What am i doing wrong in this ASA config? Static NAT not working?

Posted on 2012-09-19
Last Modified: 2012-10-11
Got a new firewall and trying to configure it, but running into some issues since i'm not too familiar with the changes in syntax with the release of 8.3...

The IPs are as follows (some have been changed) : - DVR public IP - PBX public IP - Cisco ASA public IP (both the DVR and PBX are behind the ASA) - Cisco ASA public gateway

The DVR internal IP is
The PBX internal IP is

There are three internal subnets:, 16.0, and 17.0.  
15 is for clients and computers.  16 for phones, and 17 for VPN users (VPN pool on ASA)

The router is a layer 3 switch with IP address on the .15 network of
The ASA is  It has a route in it for the switch to get to the .16 network, and the ASA can ping any device on any subnet.

The problem we're having, is when we put in the NAT rule for the PBX (mapping it to we experience one-way audio on the phones.  When we remove the rule (so the PBX is just using the IP of the ASA's NAT pool), then everything works fine, BUT we need it to have a static 1 to 1 NAT so we can configure phones outside the company to connect too.  Right now, if we remove that NAT rule for the PBX, the phones inside the company work fine - they're establishing the connection to the SIP provider, and everything works.

What am I doing wrong?

ASA Version 8.4(2)
hostname DCC-ASA
enable password asdfasdf encrypted
passwd asdfasdf encrypted
interface Ethernet0/0
 switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
 nameif inside
 security-level 100
 ip address
interface Vlan2
 nameif outside
 security-level 0
 ip address
ftp mode passive
dns domain-lookup inside
dns domain-lookup outside
object network obj_any
object network obj-
object network obj-
object network EntireInternal
object network NETWORK_OBJ_192.168.17.0_28
object-group service DVRGROUP tcp
 port-object eq 9000
 port-object eq www
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
object-group service PBXGROUP tcp
 port-object eq sip
 port-object eq ssh
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended permit ip host (an outsidehost) host
access-list outside_access_in extended permit tcp any interface outside eq https
access-list outside_access_in extended permit tcp any object obj- object-group DVRGROUP
access-list outside_access_in extended permit tcp any object obj- object-group PBXGROUP
access-list inside_access_in extended permit ip any any
access-list DCCVPN_SplitTunnel standard permit
pager lines 24
logging enable
mtu inside 1500
mtu outside 1500
ip local pool VPNPOOL2 mask
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (inside,outside) source static EntireInternal EntireInternal destination static NETWORK_OBJ_192.168.17.0_28 NETWORK_OBJ_192.168.17.0_28 no-proxy-arp route-lookup
object network obj_any
 nat (inside,outside) dynamic interface
object network obj-
 nat (inside,outside) static
object network obj-
 nat (inside,outside) static
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
router rip
 passive-interface inside
 version 2
 no auto-summary
route outside 1
route inside 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpoint _SmartCallHome_ServerCA
 crl configure
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet inside
telnet timeout 5
ssh inside
ssh timeout 5
console timeout 0
management-access inside

dhcpd auto_config outside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
group-policy DCCVPN internal
group-policy DCCVPN attributes
 dns-server value
 vpn-tunnel-protocol ikev1
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value DCCVPN_SplitTunnel
 default-domain value
tunnel-group DCCVPN type remote-access
tunnel-group DCCVPN general-attributes
 address-pool VPNPOOL2
 default-group-policy DCCVPN
tunnel-group DCCVPN ipsec-attributes
 ikev1 pre-shared-key *****
class-map inspection_default
 match default-inspection-traffic
policy-map type inspect dns preset_dns_map
  message-length maximum client auto
  message-length maximum 512
policy-map type inspect dns preqwqer
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect netbios
  inspect tftp
  inspect ip-options
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
 profile CiscoTAC-1
  no active
  destination address http
  destination address email
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
: end
Question by:Mystical_Ice
    LVL 12

    Expert Comment

    by:Henk van Achterberg
    Try this statement instead:

    nat (inside,outside) source static

    Author Comment

    No go.  Didn't work - gave an error about the object group existing.

    Question - how do i test if traffic is even making it to the ASA on that IP?  I've gone through the 'packet tracer' utility on the ASA to make sure the packets are going THROUGH it right, but is there a log i can turn on to see when I try to connect if it's even seeing the traffic?
    LVL 35

    Expert Comment

    by:Ernie Beek
    The easiest would be the ASDM logging:
    Monitoring->logging->real time log viewer

    And see what it's telling.
    LVL 12

    Accepted Solution

    You should remove this first:

    object network obj-
     nat (inside,outside) static


    no object network obj-

    and then try to add the NAT statement I gave you earlier.

    Write Comment

    Please enter a first name

    Please enter a last name

    We will never share this with anyone.

    Featured Post

    6 Surprising Benefits of Threat Intelligence

    All sorts of threat intelligence is available on the web. Intelligence you can learn from, and use to anticipate and prepare for future attacks.

    Suggested Solutions

    When I upgraded my ASA 8.2 to 8.3, I realized that my nonat statement was failing!   The log showed the following error:     %ASA-5-305013: Asymmetric NAT rules matched for forward and reverse flows It was caused by the config upgrade, because t…
    Overview The Cisco PIX 501, PIX 506e, ASA 5505 and ASA 5510 (most if not all of this information will be relevant to the PIX 515e but I do not have a working configuration handy to verify the validity) are primarily used within small to medium busi…
    Migrating to Microsoft Office 365 is becoming increasingly popular for organizations both large and small. If you have made the leap to Microsoft’s cloud platform, you know that you will need to create a corporate email signature for your Office 365…
    Excel styles will make formatting consistent and let you apply and change formatting faster. In this tutorial, you'll learn how to use Excel's built-in styles, how to modify styles, and how to create your own. You'll also learn how to use your custo…

    758 members asked questions and received personalized solutions in the past 7 days.

    Join the community of 500,000 technology professionals and ask your questions.

    Join & Ask a Question

    Need Help in Real-Time?

    Connect with top rated Experts

    14 Experts available now in Live!

    Get 1:1 Help Now