06-07-2008 03:53 AM - edited 03-11-2019 05:56 AM
In the attached configuration on an ASA 5510, traffic will not pass through the firewall from computers assigned to static NAT. Tested from IP 192.168.100.99 with DNS and WWW, and cannot ping hosts on the DMZ.
06-07-2008 03:58 AM
06-07-2008 05:40 AM
Hi Dennis,
Please add the following
access-list LAN_access_in line 2 permit ip 192.168.100.0 255.255.255.0 10.100.100.0 255.255.255.0
policy-map global_policy
class inspection_default
inspect icmp
I also strongly recommend upgrading your IOS to at least 7.2(2).
Regards
06-10-2008 03:03 PM
This did not help.
Have upgraded to 7.2 and can now ping the DMZ, but all access to the WAN is blocked on any host where a static NAT rule applies, e.g. host 192.168.100.99 cannot access external web pages but host 192.168.100.33 can. Have also tested from the WAN side; all static rules seem to be working properly, I can access the HTTPS web server from the WAN address.
Have attached a new copy of the running config, please HELP!!!!
06-10-2008 06:33 PM
Your static NAT rules contain 192.168.100.199 and 192.168.100.133 (One Hundred and Thirty Three).
Yet you are trying to test using 192.168.100.99 and 192.168.100.33; these will be subject to the PAT (global command) and not the NAT.
Even then that should work fine.
Regards
Farrukh
06-11-2008 02:44 AM
I checked the config I posted and you are correct; it seems that I must have deleted the static NAT rule I was testing with. I will have to verify the running config on the firewall and then retest. Thank you for the response. I also have a question: everything on this config works except traffic from hosts with a static route to the WAN interface. On the hosts the firewall is not configured as the primary gateway. The primary gateway is 192.168.100.1, which then routes all traffic not specified by a route statement to the firewall @ 192.168.100.232. Could this be the problem? If so, can I fix this without changing the hosts' gateway, as they do not communicate well with our internal network that way.
06-11-2008 02:57 AM
You could enable proxy ARP on the primary gateway's interface to which these hosts are connected. But proxy ARP is not part of good network design.
Regards
Farrukh
06-11-2008 03:20 AM
I will keep that in mind, but should this work set up the way it is now??
Should I maybe put all hosts that need static NAT on the DMZ interface, where the firewall is the gateway?
06-11-2008 03:42 AM
As a general rule, hosts that require Outside >> Internal access are placed in the DMZ; other hosts that just need Inside >> Internet access need not be placed in the DMZ.
All other hosts not covered by NAT should go out fine using the dynamic NAT nat (inside) statement, as long as they can reach their default gateway properly (or the routing is OK).
Regards
Farrukh
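The point made twice in this thread (a host only gets the static translation if its address is literally in a static line; everything else in the nat (inside) range falls through to the global PAT) can be checked against a config before testing from a workstation. The script below is an added example, not part of the thread or of the original poster's config: it parses ASA 7.x static / nat / global lines and reports which translation an inside host would get. The sample config is constructed, the public addresses are 203.0.113.x placeholders, and nat 0 exemption and policy NAT are deliberately not modelled.

```python
import ipaddress
import re

# Constructed sample in the thread's style; 203.0.113.x are placeholder public IPs.
SAMPLE_CONFIG = """
static (inside,outside) 203.0.113.10 192.168.100.199 netmask 255.255.255.255
static (inside,outside) 203.0.113.11 192.168.100.133 netmask 255.255.255.255
nat (inside) 1 192.168.100.0 255.255.255.0
global (outside) 1 interface
"""

STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) (\S+) (\S+) netmask (\S+)")
NAT_RE = re.compile(r"^nat \((\w+)\) (\d+) (\S+) (\S+)")
GLOBAL_RE = re.compile(r"^global \((\w+)\) (\d+) (\S+)")


def parse_nat(config: str):
    """Collect static entries, dynamic nat entries and global pools from config text."""
    statics, nats, globals_ = [], [], {}
    for line in config.splitlines():
        line = line.strip()
        if m := STATIC_RE.match(line):
            src_if, _dst_if, mapped, real, mask = m.groups()
            # A static may cover one host (/32) or a whole subnet, so keep it as a network.
            statics.append((src_if, ipaddress.ip_network(f"{real}/{mask}", strict=False), mapped))
        elif m := NAT_RE.match(line):
            iface, nat_id, net, mask = m.groups()
            nats.append((iface, int(nat_id), ipaddress.ip_network(f"{net}/{mask}", strict=False)))
        elif m := GLOBAL_RE.match(line):
            iface, nat_id, pool = m.groups()
            globals_[int(nat_id)] = (iface, pool)
    return statics, nats, globals_


def translation_for(config: str, host: str, iface: str = "inside") -> str:
    """Report the outbound translation a host on `iface` would receive."""
    statics, nats, globals_ = parse_nat(config)
    ip = ipaddress.ip_address(host)
    # Static (one-to-one) entries are matched before dynamic nat/global pairs.
    for src_if, real_net, mapped in statics:
        if src_if == iface and ip in real_net:
            return f"static -> {mapped}"
    # Otherwise the host is PATed by the global pool whose id matches its nat id.
    for nat_if, nat_id, net in nats:
        if nat_if == iface and ip in net and nat_id in globals_:
            return f"PAT (nat id {nat_id}) -> {globals_[nat_id][1]}"
    return "none"
```

Running translation_for(SAMPLE_CONFIG, "192.168.100.99") reports the PAT, while "192.168.100.199" reports its static mapping, which is exactly the distinction behind the .99 versus .199 mix-up above.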