NAT and ASA 5505

Mar 26th, 2010

Hi, I am trying to pass from 192.168.202.77 (VLAN1) to the web interface 192.168.20.12 (VLAN4).

Here is the configuration:

!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.202.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address ***.***.***.*** 255.255.255.248
!
interface Vlan3
nameif dmz
security-level 50
no ip address
!
interface Vlan4
nameif wi-fi
security-level 60
ip address 192.168.20.1 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
switchport access vlan 3
!
interface Ethernet0/4
switchport access vlan 4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7

...

access-list inside_access_in extended permit tcp host 192.168.202.77 host 192.168.20.12
access-list wi-fi extended permit tcp host 192.168.20.12 host 192.168.202.77
...
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
access-group wi-fi in interface wi-fi
...
static (inside,wi-fi) 192.168.20.12 192.168.202.77 netmask 255.255.255.255
static (wi-fi,inside) 192.168.202.77 192.168.20.12 netmask 255.255.255.255
...

Please tell me, what is the problem?

Jithesh K Joy Fri, 03/26/2010 - 08:03

Hi,

If you want to access 192.168.20.12 from 192.168.202.77, static identity NAT can be used instead of the present static NAT config:

static (inside,wi-fi) 192.168.202.77  192.168.202.77 netmask 255.255.255.255
static (wi-fi,inside) 192.168.20.12  192.168.20.12 netmask 255.255.255.255

Regards

Joy

Jennifer Halim Fri, 03/26/2010 - 15:20

These lines are incorrect statements:

static (inside,wi-fi) 192.168.20.12 192.168.202.77 netmask 255.255.255.255
static (wi-fi,inside) 192.168.202.77 192.168.20.12 netmask 255.255.255.255

Please remove the above statements, and configure the following:

static (inside,wi-fi) 192.168.202.77 192.168.202.77 netmask 255.255.255.255

Please perform "clear xlate" after configuring the above.

If you are testing by ping, you might want to check if "inspect icmp" has been turned on.

Hope that helps.

Jithesh K Joy Mon, 03/29/2010 - 07:23

Hi halijenn,

Is the destination NAT line

static (wi-fi,inside) 192.168.20.12 192.168.20.12 netmask 255.255.255.255

required to reach 192.168.20.12?

Regards

Jithesh

Kureli Sankar Mon, 03/29/2010 - 08:01

No. Just this line

static (inside,wi-fi) 192.168.202.77 192.168.202.77 netmask 255.255.255.255

is good enough. This is bi-directional. With this line, inside host 192.168.202.77 can initiate a connection to anyone on the wi-fi interface, and wi-fi can initiate a connection to 192.168.202.77, provided the ACL applied on the wi-fi interface allows it.

-KS

Lunzhicheng7 Mon, 03/29/2010 - 20:07

Hi there,

Firstly, it seems such a configuration, "static (wi-fi,inside) 192.168.202.77 192.168.20.12 netmask 255.255.255.255", is unnecessary.

Secondly, you need to add an access-list permitting the traffic whose destination is your NATed address 192.168.20.12.

For example: "access-list out permit tcp any host 192.168.20.12"

I hope my suggestion is helpful.

Regards

Fox Mulder
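To make the replies above concrete, here is an added Python model (written for this page, not code from the thread or from Cisco) of how a pre-8.3 ASA `static (real_if,mapped_if) mapped_ip real_ip` line rewrites addresses, simplified to one source and one destination translation per interface crossing. It parses the exact lines from the question and from the replies and shows that the original pair rewrites the request's source to 192.168.20.12, so the web server receives a packet addressed from itself, while the single identity static leaves both addresses intact in both directions.

```python
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class Static:
    """One pre-8.3 ASA line: static (real_if,mapped_if) mapped_ip real_ip netmask ..."""
    real_if: str
    mapped_if: str
    mapped_ip: str
    real_ip: str

def parse_static(line: str) -> Static:
    """Parse the syntax used on this page: static (real,mapped) mapped_ip real_ip netmask mask."""
    m = re.match(r"static \((\S+),(\S+)\) (\S+) (\S+) netmask (\S+)$", line.strip())
    if not m:
        raise ValueError(f"not a static line: {line!r}")
    real_if, mapped_if, mapped_ip, real_ip, _mask = m.groups()
    return Static(real_if, mapped_if, mapped_ip, real_ip)

def translate(statics, ingress_if, egress_if, src, dst):
    """Simplified model (an assumption, not the exact ASA algorithm) of a packet crossing
    ingress_if -> egress_if. Source side: leaving real_if toward mapped_if with src == real_ip,
    src becomes mapped_ip. Destination side: entering on mapped_if toward real_if with
    dst == mapped_ip, dst becomes real_ip. Returns (src, dst, matched)."""
    matched = False
    for s in statics:
        if (s.real_if, s.mapped_if) == (ingress_if, egress_if) and src == s.real_ip:
            src, matched = s.mapped_ip, True
        if (s.mapped_if, s.real_if) == (ingress_if, egress_if) and dst == s.mapped_ip:
            dst, matched = s.real_ip, True
    return src, dst, matched

# The two statics from the original question (constructed from the post above).
OP_STATICS = [parse_static(l) for l in (
    "static (inside,wi-fi) 192.168.20.12 192.168.202.77 netmask 255.255.255.255",
    "static (wi-fi,inside) 192.168.202.77 192.168.20.12 netmask 255.255.255.255",
)]
# The single identity static recommended in the replies.
IDENTITY_STATICS = [parse_static(
    "static (inside,wi-fi) 192.168.202.77 192.168.202.77 netmask 255.255.255.255")]

def web_request(statics):
    """192.168.202.77 (inside) opens a connection to the web interface 192.168.20.12 (wi-fi)."""
    return translate(statics, "inside", "wi-fi", "192.168.202.77", "192.168.20.12")

def web_reply(statics):
    """The server's reply comes back from wi-fi toward the inside host."""
    return translate(statics, "wi-fi", "inside", "192.168.20.12", "192.168.202.77")
```

With the original pair, `web_request(OP_STATICS)` returns a packet whose source and destination are both 192.168.20.12; with the identity static, request and reply keep their real addresses and a wi-fi host addressing 192.168.202.77 matches the same static, which is the bi-directional behaviour described above.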
