01-28-2010 09:52 AM
Hi.
I'm trying to set up an ASA 5505 with some kind of strange NAT.
This is the situation right now:
net inside ----------------------------[ASA 5505]-----------------------------[ISP router]
(192.1.2.0/24)               192.1.2.253 | 75.XXX.XXX.61               75.XXX.XXX.57
                                         |
                                         |
                                         |
                                   [cisco device]---------------------- net vpn
                                                                       (192.168.200.0/24)
Between the cisco device and my ASA there's a VPN and it's working great.
What I wanted to do was to NAT everything coming from the net vpn (192.168.200.0/24) to the inside interface on the ASA.
I did it and it works.
But what I cannot make work is this: from my net (192.1.2.0/24) I cannot ping any host on the net vpn (192.168.200.0/24).
In the config I did this:
access-list nonat extended permit ip 192.1.2.0 255.255.255.0 192.168.200.0 255.255.255.0
access-list outside_crypto_map_20 extended permit ip 192.1.2.0 255.255.255.0 192.168.200.0 255.255.255.0
global (inside) 2 interface
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
nat (outside) 2 192.168.200.0 255.255.255.0 outside
Thanks for the help.
Pier
01-28-2010 05:04 PM
It seems that you are using OUTSIDE NAT to PAT all the traffic coming from the client network 192.168.200.x to the inside interface IP.
Whenever any host from the 192.168.200.x network initiates a connection to the inside network, an XLATE entry is created in the firewall and the client can access anything on the inside network, since the firewall is a stateful device.
But if someone tries to initiate a connection from the inside network to the client network 192.168.200.x, it cannot find the IP based on port-based translations, so it will work only one way!
Regards,
Pradhuman
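A constructed model of the one-way xlate behaviour Pradhuman describes, added here as an example; it is not code from this thread or from Cisco, and the table, the port range and the static mapping are assumptions. It shows why a dynamic PAT entry exists only after the translated side initiates, while a static (identity) mapping is present up front and therefore works in both directions.

```python
# Constructed model of a stateful PAT table (not ASA code).
# Dynamic PAT entries are created on demand by the translated side;
# static entries are installed in advance and are bidirectional.

class PatTable:
    def __init__(self, pat_ip, first_port=1024):
        self.pat_ip = pat_ip      # interface IP used for PAT (192.1.2.253 in the thread)
        self.next_port = first_port
        self.fwd = {}             # (real_ip, real_port) -> mapped_port
        self.rev = {}             # mapped_port -> (real_ip, real_port)
        self.static = {}          # real_ip -> mapped_ip, valid in both directions

    def add_static(self, real_ip, mapped_ip):
        """Install a static (here identity) mapping; no connection is needed first."""
        self.static[real_ip] = mapped_ip

    def initiate_from_translated_side(self, src_ip, src_port):
        """A 192.168.200.x host opens a connection toward inside: an xlate is built."""
        if src_ip in self.static:
            return (self.static[src_ip], src_port)
        key = (src_ip, src_port)
        if key not in self.fwd:
            port = self.next_port
            self.next_port += 1
            self.fwd[key] = port
            self.rev[port] = key
        return (self.pat_ip, self.fwd[key])

    def reply_to_mapped(self, mapped_port):
        """Return traffic matches the existing xlate, so the stateful path works."""
        return self.rev.get(mapped_port)

    def initiate_from_inside(self, dst_ip):
        """An inside host targets a real 192.168.200.x address.

        Only a static mapping can be looked up by real address; a dynamic PAT
        entry keyed by (ip, port) cannot be found for a new outbound flow.
        """
        for real_ip, mapped_ip in self.static.items():
            if real_ip == dst_ip:
                return mapped_ip
        return None  # no usable translation: this is the one-way case


if __name__ == "__main__":
    table = PatTable("192.1.2.253")
    print(table.initiate_from_translated_side("192.168.200.5", 40000))
    print(table.initiate_from_inside("192.168.200.5"))
    table.add_static("192.168.200.5", "192.168.200.5")
    print(table.initiate_from_inside("192.168.200.5"))
```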
01-28-2010 11:24 PM
Thank you... that was what I was thinking too.
But if something is coming from the inside net, shouldn't it match the nat 0 access-list?
And then NAT shouldn't be applied to those packets?
Pier