static nat access issues

Unanswered Question
Jun 7th, 2008

In the attached configuration on an ASA 5510, traffic will not pass through the firewall from computers assigned to static NAT. Tested from IP with DNS, WWW, and cannot ping hosts on the DMZ.

husycisco Sat, 06/07/2008 - 05:40

Hi Dennis,

Please add the following

access-list LAN_access_in line 2 permit ip
policy-map global_policy
 class inspection_default
  inspect icmp

I also strongly recommend upgrading your IOS to at least 7.2(2).


dcholl1 Tue, 06/10/2008 - 15:03

This did not help.

Have upgraded to 7.2 and can now ping to the DMZ, but all access to the WAN is blocked on any host where a static NAT rule applies, e.g. host cannot access external webpages but host can. Have also tested from the WAN side; all static rules seem to be working properly, I can access the HTTPS webserver from the WAN address.

Have attached a new copy of the running config. Please HELP!!!!

Farrukh Haroon Tue, 06/10/2008 - 18:33

Your static NAT rules contain (One Hundred and Thirty Three).

Yet you are trying to test using and ; these will be subject to the PAT (global command) and not the NAT.

Even then, that should work fine.



dcholl1 Wed, 06/11/2008 - 02:44

I checked the config I posted and you are correct; it seems that I must have deleted the static NAT rule I was testing with. I will have to verify the running config on the firewall and then retest. Thank you for the response. I also have a question: everything on this config works except traffic from hosts with a static route to the WAN interface. On the hosts the firewall is not configured as the primary gateway. The primary gateway is , which then routes all traffic not specified by a route statement to the firewall @ . Could this be the problem? If so, can I fix this without changing the hosts' gateway, as they do not communicate well with our internal network that way.

Farrukh Haroon Wed, 06/11/2008 - 02:57

You could enable proxy ARP on the primary gateway's interface on which these hosts are connected. But proxy ARP is not part of good network design.



dcholl1 Wed, 06/11/2008 - 03:20

I will keep that in mind, but should this work set up the way it is now??

Should I maybe put all hosts that need static NAT on the DMZ interface, where the firewall is the gateway?

Farrukh Haroon Wed, 06/11/2008 - 03:42

As a general rule, hosts that require Outside >> Internal access are placed in the DMZ; other hosts that just need Inside >> Internet access need not be placed in the DMZ.

All other hosts not covered by NAT should go out fine using the dynamic NAT nat (inside) statement, as long as they can reach their default gateway properly (or the routing is OK).
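As an added illustration of the layout described in this thread, and not the poster's attached configuration: an ASA 7.2-style fragment (every interface name, address and ACL name here is constructed) with a static one-to-one translation for a published DMZ server, dynamic PAT for every other host, a route back to hosts that sit behind an internal router, and ICMP inspection so that echo replies are permitted statefully.

```cisco
! Constructed example, not the configuration from this thread.
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
interface Ethernet0/2
 nameif dmz
 security-level 50
 ip address 172.16.1.1 255.255.255.0
!
! Host that must be reachable from Outside >> DMZ gets a static translation.
! static (real_ifc,mapped_ifc) mapped_ip real_ip
static (dmz,outside) 203.0.113.10 172.16.1.10 netmask 255.255.255.255
!
! Open only the published service towards the translated address.
access-list outside_access_in extended permit tcp any host 203.0.113.10 eq https
access-group outside_access_in in interface outside
!
! Every other inside/dmz host falls through to dynamic PAT on the
! outside interface address (the "global" pool referenced above).
nat (inside) 1 192.168.1.0 255.255.255.0
nat (dmz) 1 172.16.1.0 255.255.255.0
global (outside) 1 interface
!
! If client subnets live behind an internal router (the hosts' primary
! gateway), the ASA needs a return route to them or replies are dropped.
route inside 10.0.0.0 255.0.0.0 192.168.1.254 1
!
! Stateful ICMP inspection: echo requests from inside/dmz get their
! replies back without a broad "permit icmp any any" on the outside ACL.
policy-map global_policy
 class inspection_default
  inspect icmp
service-policy global_policy global
```

Checking the result with `show xlate` distinguishes the one-to-one `static` entries from the PAT entries created by `global`, which is the difference Farrukh points out above.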



