New to ASA. Can't make NAT/PAT work...

Difan Zhao (Level 5)

I have an ASA 5510. Its firmware version is 8.0(3). I have a very simple setup on it, but my laptop (on the inside interface) can't ping outside devices...

Here are the commands I typed in. The rest of the show run is all default...

interface Ethernet0/0
 nameif outside
 security-level 100
 ip address 2.2.2.1 255.255.255.0
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.2.1.1 255.255.255.0
!
access-list ACL-outside extended permit icmp any any
access-list ACL-inside extended permit icmp any any
access-list ACL-inside extended permit ip any any
!
global (outside) 1 interface
nat (inside) 1 10.2.1.0 255.255.255.0 outside
static (inside,outside) 2.2.2.2 10.2.1.2 netmask 255.255.255.255
access-group ACL-outside in interface outside
access-group ACL-inside in interface inside
route outside 0.0.0.0 0.0.0.0 2.2.2.254 1
!

I have an outside host 1.1.1.1. I can ping it from the ASA. However my inside laptop 10.2.1.2 can't ping it...

In the "show nat" output translate_hits = 0.

In the "show logging" I do see a bunch of "%ASA-3-106014: Deny inbound icmp src inside:10.2.1.2 dst outside:1.1.1.1 (type 8, code 0)" errors.

That's why I made an access-list ACL-inside to permit anything but still no go. The hitcount of the ACL is 0...

I am very frustrated... Please help! Should be easy for you guys! Thanks a lot!

Difan

2 Accepted Solutions

pstebner10 (Level 1)

The security level on your outside interface should be 0, not 100.

HTH,

Paul


JamesLuther (Level 3)

Hi,

The problem is with your security levels.

By default the ASA won't route traffic between two interfaces of the same security level.

Either change the outside interface to be 0 (it should be anyway) or enter the following command:

same-security-traffic permit inter-interface

Also not sure you need the "outside" parameter on your nat (inside) statement???

Regards

James


6 Replies

Hi James,

I have no idea. I was struggling to make it work so I tried different commands and parameters... Do you mind telling me what the "outside" is for in the nat (inside) statement? Seems it didn't affect anything...

Thanks,

Difan

I have no idea... I was struggling to make it work so I tried different parameters... Do you mind telling me what the "outside" is for in the nat (inside) statement?

Thanks!

Difan

Difan,

The "outside" is used when you are using dynamic NAT on a lower to higher security interface, e.g.

nat (outside) 1 192.168.5.0 255.255.255.0 outside
global (inside) 1 interface

OR

nat (dmz) 1 192.168.5.0 255.255.255.0 outside
global (inside) 1 interface

In both the above examples the NAT is occurring from a lower security interface to a higher security interface.

The most common use of this sort of dynamic NAT is

nat (inside) 1 192.168.5.0 255.255.255.0
global (outside) 1 interface

Here the NAT is occurring from a higher to a lower security interface, so you do not need the "outside" at the end of your NAT statement.

Jon
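The two points made in this thread (James: interfaces at the same security level do not pass traffic unless same-security-traffic permit inter-interface is set; Jon: the trailing "outside" keyword on a dynamic nat line belongs only to lower-to-higher translations) can both be checked mechanically before a config is pushed. The script below is an added example and not part of the thread or any Cisco tool: it parses the pre-8.3 style interface, nat, and global lines into a small model and reports both conditions. The sample configurations are constructed from the one Difan posted, with the two fixes applied step by step; the parser only understands the handful of commands the thread uses.

```python
"""Lint an ASA 8.0-style running config for the two problems raised in the thread.

Checks (added example; constructed sample configs, not a real device dump):
  1. two interfaces share a security level and
     'same-security-traffic permit inter-interface' is absent
  2. a dynamic 'nat (X) <id> ...' line carries (or lacks) the trailing
     'outside' keyword inconsistently with the direction implied by the
     security levels of X and the interface named in 'global (Y) <id>'
"""
import re
from dataclasses import dataclass, field

# Constructed: the configuration as posted (outside at level 100, nat with 'outside').
AS_POSTED = """
interface Ethernet0/0
 nameif outside
 security-level 100
 ip address 2.2.2.1 255.255.255.0
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.2.1.1 255.255.255.0
!
global (outside) 1 interface
nat (inside) 1 10.2.1.0 255.255.255.0 outside
static (inside,outside) 2.2.2.2 10.2.1.2 netmask 255.255.255.255
route outside 0.0.0.0 0.0.0.0 2.2.2.254 1
"""

# Constructed: outside moved to security-level 0, 'outside' keyword still present.
LEVEL_FIXED = AS_POSTED.replace("nameif outside\n security-level 100",
                                "nameif outside\n security-level 0")

# Constructed: both fixes applied (higher-to-lower dynamic NAT, no keyword).
FULLY_FIXED = LEVEL_FIXED.replace("255.255.255.0 outside\n", "255.255.255.0\n")

NAT_RE = re.compile(r"^nat \((\S+)\) (\d+)\s+(.*)$")
GLOBAL_RE = re.compile(r"^global \((\S+)\) (\d+)\b")


@dataclass
class AsaConfig:
    levels: dict = field(default_factory=dict)     # nameif -> security-level
    nat_rules: list = field(default_factory=list)  # (nameif, pool id, has 'outside' keyword)
    pools: dict = field(default_factory=dict)      # pool id -> [nameif of each global line]
    same_security_inter: bool = False


def parse_asa_config(text):
    """Pick out interface levels, nat/global pairs and the same-security switch."""
    cfg = AsaConfig()
    nameif = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("interface ") or line == "!":
            nameif = None  # leave the interface sub-mode
        elif line.startswith("nameif "):
            nameif = line.split()[1]
        elif line.startswith("security-level ") and nameif:
            cfg.levels[nameif] = int(line.split()[1])
        elif line == "same-security-traffic permit inter-interface":
            cfg.same_security_inter = True
        elif (m := NAT_RE.match(line)):
            has_outside = m.group(3).split()[-1] == "outside"
            cfg.nat_rules.append((m.group(1), int(m.group(2)), has_outside))
        elif (m := GLOBAL_RE.match(line)):
            cfg.pools.setdefault(int(m.group(2)), []).append(m.group(1))
    return cfg


def lint(cfg):
    """Return a list of human-readable findings (empty list means clean)."""
    findings = []
    by_level = {}
    for name, lvl in cfg.levels.items():
        by_level.setdefault(lvl, []).append(name)
    if not cfg.same_security_inter:
        for lvl, names in by_level.items():
            if len(names) > 1:
                findings.append(
                    f"same-security: {', '.join(sorted(names))} are all at level {lvl}; "
                    "traffic between them is dropped unless "
                    "'same-security-traffic permit inter-interface' is configured")
    for src, pool, has_outside in cfg.nat_rules:
        if pool == 0:
            continue  # nat 0 (identity / exempt) has no matching global pool
        for dst in cfg.pools.get(pool, []):
            s, d = cfg.levels.get(src), cfg.levels.get(dst)
            if s is None or d is None:
                continue
            if has_outside and s > d:
                findings.append(f"nat ({src}) {pool}: 'outside' keyword is not needed on a "
                                f"higher-to-lower translation ({src}={s} -> {dst}={d})")
            elif not has_outside and s < d:
                findings.append(f"nat ({src}) {pool}: lower-to-higher translation "
                                f"({src}={s} -> {dst}={d}) needs the trailing 'outside' keyword")
    return findings


if __name__ == "__main__":
    for label, text in (("as posted", AS_POSTED), ("level fixed", LEVEL_FIXED),
                        ("fully fixed", FULLY_FIXED)):
        print(f"== {label} ==")
        for f in lint(parse_asa_config(text)) or ["clean"]:
            print(" ", f)
```

Run as a script it prints one finding for the posted config (both interfaces at level 100), one for the half-fixed config (the now-redundant "outside" keyword on a 100-to-0 translation), and "clean" once both fixes are in. Adding the same-security-traffic line instead of lowering the outside level also clears the first finding, matching James's alternative.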

Difan Zhao (Level 5)

Thank you guys! It worked!
