Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
428
Views
5
Helpful
4
Replies

Bidirectional NAT works, but.....

opers13
Level 1
Level 1

‎06-16-2009 01:50 AM - edited ‎03-11-2019 08:43 AM

with my last post, I got bidirectional nat to work from outside -> inside. Config below:

global (inside) 99 10.153.99.1

nat (outside) 99 10.148.12.0 255.255.255.0 outside

Now, the problem is getting NAT to work from inside -> outside. This is the error message:

%ASA-3-305005: No translation group found for icmp src inside:10.153.13.18 dst....

So when I config the following everything breaks: (meaning NAT in any direction stops working)

global (outside) 1 interface

nat (inside) 1 10.153.0.0 255.255.0.0

nat-control is disabled.

thanks in advance!

Labels:
0 Helpful
4 Replies 4

Jon Marshall
Hall of Fame
Hall of Fame

‎06-16-2009 02:06 AM

Alex

global (inside) 99 10.153.99.1

nat (outside) 99 10.148.12.0 255.255.255.0 outside

this not bi-directional NAT. What it does is translate any incoming 10.148.12.x address on the outside to 10.153.99.1 on the inside

Regardless, i'm not sure why your'e other nat is not working.

Try

1) removing both NAT statements. Then apply

nat (inside) 1 10.153.0.0 255.255.0.0

global (outside) 1 interface

and then

global (inside) 99 10.153.99.1

nat (outside) 99 10.148.12.0 255.255.255.0 outside

Don't forget to do a clear xlate when you make NAT changes.

Also your ping, what device are you pinging and is it located on the outside of the ASA ?

Jon

Jon

0 Helpful

opers13
Level 1
Level 1
In response to Jon Marshall

‎06-16-2009 02:17 AM

Hi Jon, below is from cisco.com

"outside (Optional) If this interface is on a lower security level than the interface you identify by the matching global statement, then you must enter outside. This feature is called outside NAT or bidirectional NAT."

anyway, you think by applying the statements in different order could be the issue? I'm trying to ping a device on the outside.

I will give it a try..thanks!

Jon Marshall
Hall of Fame
Hall of Fame
In response to opers13

‎06-16-2009 02:22 AM

Alex

I stand corrected :-) - +5

Jon

0 Helpful

opers13
Level 1
Level 1
In response to Jon Marshall

‎06-22-2009 10:52 AM

Jon,

got this to work with the following:

Enabled same-security level:

same-security-traffic permit inter-interface

Changed security-level from 0 to 100

interface Ethernet0/2

speed 100

duplex full

nameif test

security-level 100

ip address 10.153.0.205 255.255.255.252

Added NAT 0:

nat (test) 0 access-list nonat

access-list nonat extended permit ip any any

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card