Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
494
Views
0
Helpful
4
Replies

Reverse Global and NAT statements...can this work??

Go to solution
opers13
Level 1
Level 1

‎06-06-2009 07:18 AM - edited ‎03-11-2019 08:40 AM

this is what I'm trying to do..on an ASA5510 can I config global and nat statements but in reverse... instead of:

global (outside) 98 10.153.98.1

nat (inside) 98 10.255.0.0 255.255.0.0

I'm trying to get this to work:

global (inside) 98 10.153.98.1

nat (outside) 98 10.255.0.0 255.255.0.0

as of right now it doesn't work...I can get this to work with a static NAT....any ideas..is this even possible?

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Jon Marshall
Hall of Fame
Hall of Fame

‎06-06-2009 10:11 AM

Alex

Should work. Try modifying nat line to

nat (outside) 98 10.255.0.0 255.255.0.0 outside

Jon

View solution in original post

0 Helpful
4 Replies 4

Go to solution
Jon Marshall
Hall of Fame
Hall of Fame

‎06-06-2009 10:11 AM

Alex

Should work. Try modifying nat line to

nat (outside) 98 10.255.0.0 255.255.0.0 outside

Jon

0 Helpful

Go to solution
Kureli Sankar
Cisco Employee
Cisco Employee
In response to Jon Marshall

‎06-07-2009 12:08 PM

Alex,

What is the security level for these interfaces? Same security?

Pls. read here: http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/cfgnat.html#wp1042673

Logically what you are trying to do should work even if it is same security.

Now, you need to provide translation for the other way as well that is why your static works (static is bi-directional) and nat/global is not.

global (inside) 98 10.153.98.1

nat (outside) 98 10.255.0.0 255.255.0.0

you also need

nat (inside) 1 10.153.98.0 255.255.255.0

global (outside) 1 interface

#######################################

If outside security is lower than the inside the, you need the "outside" keyword to translate from low to high.

http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/no.html#wp1737858

outside (Optional) If this interface is on a lower security level than the interface you identify by the matching global statement, then you must enter outside. This feature is called outside NAT or bidirectional NAT.

-KS

0 Helpful

Go to solution
opers13
Level 1
Level 1
In response to Kureli Sankar

‎06-08-2009 01:24 AM

KS,

thank you as well..

0 Helpful

Go to solution
opers13
Level 1
Level 1
In response to Jon Marshall

‎06-08-2009 01:22 AM

Jon, this is working now..Thanks!!

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card