ASA 5505 and some strange configuration

Jan 28th, 2010

Hi.

I'm trying to set up an ASA 5505 with some kind of strange NAT.

This is the situation right now:

net inside ---------------------[ASA 5505]----------------------------[ISP router]
(192.1.2.0/24)         192.1.2.253   |   75.XXX.XXX.61             75.XXX.XXX.57
                                     |
                                     |
                              [cisco device]----------------------- net vpn
                                                                   (192.168.200.0/24)

Between the cisco device and my asa there's a vpn and it's working great.

What I wanted to do was to NAT everything coming from the net vpn (192.168.200.0/24) to the inside interface on the ASA.

I did it and it works.

But what I cannot make work is that from my net (192.1.2.0/24) I cannot ping any host on the net vpn (192.168.200.0/24).


In the config I did this:


access-list nonat extended permit ip 192.1.2.0 255.255.255.0 192.168.200.0 255.255.255.0
access-list outside_crypto_map_20 extended permit ip 192.1.2.0 255.255.255.0 192.168.200.0 255.255.255.0

global (inside) 2 interface
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
nat (outside) 2 192.168.200.0 255.255.255.0 outside


Thanks for the help.

Pier

pudawat Thu, 01/28/2010 - 17:04

It seems that you are using OUTSIDE NAT to PAT all the traffic coming from the client network 192.168.200.x to the inside interface IP.


Whenever any host from the 192.168.200.x network initiates a connection to the inside network, an XLATE entry is created in the firewall and the client can access anything on the inside network, since the firewall is a stateful device.


But if someone tries to initiate a connection from the inside network to the client network 192.168.200.x, it cannot find the IP based on port-based translations, so it will work only one way!


Regards,

Pradhuman
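
A toy model of the stateful PAT behaviour Pradhuman describes, added here as an illustration of the one-way effect; it is not ASA code, and the host addresses and PAT port numbers are constructed from the thread.

```python
from ipaddress import ip_address, ip_network

INSIDE_NET = ip_network("192.1.2.0/24")     # net inside
VPN_NET = ip_network("192.168.200.0/24")    # net vpn
INSIDE_IF_IP = "192.1.2.253"                # "global (inside) 2 interface"

class PatFirewall:
    """Toy stateful firewall: dynamic PAT entries live in `dynamic`, keyed by the
    real (VPN-side) address and port; `static` would hold bidirectional entries,
    and the configuration in the thread defines none."""
    def __init__(self):
        self.dynamic = {}        # (real_ip, real_port) -> (mapped_ip, mapped_port)
        self.static = {}         # real_ip -> mapped_ip (empty for this config)
        self.next_port = 1024    # first PAT port handed out (constructed value)

    def vpn_initiates(self, src_ip, src_port, dst_ip):
        """Connection from the VPN net toward inside: matches 'nat (outside) 2'."""
        if ip_address(src_ip) not in VPN_NET or ip_address(dst_ip) not in INSIDE_NET:
            return None
        key = (src_ip, src_port)
        if key not in self.dynamic:                 # first packet builds the xlate
            self.dynamic[key] = (INSIDE_IF_IP, self.next_port)
            self.next_port += 1
        return self.dynamic[key]                    # what the inside host sees as source

    def inside_replies(self, mapped_ip, mapped_port):
        """Reply from inside: only an existing xlate lets it back to the VPN host."""
        for real, mapped in self.dynamic.items():
            if mapped == (mapped_ip, mapped_port):
                return real
        return None

    def inside_initiates(self, src_ip, dst_ip):
        """Inside host opens a connection to a VPN host. 'nat (inside) 0' exempts the
        source, but the destination is looked up only in bidirectional entries: the
        dynamic PAT entries are per connection and none is static here."""
        if ip_address(src_ip) not in INSIDE_NET or ip_address(dst_ip) not in VPN_NET:
            return False
        return dst_ip in self.static                # False: no bidirectional entry

def demo():
    fw = PatFirewall()
    seen = fw.vpn_initiates("192.168.200.10", 40000, "192.1.2.20")   # VPN host -> inside
    back = fw.inside_replies(*seen)                                  # inside reply -> VPN host
    ping = fw.inside_initiates("192.1.2.20", "192.168.200.10")       # inside -> VPN host
    return seen, back, ping

if __name__ == "__main__":
    print(demo())   # (('192.1.2.253', 1024), ('192.168.200.10', 40000), False)
```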

pierguido75 Thu, 01/28/2010 - 23:24

Thank you... that was what I was thinking too.

But if something is coming from the inside net, shouldn't it match the nat 0 access-list?

And then not apply NAT to those packets?

Pier
