06-06-2009 07:18 AM - edited 03-11-2019 08:40 AM
This is what I'm trying to do: on an ASA5510, can I configure global and nat statements but in reverse? Instead of:
global (outside) 98 10.153.98.1
nat (inside) 98 10.255.0.0 255.255.0.0
I'm trying to get this to work:
global (inside) 98 10.153.98.1
nat (outside) 98 10.255.0.0 255.255.0.0
As of right now it doesn't work. I can get this to work with a static NAT. Any ideas? Is this even possible?
06-06-2009 10:11 AM
Alex
Should work. Try modifying nat line to
nat (outside) 98 10.255.0.0 255.255.0.0 outside
Jon
06-07-2009 12:08 PM
Alex,
What is the security level for these interfaces? Same security?
Please read here: http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/cfgnat.html#wp1042673
Logically what you are trying to do should work even if it is same security.
Now, you need to provide translation for the other way as well; that is why your static works (static is bi-directional) and nat/global is not.
global (inside) 98 10.153.98.1
nat (outside) 98 10.255.0.0 255.255.0.0
you also need
nat (inside) 1 10.153.98.0 255.255.255.0
global (outside) 1 interface
#######################################
If outside security is lower than the inside, then you need the "outside" keyword to translate from low to high.
http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/no.html#wp1737858
outside (Optional) If this interface is on a lower security level than the interface you identify by the matching global statement, then you must enter outside. This feature is called outside NAT or bidirectional NAT.
-KS
06-08-2009 01:24 AM
KS,
Thank you as well.
06-08-2009 01:22 AM
Jon, this is working now. Thanks!
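
Added example, not part of any post in this thread: a small Python check that applies the rule quoted from the command reference above to a pre-8.3 ASA configuration and lists `nat` lines that need the `outside` keyword but lack it. The interface names, security levels and the function name `missing_outside_keyword` are assumptions made for illustration; the nat/global lines are the ones posted in the thread.

```python
import re

# Constructed sample: the interface blocks and security levels are assumed,
# the nat/global statements are the ones discussed in the thread.
SAMPLE = """\
interface Ethernet0/0
 nameif outside
 security-level 0
interface Ethernet0/1
 nameif inside
 security-level 100
global (inside) 98 10.153.98.1
nat (outside) 98 10.255.0.0 255.255.0.0
nat (inside) 1 10.153.98.0 255.255.255.0
global (outside) 1 interface
"""

def missing_outside_keyword(config):
    """Return nat lines that need the 'outside' keyword but do not have it."""
    levels, globals_by_id, nats = {}, {}, []
    name = None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            name = None  # new interface block, forget the previous nameif
        elif m := re.match(r"nameif (\S+)$", line):
            name = m.group(1)
        elif (m := re.match(r"security-level (\d+)$", line)) and name:
            levels[name] = int(m.group(1))
        elif m := re.match(r"global \((\S+)\) (\d+) ", line):
            globals_by_id.setdefault(m.group(2), []).append(m.group(1))
        elif m := re.match(r"nat \((\S+)\) (\d+) (.*)$", line):
            nats.append((m.group(1), m.group(2), m.group(3).split(), line))
    findings = []
    for real_if, nat_id, args, line in nats:
        if "outside" in args:
            continue  # keyword already present
        for mapped_if in globals_by_id.get(nat_id, []):
            known = real_if in levels and mapped_if in levels
            # Quoted rule: the nat interface is on a lower security level
            # than the interface of the matching global statement.
            if known and levels[real_if] < levels[mapped_if]:
                findings.append(line)
                break
    return findings
```

Run against the sample, it reports only the `nat (outside) 98` line, and reports nothing once that line carries the trailing `outside` keyword.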