLs are giving you the issue. Let us just take one precautionary test prior to changing any configuration to your access control lists though. Go into your config and enter the policy-map global_policy, then class inspection_default. Add an 'inspect icmp' to the list, write mem then try to ping from your 192.0.2.9 device. If that fails, my suspicions are most likely correct.

As a personal bit of advice, it is not good practice to name your ACLs the same as your interface. I have noticed issues with using the same namespace. Try the following access control to see if we can get your aryaka interface some internet life. This ACL will allow your users on the 192.0.2.8 network to use any protocol heading outwards.

    access-list inet permit ip 192.0.2.8 255.255.255.248 any
    access-group inet in interface aryaka
    nat (aryaka) 1 192.0.2.8 255.255.255.248

Please let me know if this resolves the issues. Do not forget, the logging command is your best friend. Set the following in config mode

    logging enable
    logging buffered informational

Use the 'show logging' command in the cli to see what occurs at the time when you attempt to reach the internet. If the issue still continues, please submit the syslog here so I can attempt to debug it. Once we have this fixed, we will work on your PAT issue.
Expert:  Brent Woolverton replied 7 months ago.
Hello, Do you still need assistance with this issue?
Thanks
Brent
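
As an added illustration (not part of the thread and not the expert's configuration), this is how the two requests in the question are typically written in pre-8.3 ASA syntax: outbound PAT for the aryaka subnet, and a static PAT from TCP 4000 on the public interface to port 22 on 192.0.2.9. It assumes E0/0 carries the nameif "outside" and that no ACL is already bound inbound on it (access-group replaces an existing binding, so in that case add the permit line to the existing ACL instead). The ACL name "outside_in" and the management source 203.0.113.10 are constructed placeholders.

```text
! Added example, ASA 8.2 (pre-8.3 NAT syntax). Assumed names: "outside" = E0/0,
! "aryaka" = E0/3 (as in the reply above), "outside_in" = hypothetical ACL name.

! 1) Outbound: "nat (aryaka) 1 ..." only translates if a global pool with the
!    same NAT ID exists on the egress interface. Add this if not already present.
global (outside) 1 interface

! 2) Inbound: static PAT, TCP 4000 on the outside interface address
!    to TCP 22 on 192.0.2.9. Order is (real_ifc,mapped_ifc).
static (aryaka,outside) tcp interface 4000 192.0.2.9 22 netmask 255.255.255.255

! 3) Before 8.3 the interface ACL matches the mapped (public) address and port,
!    not the real 192.0.2.9:22. Limit the source to the manager's address
!    (203.0.113.10 is a constructed placeholder) rather than "any", since this
!    rule exposes SSH to the internet.
access-list outside_in extended permit tcp host 203.0.113.10 interface outside eq 4000
access-group outside_in in interface outside

! 4) Check from exec mode (not config mode) which phase allows or drops the flow.
!    1.1.1.1 is the public address used in the question; 12345 is an arbitrary
!    source port.
packet-tracer input outside tcp 203.0.113.10 12345 1.1.1.1 4000 detailed
```

In the packet-tracer output, the UN-NAT phase should show the translation to 192.0.2.9/22 and the ACCESS-LIST phase should show a permit; a drop in either phase points to the static or the ACL respectively.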