03-02-2009 10:52 AM - edited 03-11-2019 07:59 AM
I have an ASA 5510. Its firmware version is 8.0(3). I have a very simple setup on it, but my laptop (on the inside interface) can't ping outside devices...
Here are the commands I typed in. The rest of the show run is all default...
interface Ethernet0/0
nameif outside
security-level 100
ip address 2.2.2.1 255.255.255.0
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 10.2.1.1 255.255.255.0
!
access-list ACL-outside extended permit icmp any any
access-list ACL-inside extended permit icmp any any
access-list ACL-inside extended permit ip any any
!
global (outside) 1 interface
nat (inside) 1 10.2.1.0 255.255.255.0 outside
static (inside,outside) 2.2.2.2 10.2.1.2 netmask 255.255.255.255
access-group ACL-outside in interface outside
access-group ACL-inside in interface inside
route outside 0.0.0.0 0.0.0.0 2.2.2.254 1
!
I have an outside host 1.1.1.1. I can ping it from the ASA. However my inside laptop 10.2.1.2 can't ping it...
In the "show nat" output translate_hits = 0.
In the "show logging" I do see bunch of "%ASA-3-106014: Deny inbound icmp src inside:10.2.1.2 dst outside:1.1.1.1 (type 8, code 0)" errors.
That's why I made an access-list ACL-inside to permit anything but still no go. The hitcount of the ACL is 0...
I am very frustrated... Please help! Should be easy for you guys! Thanks a lot!
Difan
03-02-2009 11:38 AM
The security level on your outside interface should be 0, not 100.
HTH,
Paul
03-02-2009 11:45 AM
Hi,
The problem is with your security levels
By default ASA won't route traffic between two interfaces of the same security level.
Either change outside interface to be 0 (should be anyway) or enter following command
same-security-traffic permit inter-interface
Also, I'm not sure you need the "outside" parameter on your nat (inside) statement?
Regards
James
03-02-2009 01:06 PM
Hi James,
I have no idea. I was struggling to make it work so I tried different commands and parameters... Do you mind telling me what the "outside" is for in the nat (inside) statement? Seems it didn't affect anything...
Thanks,
Difan
03-02-2009 03:45 PM
I have no idea... I was struggling to make it work so I tried different parameters... Do you mind telling me what the "outside" is for in the nat (inside) statement?
Thanks!
Difan
03-02-2009 04:39 PM
Difan
The "outside" is used when you are using dynamic NAT from a lower to a higher security interface, e.g.
nat (outside) 1 192.168.5.0 255.255.255.0 outside
global (inside) 1 interface
OR
nat (dmz) 1 192.168.5.0 255.255.255.0 outside
global (inside) 1 interface
In both the above examples the NAT is occurring from a lower security interface to a higher security interface.
The most common use of this sort of dynamic NAT is
nat (inside) 1 192.168.5.0 255.255.255.0
global (outside) 1 interface
Here the NAT is occurring from a higher to a lower security interface, so you do not need the "outside" at the end of your NAT statement.
Jon
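For reference, here is the corrected version of the configuration from the first post with both fixes from this thread applied: the outside interface at security-level 0 (Paul's and James's point) and the dynamic NAT statement without the trailing "outside" keyword (Jon's point). This is an added example written for this page, not a config any of the posters supplied; the addresses are the ones from the original post, and the policy-map and class names are the ASA 8.0 defaults.

```cisco
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 2.2.2.1 255.255.255.0
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.2.1.1 255.255.255.0
!
access-list ACL-inside extended permit ip any any
!
global (outside) 1 interface
nat (inside) 1 10.2.1.0 255.255.255.0
static (inside,outside) 2.2.2.2 10.2.1.2 netmask 255.255.255.255
!
access-group ACL-inside in interface inside
route outside 0.0.0.0 0.0.0.0 2.2.2.254 1
!
policy-map global_policy
 class inspection_default
  inspect icmp
!
service-policy global_policy global
```

Two things differ from the original beyond the two fixes. First, the "access-list ACL-outside extended permit icmp any any" and its access-group are gone: with ICMP inspection enabled in the default global policy, the ASA tracks each outbound echo request and lets the matching reply back in on its own, so the outside interface needs no ACL for pings to work, and nothing on the Internet can ping (or be pinged through) the static 2.2.2.2 mapping. Leaving "permit icmp any any" on the outside interface would have opened that. Second, James's alternative of "same-security-traffic permit inter-interface" with both interfaces left at 100 would also have restored connectivity, but it makes the inside and outside interfaces peers, so the outside ACL becomes the only thing standing between the Internet and the inside network; lowering the outside interface to 0 is the intended design. To confirm the fix, "show nat" should now show translate_hits climbing for the 10.2.1.0/24 entry, and "packet-tracer input inside icmp 10.2.1.2 8 0 1.1.1.1" walks the flow through the route, NAT and ACL phases and reports which phase drops it if anything is still wrong.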
03-02-2009 01:02 PM
Thank you guys! It worked!