Reverse Global and NAT statements...can this work??

Answered Question
Jun 6th, 2009

This is what I'm trying to do. On an ASA5510, can I configure global and nat statements but in reverse? Instead of:

global (outside) 98 10.153.98.1

nat (inside) 98 10.255.0.0 255.255.0.0

I'm trying to get this to work:

global (inside) 98 10.153.98.1

nat (outside) 98 10.255.0.0 255.255.0.0

As of right now it doesn't work. I can get this to work with a static NAT. Any ideas? Is this even possible?

Correct Answer
Jon Marshall Sat, 06/06/2009 - 10:11

Alex

Should work. Try modifying nat line to

nat (outside) 98 10.255.0.0 255.255.0.0 outside

Jon

Kureli Sankar Sun, 06/07/2009 - 12:08

Alex,

What is the security level for these interfaces? Same security?

Please read here: http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/cfgnat.html#wp1042673

Logically what you are trying to do should work even if it is same security.

Now, you need to provide translation for the other way as well; that is why your static works (static is bi-directional, and nat/global is not).

global (inside) 98 10.153.98.1

nat (outside) 98 10.255.0.0 255.255.0.0

You also need

nat (inside) 1 10.153.98.0 255.255.255.0

global (outside) 1 interface

#######################################

If outside security is lower than the inside, then you need the "outside" keyword to translate from low to high.

http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/no.html#wp1737858

outside (Optional) If this interface is on a lower security level than the interface you identify by the matching global statement, then you must enter outside. This feature is called outside NAT or bidirectional NAT.

-KS
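Added example, not part of the thread or of Cisco's documentation: a small Python check that applies the rule quoted above to a pre-8.3 style ASA configuration and reports each `nat` line that sits on a lower-security interface than its matching `global` but lacks the `outside` keyword. The sample configuration is constructed, and the security levels in it (outside 0, inside 100) are an assumption, since the thread never states them.

```python
import re

NAT_RE = re.compile(r"^nat \((\S+)\) (\d+) (\S+) (\S+)(.*)$")
GLOBAL_RE = re.compile(r"^global \((\S+)\) (\d+) ")

# Constructed sample; interface names and security levels are assumed.
SAMPLE = """\
interface Ethernet0/0
 nameif outside
 security-level 0
interface Ethernet0/1
 nameif inside
 security-level 100
global (inside) 98 10.153.98.1
nat (outside) 98 10.255.0.0 255.255.0.0
nat (inside) 1 10.153.98.0 255.255.255.0
global (outside) 1 interface
"""

def parse_levels(config):
    """Return {nameif: security-level} read from the interface blocks."""
    levels, name = {}, None
    for line in (l.strip() for l in config.splitlines()):
        if line.startswith("interface "):
            name = None                      # new block, forget previous nameif
        elif line.startswith("nameif "):
            name = line.split()[1]
        elif line.startswith("security-level ") and name:
            levels[name] = int(line.split()[1])
    return levels

def missing_outside_keyword(config):
    """List nat lines that need the 'outside' keyword but do not have it."""
    levels, globals_by_id, nats = parse_levels(config), {}, []
    for line in (l.strip() for l in config.splitlines()):
        g, n = GLOBAL_RE.match(line), NAT_RE.match(line)
        if g:
            globals_by_id.setdefault(g.group(2), []).append(g.group(1))
        if n:
            has_kw = "outside" in n.group(5).split()
            nats.append((line, n.group(1), n.group(2), has_kw))
    findings = []
    for line, ifc, nat_id, has_kw in nats:
        for gifc in globals_by_id.get(nat_id, []):
            known = ifc in levels and gifc in levels
            # Rule from the command reference: nat interface lower than global interface.
            if known and levels[ifc] < levels[gifc] and not has_kw:
                findings.append(line)
                break
    return findings
```
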
