06-16-2009 01:50 AM - edited 03-11-2019 08:43 AM
With my last post, I got bidirectional NAT to work from outside -> inside. Config below:
global (inside) 99 10.153.99.1
nat (outside) 99 10.148.12.0 255.255.255.0 outside
Now, the problem is getting NAT to work from inside -> outside. This is the error message:
%ASA-3-305005: No translation group found for icmp src inside:10.153.13.18 dst....
So when I configure the following, everything breaks (meaning NAT in any direction stops working):
global (outside) 1 interface
nat (inside) 1 10.153.0.0 255.255.0.0
nat-control is disabled.
Thanks in advance!
06-16-2009 02:06 AM
Alex
global (inside) 99 10.153.99.1
nat (outside) 99 10.148.12.0 255.255.255.0 outside
This is not bi-directional NAT. What it does is translate any incoming 10.148.12.x address on the outside to 10.153.99.1 on the inside.
Regardless, I'm not sure why your other NAT is not working.
Try
1) removing both NAT statements. Then apply
nat (inside) 1 10.153.0.0 255.255.0.0
global (outside) 1 interface
and then
global (inside) 99 10.153.99.1
nat (outside) 99 10.148.12.0 255.255.255.0 outside
Don't forget to do a clear xlate when you make NAT changes.
Also, your ping: what device are you pinging, and is it located on the outside of the ASA?
Jon
06-16-2009 02:17 AM
Hi Jon, below is from cisco.com
"outside (Optional) If this interface is on a lower security level than the interface you identify by the matching global statement, then you must enter outside. This feature is called outside NAT or bidirectional NAT."
Anyway, you think applying the statements in a different order could be the issue? I'm trying to ping a device on the outside.
I will give it a try. Thanks!
06-16-2009 02:22 AM
Alex
I stand corrected :-) - +5
Jon
06-22-2009 10:52 AM
Jon,
Got this to work with the following:
Enabled same-security level:
same-security-traffic permit inter-interface
Changed security-level from 0 to 100
interface Ethernet0/2
 speed 100
 duplex full
 nameif test
 security-level 100
 ip address 10.153.0.205 255.255.255.252
Added NAT 0:
nat (test) 0 access-list nonat
access-list nonat extended permit ip any any