• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 943
  • Last Modified:

What am i doing wrong in this ASA config? Static NAT not working?

Got a new firewall and trying to configure it, but running into some issues since i'm not too familiar with the changes in syntax with the release of 8.3...

The IPs are as follows (some have been changed) : - DVR public IP - PBX public IP - Cisco ASA public IP (both the DVR and PBX are behind the ASA) - Cisco ASA public gateway

The DVR internal IP is
The PBX internal IP is

There are three internal subnets:, 16.0, and 17.0.  
15 is for clients and computers.  16 for phones, and 17 for VPN users (VPN pool on ASA)

The router is a layer 3 switch with IP address on the .15 network of
The ASA is  It has a route in it for the switch to get to the .16 network, and the ASA can ping any device on any subnet.

The problem we're having, is when we put in the NAT rule for the PBX (mapping it to we experience one-way audio on the phones.  When we remove the rule (so the PBX is just using the IP of the ASA's NAT pool), then everything works fine, BUT we need it to have a static 1 to 1 NAT so we can configure phones outside the company to connect too.  Right now, if we remove that NAT rule for the PBX, the phones inside the company work fine - they're establishing the connection to the SIP provider, and everything works.

What am I doing wrong?

ASA Version 8.4(2)
hostname DCC-ASA
enable password asdfasdf encrypted
passwd asdfasdf encrypted
interface Ethernet0/0
 switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
 nameif inside
 security-level 100
 ip address
interface Vlan2
 nameif outside
 security-level 0
 ip address
ftp mode passive
dns domain-lookup inside
dns domain-lookup outside
object network obj_any
object network obj-
object network obj-
object network EntireInternal
object network NETWORK_OBJ_192.168.17.0_28
object-group service DVRGROUP tcp
 port-object eq 9000
 port-object eq www
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
object-group service PBXGROUP tcp
 port-object eq sip
 port-object eq ssh
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended permit ip host (an outsidehost) host
access-list outside_access_in extended permit tcp any interface outside eq https
access-list outside_access_in extended permit tcp any object obj- object-group DVRGROUP
access-list outside_access_in extended permit tcp any object obj- object-group PBXGROUP
access-list inside_access_in extended permit ip any any
access-list DCCVPN_SplitTunnel standard permit
pager lines 24
logging enable
mtu inside 1500
mtu outside 1500
ip local pool VPNPOOL2 mask
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (inside,outside) source static EntireInternal EntireInternal destination static NETWORK_OBJ_192.168.17.0_28 NETWORK_OBJ_192.168.17.0_28 no-proxy-arp route-lookup
object network obj_any
 nat (inside,outside) dynamic interface
object network obj-
 nat (inside,outside) static
object network obj-
 nat (inside,outside) static
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
router rip
 passive-interface inside
 version 2
 no auto-summary
route outside 1
route inside 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpoint _SmartCallHome_ServerCA
 crl configure
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet inside
telnet timeout 5
ssh inside
ssh timeout 5
console timeout 0
management-access inside

dhcpd auto_config outside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
group-policy DCCVPN internal
group-policy DCCVPN attributes
 dns-server value
 vpn-tunnel-protocol ikev1
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value DCCVPN_SplitTunnel
 default-domain value doorcc.com
tunnel-group DCCVPN type remote-access
tunnel-group DCCVPN general-attributes
 address-pool VPNPOOL2
 default-group-policy DCCVPN
tunnel-group DCCVPN ipsec-attributes
 ikev1 pre-shared-key *****
class-map inspection_default
 match default-inspection-traffic
policy-map type inspect dns preset_dns_map
  message-length maximum client auto
  message-length maximum 512
policy-map type inspect dns preqwqer
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect netbios
  inspect tftp
  inspect ip-options
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
: end
  • 2
1 Solution
Henk van AchterbergCommented:
Try this statement instead:

nat (inside,outside) source static
Mystical_IceAuthor Commented:
No go.  Didn't work - gave an error about the object group existing.

Question - how do i test if traffic is even making it to the ASA on that IP?  I've gone through the 'packet tracer' utility on the ASA to make sure the packets are going THROUGH it right, but is there a log i can turn on to see when I try to connect if it's even seeing the traffic?
Ernie BeekCommented:
The easiest would be the ASDM logging:
Monitoring->logging->real time log viewer

And see what it's telling.
Henk van AchterbergCommented:
You should remove this first:

object network obj-
 nat (inside,outside) static


no object network obj-

and then try to add the NAT statement I gave you earlier.

Featured Post

What Security Threats Are We Predicting for 2018?

Cryptocurrency, IoT botnets, MFA, and more! Hackers are already planning their next big attacks for 2018. Learn what you might face, and how to defend against it with our 2018 security predictions.

  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now