ASA NAT Exempt Rule

Unanswered Question
Jul 20th, 2007

Hi,

Based on the attached diagram, I want to allow the network monitoring server to monitor the remote branch routers. Can I configure the ASA to allow traffic from the monitoring server to the branch routers without performing NAT? If not, is there any way for us to achieve the objective?

Thanks in advance.



Jon Marshall Fri, 07/20/2007 - 09:18

Hi

Yes, as long as the server IP address 2.2.2.2 is routable across your WAN and is not used anywhere else, this should be no problem at all.

It's not clear from your diagram what the addressing scheme is, but as long as the remote sites route 2.2.2.2 back to HQ you should be fine.

HTH

Jon

benghock Fri, 07/20/2007 - 17:36

I've tested the configuration with the below commands, but it is still not working.

nat (outside) 0 access-list outside_nat0_inbound

access-list outside_nat0_inbound extended permit ip host 2.2.2.2 host 1.1.1.1

I've checked the firewall log, and below is the error log:

No translation group found for icmp src outside: 2.2.2.2 dst inside:1.1.1.1 (type 8, code 0)

Any ideas?

Jon Marshall Fri, 07/20/2007 - 20:48

Hi

I actually misread your diagram at first. The monitoring server is on the outside. You should not have to worry about a translation for 2.2.2.2.

If you did have to use a NAT statement for every host on the outside of an ASA, it would be very difficult to use it as an internet firewall :)

Do you have translations set up for the inside servers, e.g.

static (inside,outside) 1.1.1.1 1.1.1.1 netmask 255.255.255.255

Jon

benghock Fri, 07/20/2007 - 21:03

Hi Jon,

All of the remote routers are located within the "inside" network; the monitoring server is located on the "outside" network. I'll test the suggested command, but the command is only applicable to one single host/router. How about the rest of the remote routers?

Thanks.

Beng Hock
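
The two ways of covering every branch router with one statement instead of one identity static per router, written out as an added example that is not part of the thread. It uses the pre-8.3 ASA syntax the thread uses and assumes 2.2.2.2 is the monitoring server on the outside and 10.10.0.0/16 (a placeholder) contains all of the branch routers on the inside.

```cisco
! Added example, not from the thread. Placeholders: 2.2.2.2 = monitoring
! server (outside), 10.10.0.0/16 = address range holding every branch
! router (inside). Pre-8.3 ASA syntax, as used in the thread.

! Option A: one identity static for the whole branch range. The ASA then
! has a translation for each router, so "No translation group found" stops.
static (inside,outside) 10.10.0.0 10.10.0.0 netmask 255.255.0.0

! Option B: NAT exemption. It is applied on the interface of the real
! (inside) hosts, with the inside range as source and the monitoring
! server as destination, so it matches the inside routers' addresses.
access-list inside_nat0_outbound extended permit ip 10.10.0.0 255.255.0.0 host 2.2.2.2
nat (inside) 0 access-list inside_nat0_outbound

! Either option only supplies the translation. Traffic arriving on the
! outside interface still has to be permitted by the outside ACL; allow
! only the monitoring protocols from the one server, not "permit ip".
access-list outside_access_in extended permit icmp host 2.2.2.2 10.10.0.0 255.255.0.0 echo
access-list outside_access_in extended permit udp host 2.2.2.2 10.10.0.0 255.255.0.0 eq snmp
access-group outside_access_in in interface outside

! Check the result for one branch router (10.10.1.1 is a placeholder).
! packet-tracer shows which NAT rule and ACL line the packet hits.
show xlate
packet-tracer input outside icmp 2.2.2.2 8 0 10.10.1.1
```

Use one of the two options, not both, and keep the outside ACL narrowed to the monitoring server's address and protocols.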


