ASA 5505 Identity NAT

Jun 16th, 2009

Hi,


I'm having issues with static identity NAT on an ASA 5505.


We use VLAN 2 for the outside interface and VLAN 1 for the inside. The outside WAN is connected to Eth 0/0 and the inside to Eth 0/1. Then we have created 1-to-1 static identity NAT statements for each of the two servers. However, I'm now unsure how this will work in terms of the VLAN configuration on the ASA. If we put the inside interface into VLAN 2 we can ping the IPs of the servers; however, as they are in the same security level as the outside interface, no filtering takes place, even when we remove "same-security-traffic inter-interface".

Then if we add the inside interface to VLAN 1, the connection breaks as traffic is not being routed between the VLANs.


e.g.

interface Vlan2
 nameif outside
 security-level 0
 ip address 1.1.1.1 255.255.255.0
!
interface Vlan1
 nameif inside
 security-level 100
 no ip address
!
static (inside,outside) 1.1.1.2 1.1.1.2 netmask 255.255.255.255
static (inside,outside) 1.1.1.3 1.1.1.3 netmask 255.255.255.255
!
interface Ethernet0/0
 description Outside Interface
 switchport access vlan 2
 speed 10
 duplex full
!
interface Ethernet0/1
 description Servers
 switchport access vlan 2
!
access-list ouside blah......


Any ideas would help, thanks!



Jon Marshall Tue, 06/16/2009 - 01:07

Patrick


If 1.1.1.0/24 is the outside interface address, then what is the IP subnet for VLAN 1? You don't have an IP address assigned to VLAN 1, i.e.:


interface Vlan1
 nameif inside
 security-level 100
 no ip address


Also, your static statements:


static (inside,outside) 1.1.1.2 1.1.1.2 netmask 255.255.255.255


but 1.1.1.2 is on the outside, not the inside. What I would expect to see is, e.g.:


vlan 1 subnet = 2.2.2.0/24


static (inside,outside) 2.2.2.2 2.2.2.2 netmask 255.255.255.255


Does this make sense?


Jon

francisco_1 Tue, 06/16/2009 - 01:15

static (inside,outside) [This should be your public ip address range on the outside interface] [this should be your inside ip address behind your inside interface] netmask 255.255.255.255


I suggest you post your configuration.
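The layout Jon and francisco_1 describe, written out as a complete pre-8.3 (8.2-style) ASA 5505 configuration so the two pieces can be seen together: the inside VLAN gets its own subnet, Eth0/1 is moved into that VLAN, and the identity NAT entries refer to the servers' real inside addresses. This is an added example, not configuration from the thread or from Cisco. The inside subnet 2.2.2.0/24, the addresses 2.2.2.1, 2.2.2.2 and 2.2.2.3, the upstream gateway 1.1.1.254, the ACL name outside_in and the ports are assumptions.

```cisco
! --- Added example configuration (assumed addressing, not from the thread) ---
!
! Outside: VLAN 2 on Eth0/0, public /24 as in the original post
interface Vlan2
 nameif outside
 security-level 0
 ip address 1.1.1.1 255.255.255.0
!
! Inside: VLAN 1 needs its own subnet (assumed 2.2.2.0/24) so the ASA can route
interface Vlan1
 nameif inside
 security-level 100
 ip address 2.2.2.1 255.255.255.0
!
interface Ethernet0/0
 description Outside Interface
 switchport access vlan 2
 speed 10
 duplex full
!
! The server port belongs in the inside VLAN, not VLAN 2
interface Ethernet0/1
 description Servers
 switchport access vlan 1
!
! Identity NAT (Jon's form): real inside address mapped to itself on the outside.
! Pre-8.3 syntax is: static (real_ifc,mapped_ifc) mapped_ip real_ip
static (inside,outside) 2.2.2.2 2.2.2.2 netmask 255.255.255.255
static (inside,outside) 2.2.2.3 2.2.2.3 netmask 255.255.255.255
!
! Alternative (francisco_1's form): give each server a public address instead.
! Use one style or the other for a given server, not both.
! static (inside,outside) 1.1.1.2 2.2.2.2 netmask 255.255.255.255
! static (inside,outside) 1.1.1.3 2.2.2.3 netmask 255.255.255.255
!
! Pre-8.3 ACLs on the outside match the MAPPED address. With identity NAT that
! is the real address; with the public-address form it would be 1.1.1.2/1.1.1.3.
access-list outside_in extended permit tcp any host 2.2.2.2 eq 80
access-list outside_in extended permit tcp any host 2.2.2.3 eq 443
access-group outside_in in interface outside
!
! Default route towards the assumed upstream gateway
route outside 0.0.0.0 0.0.0.0 1.1.1.254 1
```

Two checks are worth running before blaming NAT. First, "packet-tracer input outside tcp 5.5.5.5 12345 2.2.2.2 80" (the source address is an arbitrary test value) walks the flow through routing, ACL and NAT phases and shows which phase drops it; "show xlate" confirms the static translations exist. Second, identity NAT only makes 2.2.2.2 reachable from the Internet if the upstream router actually routes 2.2.2.0/24 to 1.1.1.1; if the provider has only handed you 1.1.1.0/24, the public-address form in the commented lines is the one to use. Note also that on 8.2 with nat-control disabled (the default) no NAT entry is required at all for traffic to pass; the identity static is still useful to stop a broader dynamic NAT from catching the servers, but it is the ACL and the security levels, not the static, that provide the filtering the post is missing.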
