outside nat in asa

diptanshusingh
Level 1

Hi guys, I am a bit confused, please help me.

RTR2----(Outside)ASA(Inside)----Rtr1

The outside network range is 192.168.1.0/24, with Rtr2 having .2 and the ASA having .1.

The inside network range is 192.168.2.0, with the ASA having .1 and Rtr1 having .2.

Now I want to perform dynamic outside NAT for Rtr2.

nat (outside) 1 192.168.1.0 255.255.255.0

global (inside) 1 interface

or

nat (outside) 1 192.168.1.0 255.255.255.0 outside

global (inside) 1 interface

-------

I know that the outside keyword is used for outside NAT, and when I try to configure the nat command on the outside interface, it gives me a warning also, but it takes the command.

My doubt is why outside NAT doesn't work with the outside keyword. I hope you guys got my doubt.


mattiaseriksson
Level 3

You are correct, this is the correct way to do it.

nat (outside) 1 192.168.1.0 255.255.255.0 outside

global (inside) 1 interface

If it is not working, check the access-list applied to the outside interface, and use show xlate to confirm whether you have any other existing xlates.

Please post the complete sanitized config if this does not help.

Hi, thanks for your reply Matti. Actually, what I wanted to know is why it only works when we apply the "outside" keyword, because without that also, when I say

nat (outside) 1 192.168.1.0 255.255.255.0

it means NAT for the source IP address 192.168.1.0/24 to a different IP address.

The outside keyword will allow the connections to initiate from an interface with a lower security level.

Ohh, thanks, I got it. This means when I want to configure the same thing from my DMZ to inside,

then I have to apply

nat (dmz) 1 0 0 outside..

Correct.

The outside keyword represents any outer (less secure) interface, not the actual outside interface.

Thanks for clearing up my concept.

Hi Matti, I have the following setup

host---(inside)Pix(Outside)---Rtr

host ip address 10.0.0.10

Pix Inside 10.0.0.1

Pix Outside 172.31.0.1

Rtr IP address: 172.31.0.2 (Rtr having a default route to the PIX)

I tried to configure outside NAT, but it's not working.

hostname Firewall
enable password xxx encrypted
names
interface Ethernet0
 speed 100
 nameif outside
 security-level 0
 ip address 172.31.0.1 255.255.255.0
!
interface Ethernet1
 speed 100
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0
!
passwd xxx
ftp mode passive
access-list outside extended permit ip any any
pager lines 24
logging enable
icmp unreachable rate-limit 1 burst-size 1
nat-control
global (inside) 1 interface
nat (outside) 1 0.0.0.0 0.0.0.0 outside
nat (inside) 1 0.0.0.0 0.0.0.0
access-group outside in interface outside
telnet timeout 5
ssh timeout 5
console timeout 0

----

I see the following messages

%PIX-6-305011: Built dynamic ICMP translation from outside:172.31.0.2/2253 to inside:10.0.0.1/30
%PIX-3-305005: No translation group found for icmp src outside:172.31.0.2 dst inside:Insrv (type 8, code 0)
%PIX-6-305011: Built dynamic ICMP translation from outside:172.31.0.2/2254 to inside:10.0.0.1/31
%PIX-3-305005: No translation group found for icmp src outside:172.31.0.2 dst inside:Insrv (type 8, code 0)
%PIX-6-305011: Built dynamic ICMP translation from outside:172.31.0.2/2255 to inside:10.0.0.1/32
%PIX-3-305005: No translation group found for icmp src outside:172.31.0.2 dst inside:Insrv (type 8, code 0)
%PIX-6-305011: Built dynamic ICMP translation from outside:172.31.0.2/2256 to inside:10.0.0.1/33
%PIX-3-305005: No translation group found for icmp src outside:172.31.0.2 dst inside:Insrv (type 8, code 0)
%PIX-6-305011: Built dynamic ICMP translation from outside:172.31.0.2/2257 to inside:10.0.0.1/34
%PIX-3-305005: No translation group found for icmp src outside:172.31.0.2 dst inside:Insrv (type 8, code 0)

--------------

show xlate output

PAT Global 10.0.0.1(36) Local 172.31.0.2 ICMP id 5850
PAT Global 10.0.0.1(35) Local 172.31.0.2 ICMP id 5849

Now you are only translating the source address of the outside host, NAT for the destination address also has to be configured. You want to reach the inside host by its real address? Then you need to do this:

static (inside,outside) 10.0.0.10 10.0.0.10 netmask 255.255.255.255

Yeah, got it. But can I use dynamic NAT in these cases instead of using static NAT?

You can use nat 0 to disable NAT:

access-list 103 permit ip 10.0.0.0 255.255.255.0 any

nat (inside) 0 access-list 103

You can tune that ACL to only allow some traffic if you want to.
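To make the behaviour discussed in this thread concrete, here is an added toy model of the nat-control lookup (constructed for illustration, not Cisco code and not from any poster): it reproduces why the dynamic outside NAT above builds a source xlate but still logs "No translation group found" until the inside host gets a static or a nat 0 exemption, and why a dynamic nat on a lower-security interface needs the outside keyword. Interface names, security levels and the result strings are assumptions of the model.

```python
import ipaddress

# Constructed toy model of the PIX/ASA 7.x nat-control lookup. A packet
# arriving on `ingress` and leaving via `egress` needs a translation for its
# source (nat 0 on the ingress side, or dynamic nat + matching global) and,
# with nat-control enabled, a translation for the destination host as well
# (static or nat 0 on the egress side). Result strings are this model's own.
class NatControlModel:
    def __init__(self, security_levels):
        self.sec = security_levels   # interface name -> security level
        self.dynamic = []            # (iface, nat_id, network, outside_keyword)
        self.globals = set()         # (iface, nat_id)
        self.statics = []            # (real_if, mapped_if, real_network)
        self.nat0 = {}               # iface -> list of exempt networks

    def nat(self, iface, nat_id, net, outside=False):
        self.dynamic.append((iface, nat_id, ipaddress.ip_network(net), outside))

    def global_(self, iface, nat_id):
        self.globals.add((iface, nat_id))

    def static(self, real_if, mapped_if, net):
        self.statics.append((real_if, mapped_if, ipaddress.ip_network(net)))

    def nat0_acl(self, iface, nets):
        self.nat0[iface] = [ipaddress.ip_network(n) for n in nets]

    def _exempt(self, iface, addr):
        return any(addr in n for n in self.nat0.get(iface, []))

    def lookup(self, ingress, egress, src, dst):
        src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        # Source side: nat 0 on the ingress interface, or dynamic nat + global.
        src_ok = self._exempt(ingress, src)
        for iface, nat_id, net, outside in self.dynamic:
            if iface == ingress and src in net and (egress, nat_id) in self.globals:
                # A flow from a lower- to a higher-security interface only
                # builds a dynamic xlate when the `outside` keyword is present.
                if self.sec[ingress] < self.sec[egress] and not outside:
                    continue
                src_ok = True
        if not src_ok:
            return "no translation for source"
        # Destination side: the egress-side host needs a static or nat 0 entry.
        dst_ok = self._exempt(egress, dst) or any(
            r == egress and m == ingress and dst in net
            for r, m, net in self.statics)
        if not dst_ok:
            return "no translation group found for destination"
        return "translation built"
```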
