06-16-2009 01:03 AM - edited 03-11-2019 08:43 AM
Hi,
I'm having issues with static identity NAT on an ASA 5505.
We use VLAN 2 for the outside interface and VLAN 1 for the inside. The outside WAN is connected to Eth 0/0 and the inside to Eth 0/1. Then we have created 1 to 1 static identity NAT statements for each of the two servers. However, I'm now unsure how this will work in terms of the VLAN configuration on the ASA. If we put the inside interface into VLAN 2 we can ping the IPs of the servers; however, as they are in the same security level as the outside interface, no filtering takes place, even when we remove "same-security-traffic inter-interface".
Then if we add the inside interface to VLAN 1, the connection breaks as traffic is not being routed between the VLANs.
e.g.
interface Vlan2
nameif outside
security-level 0
ip address 1.1.1.1 255.255.255.0
!
interface Vlan1
nameif inside
security-level 100
no ip address
!
static (inside,outside) 1.1.1.2 1.1.1.2 netmask 255.255.255.255
static (inside,outside) 1.1.1.3 1.1.1.3 netmask 255.255.255.255
!
!
interface Ethernet0/0
description Outside Interface
switchport access vlan 2
speed 10
duplex full
!
!
interface Ethernet0/1
description Servers
switchport access vlan 2
!
access-list ouside blah......
Any ideas would help, thanks!
06-16-2009 01:07 AM
Patrick
If 1.1.1.0/24 is the outside interface address then what is the IP subnet for vlan 1? You don't have an IP address assigned to vlan 1, i.e. -
interface Vlan1
nameif inside
security-level 100
no ip address
Also your static statements -
static (inside,outside) 1.1.1.2 1.1.1.2 netmask 255.255.255.255
but 1.1.1.2 is on the outside, not the inside. What I would expect to see is, e.g.
vlan 1 subnet = 2.2.2.0/24
static (inside,outside) 2.2.2.2 2.2.2.2 netmask 255.255.255.255
Does this make sense?
Jon
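A check for the mismatch pointed out above, as an added example that is not part of the original posts: it reads pre-8.3 `static` lines and reports any whose real address does not sit behind the real (first-named) interface. The function names and the sample string are constructed for illustration; it assumes no routed networks behind an interface and ignores port and access-list statics.

```python
import ipaddress
import re

# Constructed sample: interface and static lines from the question, trimmed.
SAMPLE_CONFIG = """\
interface Vlan2
 nameif outside
 ip address 1.1.1.1 255.255.255.0
!
interface Vlan1
 nameif inside
 no ip address
!
static (inside,outside) 1.1.1.2 1.1.1.2 netmask 255.255.255.255
static (inside,outside) 1.1.1.3 1.1.1.3 netmask 255.255.255.255
"""

# Pre-8.3 form: static (real_ifc,mapped_ifc) mapped_ip real_ip netmask mask
STATIC_RE = re.compile(r"^static \((\S+),(\S+)\) (\S+) (\S+) netmask \S+", re.M)

def parse_interfaces(config):
    """Return {nameif: connected IPv4Network, or None when no address is set}."""
    nets, name = {}, None
    for line in config.splitlines():
        w = line.split()
        if w[:1] == ["interface"]:
            name = None
        elif w[:1] == ["nameif"] and len(w) == 2:
            name = w[1]
            nets[name] = None
        elif name and w[:2] == ["ip", "address"] and len(w) >= 4 and w[2][0].isdigit():
            nets[name] = ipaddress.ip_network(f"{w[2]}/{w[3]}", strict=False)
    return nets

def audit_statics(config):
    """Flag unaddressed interfaces and statics whose real IP is on the wrong side.
    Assumption: no routed networks sit behind the real interface."""
    nets = parse_interfaces(config)
    findings = [f"{n}: nameif without ip address" for n, net in nets.items() if net is None]
    for real_if, mapped_if, _mapped_ip, real_ip in STATIC_RE.findall(config):
        real, near, far = ipaddress.ip_address(real_ip), nets.get(real_if), nets.get(mapped_if)
        if far is not None and real in far:
            findings.append(f"static {real_ip}: real address lies in the {mapped_if} subnet {far}")
        elif near is None or real not in near:
            findings.append(f"static {real_ip}: real address not in the {real_if} subnet")
    return findings

if __name__ == "__main__":
    for finding in audit_statics(SAMPLE_CONFIG):
        print(finding)
```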
06-16-2009 01:15 AM
static (inside,outside) [This should be your public ip address range on the outside interface] [this should be your inside ip address behind your inside interface] netmask 255.255.255.255
Suggest you post your configuration.
06-16-2009 01:28 AM
Hi Jon,
Yes it does, thanks.
Rgds