ASA 5505 Identity NAT

Unanswered Question
Jun 16th, 2009

Hi,

I'm having issues with static identity NAT on an ASA 5505.

We use VLAN 2 for the outside interface and VLAN 1 for the inside. The outside WAN is connected to Eth 0/0 and the inside to Eth 0/1. Then we have created 1-to-1 static identity NAT statements for each of the two servers. However, I'm now unsure how this will work in terms of the VLAN configuration on the ASA. If we put the inside interface into VLAN 2 we can ping the IPs of the servers; however, as they are at the same security level as the outside interface, no filtering takes place, even when we remove "same-security-traffic inter-interface".

Then if we add the inside interface to VLAN 1 the connection breaks, as traffic is not being routed between the VLANs.

e.g.

interface Vlan2
 nameif outside
 security-level 0
 ip address 1.1.1.1 255.255.255.0
!
interface Vlan1
 nameif inside
 security-level 100
 no ip address
!
static (inside,outside) 1.1.1.2 1.1.1.2 netmask 255.255.255.255
static (inside,outside) 1.1.1.3 1.1.1.3 netmask 255.255.255.255
!
interface Ethernet0/0
 description Outside Interface
 switchport access vlan 2
 speed 10
 duplex full
!
interface Ethernet0/1
 description Servers
 switchport access vlan 2
!
access-list ouside blah......

Any ideas would help, thanks!

Jon Marshall Tue, 06/16/2009 - 01:07

Patrick

If 1.1.1.0/24 is the outside interface address, then what is the IP subnet for VLAN 1? You don't have an IP address assigned to VLAN 1, i.e.:

interface Vlan1
 nameif inside
 security-level 100
 no ip address

Also, your static statements:

static (inside,outside) 1.1.1.2 1.1.1.2 netmask 255.255.255.255

but 1.1.1.2 is on the outside, not the inside. What I would expect to see is, e.g.:

vlan 1 subnet = 2.2.2.0/24

static (inside,outside) 2.2.2.2 2.2.2.2 netmask 255.255.255.255

Does this make sense?

Jon

francisco_1 Tue, 06/16/2009 - 01:15

static (inside,outside) [This should be your public ip address range on the outside interface] [this should be your inside ip address behind your inside interface] netmask 255.255.255.255

I suggest you post your configuration.
