I have a layered ASA approach in both UAT and PROD, so we run an external pair of ASAs which house our public IPs and NAT them to the internal DMZ of Web and App servers, which are hidden behind a second pair of internal ASAs. These internal ASAs also connect to each other and the rest of the network.
I've been asked to take an internal network and NAT/PAT it before allowing it access to our APP DMZ.
I've attached a Visio of the UAT layout...
www.durhammods.com/UAT.vsd
Note the right side... ASA-Con1. Traffic from our internal server subnet (vlan 160) coming over the Bridgenet interface needs to access the APP servers in vlan 153, but we'd like to have the source IPs hidden to either the IP of the interface, or an IP set aside for the purpose (10.22.153.250).
Here's a quick shot of the ASA's interfaces:
www.durhammods.com/ints.bmp
We're going from the Brdgnet int (level 25) to the UAT-APP int (level 50).
Because UAT-APP is the highest security level on the ASA, it has no rules applied to it outside of the implicit:
www.durhammods.com/appacls.bmp
Here's the ASDM setup of the PAT from Brdgnet for 160 traffic to the UAT-APP subnet:
www.durhammods.com/nat1.bmp
(the 160 subnet is known as InternalServers/23)
Just going with that one nat statement produces this error:
www.durhammods.com/error.bmp
Suggests to me that a nat statement is required in the opposite direction... and since I don't want one, I'll go with an exempt statement:
www.durhammods.com/nat2.bmp
So now I have two statements:
www.durhammods.com/nat3.bmp
No change... the "no translation" error persists.
According to Cisco:
Cisco Security Appliance System Log Messages, Version 7.2 - System Log Messages [Cisco ASA 5500 Series Adaptive Security Appliances] - Cisco Systems
"Explanation: A packet does not match any of the outbound nat command rules. If NAT is not configured for the specified source and destination systems, this message may be generated frequently.
Recommended Action: This message indicates a configuration error. If dynamic NAT is desired for the source host, ensure that the nat command matches the source IP address. If static NAT is desired for the source host, ensure that the local IP address of the static command matches. If no NAT is desired for the source host, check the ACL bound to the NAT 0 ACL."
I tried to get more specific and remove the nat exemption in favour of a true dynamic nat rule with a one-to-one mapping:
www.durhammods.com/nat4.bmp
This resulted in a different error:
%ASA-3-305006: portmap translation creation failed for tcp src UAT-APP:10.22.153.22/7402 dst UAT-WEB:UATWEB1/7080
Of interest, the errors did not occur with a destination of the Brdgnet interface, but all others. Makes me think that I need to put NAT statements on every interface if I add even one. I read about NAT control in my studies... am I right that this error suggests that NAT control is ON? And that if I turn it OFF, then I don't need to add a NAT statement everywhere?
I appreciate any insights from you ASA techies.
Mike
EDIT: I just checked, and NO NAT-CONTROL is in the config... it was never changed from the default (which is off).
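The CLI equivalent of what the post builds in ASDM, written out as an added example (this is not the poster's configuration, nor Cisco's documentation). It uses the pre-8.3 nat/global syntax that the 7.2 syslog document quoted above describes. The interface names Brdgnet and UAT-APP and the PAT address 10.22.153.250 are taken from the post; the subnet addresses for InternalServers/23 and the UAT-APP range are assumed placeholders, as are the access-list names.

```cisco
! Added example, not the poster's running config. Assumes pre-8.3 ASA software
! (nat/global syntax). 10.22.160.0/23 and 10.22.153.0/24 are ASSUMED placeholders
! for the InternalServers/23 and UAT-APP subnets; substitute the real ranges.

! Default state, matches the poster's EDIT: NAT is not mandatory for any flow.
no nat-control

! Policy NAT match: only vlan 160 traffic that is going to the APP subnet.
access-list BRDG_TO_APP extended permit ip 10.22.160.0 255.255.254.0 10.22.153.0 255.255.255.0

! NAT exemption for everything else vlan 160 sends through Brdgnet.
! The deny entry keeps APP-bound flows out of the exemption, because a nat 0
! access-list match is honoured before any dynamic nat/global rule.
access-list BRDG_NONAT extended deny   ip 10.22.160.0 255.255.254.0 10.22.153.0 255.255.255.0
access-list BRDG_NONAT extended permit ip 10.22.160.0 255.255.254.0 any

! Exemption first, then the dynamic rule and its single-address PAT pool.
nat (Brdgnet) 0 access-list BRDG_NONAT
nat (Brdgnet) 1 access-list BRDG_TO_APP
global (UAT-APP) 1 10.22.153.250

! Existing translations are not rebuilt when NAT config changes.
clear xlate
```

The reason the exemption is there: in pre-8.3 NAT, once a source is covered by a nat statement, the ASA expects a global, static or nat 0 entry for that source on every interface it sends traffic to, and a flow that finds none is dropped and logged as 305005 "No translation group found", which is consistent with the errors appearing for every destination except Brdgnet. After applying the change, `show xlate` should show a PAT entry on 10.22.153.250 for a vlan 160 host connecting to an APP server, and no entries for its other flows.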