
PAT issue on ASA5510, where a static NAT works

KARL WHITSON
Level 1

I have a strange PAT issue. I have a 5510 firewall with some webservers, a switch and an internet router attached to the outside interface. If I use an internal machine with a static NAT I can ping and telnet to the router and switch and browse a webmail account on a webserver. Although, if I try to do that same thing from an internal machine using PAT (overload on the outside interface) it fails. Ping will reply one time and then time out the remaining three. Telnet and browsing to the webmail account both fail. Any suggestions would be appreciated.

1 Reply

JORGE RODRIGUEZ
Level 10

Hi,

I think I understand your post, but I am not quite 100% sure of your topology. Please correct me if my understanding is wrong. Also look at the ASDM real-time log for more clues about what the problem could be.

Where is your webmail server, on the outside or inside? Could you provide more info on where the webmail server is located?

LAN-ASA5510Outside-SW-InternetRT, is this your topology?

If so, assume this example:

ASA-Outside IP = 99.99.99.99

Outside router Ethernet interface 99.99.99.100

Outside switch IP = 99.99.99.101 its DG 100

LAN Network 192.168.1.0/24

The LAN segment needs to be PATed to reach the outside router and outside switch external IP addresses.

This is all you need in ASA-5510 to reach external switch and/or router from any 192.168.1.0/24 host.

global (outside) 1 interface

nat (inside) 1 192.168.1.0 255.255.255.0

or

global (outside) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0

Regards

Jorge Rodriguez
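
The reply's configuration works because the `nat` and `global` statements share the same NAT ID. The following is an added example, not code from either poster: a small offline check that reads pre-8.3 style `nat`/`global` lines and reports how a given inside host would be translated. The sample config is constructed from the reply's example addressing; the `10.10.0.0` rule and the function names are assumptions added to show the unmatched-ID case.

```python
import ipaddress
import re

# Constructed sample: the reply's PAT pair plus one nat rule with no global.
SAMPLE_CONFIG = """\
global (outside) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0
nat (inside) 2 10.10.0.0 255.255.0.0
"""

IPV4 = r"(\d+\.\d+\.\d+\.\d+)"
NAT_RE = re.compile(rf"^nat \((\S+)\)\s+(\d+)\s+{IPV4}\s+{IPV4}")
GLOBAL_RE = re.compile(r"^global \((\S+)\)\s+(\d+)\s+(\S+)")


def parse(config):
    """Collect nat rules and global pools from pre-8.3 style lines."""
    nats, pools = [], {}
    for line in map(str.strip, config.splitlines()):
        m = NAT_RE.match(line)
        if m:
            ifc, nat_id, addr, mask = m.groups()
            nats.append((ifc, int(nat_id), ipaddress.ip_network(f"{addr}/{mask}")))
            continue
        m = GLOBAL_RE.match(line)
        if m:
            ifc, nat_id, pool = m.groups()
            pools.setdefault((ifc, int(nat_id)), []).append(pool)
    return nats, pools


def pat_status(config, host, src_if="inside", dst_if="outside"):
    """Say how `host` would be translated going from src_if to dst_if."""
    nats, pools = parse(config)
    ip = ipaddress.ip_address(host)
    hits = [(net.prefixlen, nid) for ifc, nid, net in nats
            if ifc == src_if and ip in net]
    if not hits:
        return "no nat rule matches"
    nat_id = max(hits)[1]  # the most specific nat network is used
    if nat_id == 0:
        return "nat 0: not translated"
    targets = pools.get((dst_if, nat_id))
    if not targets:
        return f"nat id {nat_id} has no global on {dst_if}"
    return f"nat id {nat_id} -> {', '.join(targets)}"
```

It only models dynamic `nat`/`global` pairing; `static` entries and `nat 0 access-list` exemptions are skipped.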