ASA 5505 and some strange configuration

Unanswered Question
Jan 28th, 2010

Hi.

I'm trying to set up an ASA 5505 with some kind of strange NAT.

This is the situation right now:

net inside ---------------[ASA 5505]---------------[ISP router]
(192.1.2.0/24)    192.1.2.253 | 75.XXX.XXX.61      75.XXX.XXX.57
                              |
                              |
                        [cisco device]-------------net vpn
                                                   (192.168.200.0/24)


Between the cisco device and my asa there's a vpn and it's working great.

What I wanted to do was to NAT everything coming from the net vpn (192.168.200.0/24) to the inside interface on the ASA.

I did it and it works.

But what I cannot make work is this: from my net (192.1.2.0/24) I cannot ping any host on the net vpn (192.168.200.0/24).


In the config I did this:

access-list nonat extended permit ip 192.1.2.0 255.255.255.0 192.168.200.0 255.255.255.0
access-list outside_crypto_map_20 extended permit ip 192.1.2.0 255.255.255.0 192.168.200.0 255.255.255.0

global (inside) 2 interface
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
nat (outside) 2 192.168.200.0 255.255.255.0 outside

Thanks for the help.

Pier

pudawat Thu, 01/28/2010 - 17:04

It seems that you are using OUTSIDE NAT to PAT all the traffic coming from the client network 192.168.200.x to the inside interface IP.

Whenever any host from the 192.168.200.x network initiates a connection to the inside network, an XLATE entry is created in the firewall, and the client can access anything on the inside network since the firewall is a stateful device.

But if someone tries to initiate a connection from the inside network to the client network 192.168.200.x, it cannot find the IP based on port-based translations, so it will work only one way!

Regards,

Pradhuman
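As an added illustration of the one-way behaviour Pradhuman describes (example code written for this page, not from the thread or from Cisco): a toy xlate table for the outside PAT in Pier's config, using the two addresses from his config and constructed hosts, ports and packets.

```python
# Added example, not from the thread: a toy model of the stateful dynamic PAT
# Pradhuman describes. The VPN network 192.168.200.0/24 is PAT'd to the ASA
# inside interface address 192.1.2.253 (both taken from the config above);
# the host addresses, ports and "packets" below are constructed.
import ipaddress

VPN_NET = ipaddress.ip_network("192.168.200.0/24")
PAT_IP = "192.1.2.253"


class OutsidePat:
    """Dynamic PAT of VPN hosts to one address, with an ASA-style xlate table."""

    def __init__(self, first_port=1024):
        self.next_port = first_port
        self.xlates = {}    # (real_ip, real_port) -> mapped port on PAT_IP
        self.reverse = {}   # mapped port -> (real_ip, real_port)

    def from_vpn(self, src_ip, src_port, dst_ip, dst_port):
        """VPN host initiates: an xlate is built on demand and the packet
        leaves the inside interface sourced from PAT_IP."""
        if ipaddress.ip_address(src_ip) not in VPN_NET:
            return ("DROP", "source not in the outside NAT pool")
        key = (src_ip, src_port)
        if key not in self.xlates:
            self.xlates[key] = self.next_port
            self.reverse[self.next_port] = key
            self.next_port += 1
        return ("PASS", (PAT_IP, self.xlates[key], dst_ip, dst_port))

    def from_inside(self, src_ip, src_port, dst_ip, dst_port):
        """Inside host sends toward the VPN side. Reply traffic addressed to
        PAT_IP hits an existing xlate and is untranslated; a fresh connection
        to a real 192.168.200.x address has no xlate, so the ASA has no
        translation to apply and the packet goes nowhere."""
        if dst_ip == PAT_IP and dst_port in self.reverse:
            real_ip, real_port = self.reverse[dst_port]
            return ("PASS", (src_ip, src_port, real_ip, real_port))
        if ipaddress.ip_address(dst_ip) in VPN_NET:
            return ("DROP", "no xlate for destination; dynamic PAT is one-way")
        return ("PASS", (src_ip, src_port, dst_ip, dst_port))


def demo():
    """Walk the two directions from the thread and return the verdicts.
    Ports 1/1 stand in for the ICMP identifier of Pier's ping."""
    asa = OutsidePat()
    ping_out = asa.from_inside("192.1.2.10", 1, "192.168.200.10", 1)   # fails
    client = asa.from_vpn("192.168.200.10", 40000, "192.1.2.10", 80)   # works
    _, (pat_ip, pat_port, srv_ip, srv_port) = client
    reply = asa.from_inside(srv_ip, srv_port, pat_ip, pat_port)          # works
    return ping_out[0], client[0], reply[0], reply[1]
```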

pierguido75 Thu, 01/28/2010 - 23:24

Thank you... that was what I was thinking too.

But if something is coming from the inside net, shouldn't it match the nat 0 access-list?

And then don't apply nat on those packets?


Pier
