static nat access issues

dcholl1
Level 1

In the attached configuration on an ASA 5510, traffic will not pass through the firewall from computers assigned to static NAT. Tested from IP 192.168.100.99 with DNS and WWW, and cannot ping hosts on the DMZ.

8 Replies

dcholl1
Level 1

Sorry, config attached.

Hi Dennis,

Please add the following:

access-list LAN_access_in line 2 permit ip 192.168.100.0 255.255.255.0 10.100.100.0 255.255.255.0

policy-map global_policy
 class inspection_default
  inspect icmp

I also strongly recommend upgrading your IOS to at least 7.2(2).

Regards

This did not help.

I have upgraded to 7.2 and can now ping the DMZ, but all access to the WAN is blocked on any host where a static NAT rule applies, e.g. host 192.168.100.99 cannot access external web pages but host 192.168.100.33 can. I have also tested from the WAN side; all static rules seem to be working properly and I can access the HTTPS web server from the WAN address.

I have attached a new copy of the running config, please HELP!!!!

Your static NAT rules contain 192.168.100.199 and 192.168.100.133 (one hundred and thirty-three).

Yet you are trying to test using 192.168.100.99 and 192.168.100.33; these will be subject to the PAT (global command) and not the NAT.

Even then that should work fine.

Regards

Farrukh
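The point of this reply, that a host not named in any `static` line falls through to the `nat`/`global` PAT, can be checked mechanically against a running config instead of by eye. The following Python is an added example, not code from this thread or from Cisco: it parses pre-8.3 `static`, `nat` and `global` lines from a constructed config fragment (the outside addresses are TEST-NET placeholders, since the thread's attached config is not on the page; the inside hosts mirror the ones named above) and reports which translation each test host would receive, consulting static rules before the dynamic nat/global pair as the ASA does.

```python
import ipaddress
import re

# Constructed sample in ASA 7.x (pre-8.3) NAT syntax. Outside addresses are
# TEST-NET placeholders, not values from the thread's attached config.
SAMPLE_CONFIG = """
static (inside,outside) 203.0.113.10 192.168.100.199 netmask 255.255.255.255
static (inside,outside) 203.0.113.11 192.168.100.133 netmask 255.255.255.255
nat (inside) 1 192.168.100.0 255.255.255.0
global (outside) 1 interface
"""

STATIC_RE = re.compile(
    r"^static \((?P<real_if>\w+),(?P<mapped_if>\w+)\) "
    r"(?P<mapped>\S+) (?P<real>\S+) netmask (?P<mask>\S+)")
NAT_RE = re.compile(r"^nat \((?P<real_if>\w+)\) (?P<id>\d+) (?P<net>\S+) (?P<mask>\S+)")
GLOBAL_RE = re.compile(r"^global \((?P<mapped_if>\w+)\) (?P<id>\d+) (?P<pool>\S+)")


def parse_config(text):
    """Collect static rules, nat statements and global pools from config text."""
    cfg = {"static": [], "nat": [], "global": {}}
    for raw in text.splitlines():
        line = raw.strip()
        m = STATIC_RE.match(line)
        if m:
            real_net = ipaddress.ip_network(f"{m['real']}/{m['mask']}", strict=False)
            cfg["static"].append((real_net, m["mapped"], m["real_if"], m["mapped_if"]))
            continue
        m = NAT_RE.match(line)
        if m:
            net = ipaddress.ip_network(f"{m['net']}/{m['mask']}", strict=False)
            cfg["nat"].append((m["real_if"], int(m["id"]), net))
            continue
        m = GLOBAL_RE.match(line)
        if m:
            cfg["global"][(int(m["id"]), m["mapped_if"])] = m["pool"]
    return cfg


def classify(host, cfg, real_if="inside", mapped_if="outside"):
    """Return a short description of the translation host would get."""
    ip = ipaddress.ip_address(host)
    # Static translations are consulted before the dynamic nat/global pairs.
    for real_net, mapped, rif, mif in cfg["static"]:
        if rif == real_if and mif == mapped_if and ip in real_net:
            return f"static NAT -> {mapped}"
    for rif, nat_id, net in cfg["nat"]:
        if rif == real_if and ip in net:
            pool = cfg["global"].get((nat_id, mapped_if))
            if pool is None:
                return (f"nat ({real_if}) {nat_id} matches but there is no "
                        f"global ({mapped_if}) {nat_id}: no translation")
            kind = "PAT" if pool == "interface" else "dynamic NAT/PAT pool"
            return f"{kind} via global ({mapped_if}) {nat_id} {pool}"
    return "no NAT rule matches (passes untranslated unless nat-control is enabled)"


if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    # The hosts the thread tested with, plus the ones the static lines name.
    for host in ("192.168.100.99", "192.168.100.33", "192.168.100.199", "192.168.100.133"):
        print(host, "->", classify(host, cfg))
```

Running it shows 192.168.100.99 and .33 landing on the interface PAT while .199 and .133 hit their static entries, which is exactly the mismatch Farrukh points out; paste the `static`/`nat`/`global` section of the real running config in place of the sample to repeat the check on a live box.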

I checked the config I posted and you are correct; it seems that I must have deleted the static NAT rule I was testing with. I will have to verify the running config on the firewall and then retest. Thank you for the response. I also have a question: everything on this config works except traffic from hosts with a static route to the WAN interface. On the hosts the firewall is not configured as the primary gateway. The primary gateway is 192.168.100.1, which then routes all traffic not specified by a route statement to the firewall at 192.168.100.232. Could this be the problem? If so, can I fix this without changing the hosts' gateway, as they do not communicate well with our internal network that way?

You could enable proxy ARP on the primary gateway's interface to which these hosts are connected. But proxy ARP is not part of good network design.

Regards

Farrukh

I will keep that in mind, but should this work set up the way it is now??

Should I maybe put all hosts that need static NAT on the DMZ interface, where the firewall is the gateway?

As a general rule, hosts that require Outside >> Internal access are placed in the DMZ; other hosts that just need Inside >> Internet access need not be placed in the DMZ.

All other hosts not covered by NAT should go out fine using the dynamic NAT nat (inside) statement, as long as they can reach their default gateway properly (or the routing is OK).

Regards

Farrukh
