Reverse Global and NAT statements...can this work??

Answered Question
Jun 6th, 2009

This is what I'm trying to do: on an ASA5510, can I configure global and nat statements in reverse? Instead of:


global (outside) 98 10.153.98.1

nat (inside) 98 10.255.0.0 255.255.0.0


I'm trying to get this to work:


global (inside) 98 10.153.98.1

nat (outside) 98 10.255.0.0 255.255.0.0


As of right now it doesn't work. I can get this to work with a static NAT. Any ideas? Is this even possible?




Correct Answer
Jon Marshall Sat, 06/06/2009 - 10:11

Alex


Should work. Try modifying nat line to


nat (outside) 98 10.255.0.0 255.255.0.0 outside


Jon

Kureli Sankar Sun, 06/07/2009 - 12:08

Alex,


What is the security level for these interfaces? Same security?


Please read here: http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/cfgnat.html#wp1042673


Logically what you are trying to do should work even if it is same security.


Now, you need to provide translation for the other way as well; that is why your static works (static is bi-directional) and nat/global is not.


global (inside) 98 10.153.98.1

nat (outside) 98 10.255.0.0 255.255.0.0


you also need


nat (inside) 1 10.153.98.0 255.255.255.0

global (outside) 1 interface



#######################################


If outside security is lower than the inside, then you need the "outside" keyword to translate from low to high.


http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/no.html#wp1737858


outside (Optional) If this interface is on a lower security level than the interface you identify by the matching global statement, then you must enter outside. This feature is called outside NAT or bidirectional NAT.


-KS
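
An added example, not part of the thread and not Cisco's code: a Python check that pairs pre-8.3 nat and global lines by NAT ID and flags a nat whose interface has a lower security level than its matching global but lacks the outside keyword, the condition quoted from the command reference above. The sample config is constructed, its security levels (outside 0, inside 100) are assumed because the thread never states them, and `audit_nat` is a hypothetical name.

```python
import re

# Constructed sample config (pre-8.3 ASA syntax). The security levels are
# assumed: the thread never states them.
SAMPLE = """\
interface Ethernet0/0
 nameif outside
 security-level 0
interface Ethernet0/1
 nameif inside
 security-level 100
global (outside) 1 interface
nat (inside) 1 10.153.98.0 255.255.255.0
global (inside) 98 10.153.98.1
nat (outside) 98 10.255.0.0 255.255.0.0
"""

def audit_nat(config):
    """Pair nat/global lines by NAT ID and report lines that cannot translate."""
    levels, globals_, nats, name = {}, {}, [], None
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"nameif (\S+)", line):
            name = m.group(1)
        elif m := re.match(r"security-level (\d+)", line):
            if name:
                levels[name] = int(m.group(1))
        elif m := re.match(r"global \((\S+)\) (\d+) ", line):
            globals_.setdefault(m.group(2), []).append(m.group(1))
        elif m := re.match(r"nat \((\S+)\) (\d+) (.*)", line):
            nats.append((m.group(1), m.group(2), m.group(3).split(), line))
    findings = []
    for src_if, nat_id, args, line in nats:
        if nat_id == "0":
            continue  # NAT ID 0 is NAT exemption/identity and has no global
        mapped = globals_.get(nat_id, [])
        if not mapped:
            findings.append(f"no global for NAT ID {nat_id}: {line}")
        for dst_if in mapped:
            src, dst = levels.get(src_if), levels.get(dst_if)
            if src is None or dst is None:
                findings.append(f"unknown security level: {line}")
            elif src < dst and "outside" not in args:
                # Low-to-high translation needs the trailing "outside" keyword
                findings.append(f"missing 'outside' keyword: {line}")
    return findings
```

Run against the constructed sample, it reports only the `nat (outside) 98` line; appending `outside` to that line, as in Jon's answer, clears the finding.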








