ASA 5505 Identity NAT

ukgrid1977
Level 1

Hi,

I'm having issues with static identity NAT on an ASA 5505.

We use VLAN 2 for the outside interface and VLAN 1 for the inside. The outside WAN is connected to Eth 0/0 and the inside to Eth 0/1. Then we have created 1 to 1 static identity NAT statements for each of the two servers. However, I'm now unsure how this will work in terms of the VLAN configuration on the ASA. If we put the inside interface into VLAN 2 we can ping the IPs of the servers; however, as they are in the same security level as the outside interface, no filtering takes place, even when we remove "same-security-traffic inter-interface".

Then, if we add the inside interface to VLAN 1, the connection breaks as traffic is not being routed between the VLANs.

e.g.

interface Vlan2
 nameif outside
 security-level 0
 ip address 1.1.1.1 255.255.255.0
!
interface Vlan1
 nameif inside
 security-level 100
 no ip address
!
static (inside,outside) 1.1.1.2 1.1.1.2 netmask 255.255.255.255
static (inside,outside) 1.1.1.3 1.1.1.3 netmask 255.255.255.255
!
!
interface Ethernet0/0
 description Outside Interface
 switchport access vlan 2
 speed 10
 duplex full
!
!
interface Ethernet0/1
 description Servers
 switchport access vlan 2
!
access-list ouside blah......

Any ideas would help, thanks!

3 Replies

Jon Marshall
Hall of Fame

Patrick

If 1.1.1.0/24 is the outside interface address, then what is the IP subnet for vlan 1? You don't have an IP address assigned to vlan 1, i.e. -

interface Vlan1
 nameif inside
 security-level 100
 no ip address

Also your static statements -

static (inside,outside) 1.1.1.2 1.1.1.2 netmask 255.255.255.255

but 1.1.1.2 is on the outside, not the inside. What I would expect to see is e.g.

vlan 1 subnet = 2.2.2.0/24

static (inside,outside) 2.2.2.2 2.2.2.2 netmask 255.255.255.255

Does this make sense?

Jon

static (inside,outside) [this should be your public IP address range on the outside interface] [this should be your inside IP address behind your inside interface] netmask 255.255.255.255

Suggest you post your configuration.
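Putting Jon's answer and the reply above together, here is a constructed example configuration; it is not from the thread and not Jon's or Cisco's. It assumes the two servers are readdressed onto an inside subnet 2.2.2.0/24 (ASA inside address 2.2.2.1, servers 2.2.2.2 and 2.2.2.3), the public addresses 1.1.1.2 and 1.1.1.3 stay on the outside /24, and the pre-8.3 static syntax used in the thread; the ACL name outside_in and port 443 are placeholders.

```cisco
! Constructed example, not from the thread. Assumptions: inside subnet 2.2.2.0/24,
! ASA inside address 2.2.2.1, servers 2.2.2.2 and 2.2.2.3, public addresses
! 1.1.1.2 and 1.1.1.3 on the outside /24, pre-8.3 "static" syntax.
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 1.1.1.1 255.255.255.0
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 2.2.2.1 255.255.255.0
!
interface Ethernet0/0
 description Outside Interface
 switchport access vlan 2
 speed 10
 duplex full
!
interface Ethernet0/1
 description Servers
 switchport access vlan 1
!
! Public (mapped) address on the left, real server address on the right.
static (inside,outside) 1.1.1.2 2.2.2.2 netmask 255.255.255.255
static (inside,outside) 1.1.1.3 2.2.2.3 netmask 255.255.255.255
!
! Pre-8.3: the inbound ACL on outside matches the mapped (public) address.
! Only the services the servers expose are permitted; the rest is dropped
! by the implicit deny, which is the filtering the original question was missing.
access-list outside_in extended permit tcp any host 1.1.1.2 eq 443
access-list outside_in extended permit tcp any host 1.1.1.3 eq 443
access-group outside_in in interface outside
!
! Hosts in VLAN 1 use the ASA inside address 2.2.2.1 as their default gateway.
```

With the servers on VLAN 1 behind security-level 100, traffic from outside is only what the ACL allows, which is why the interfaces must not share a VLAN or a security level.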

Hi Jon,

Yes it does, thanks.

Rgds
