NAT and ASA 5505

Unanswered Question
Mar 26th, 2010

Hi, I am trying to pass from (VLAN1) to web interface

Here is a configuration

interface Vlan1
nameif inside
security-level 100
ip address
interface Vlan2
nameif outside
security-level 0
ip address ***.***.***.***
interface Vlan3
nameif dmz
security-level 50
no ip address
interface Vlan4
nameif wi-fi
security-level 60
ip address
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
switchport access vlan 3
interface Ethernet0/4
switchport access vlan 4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7


access-list inside_access_in extended permit tcp host host
access-list wi-fi extended permit tcp host host
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
access-group wi-fi in interface wi-fi
static (inside,wi-fi) netmask
static (wi-fi,inside) netmask

Tell me please, what is the problem?

Jithesh K Joy Fri, 03/26/2010 - 08:03


If you want to access from the static identity NAT can be used instead of the present static NAT config

static (inside,wi-fi) netmask
static (wi-fi,inside) netmask



Jennifer Halim Fri, 03/26/2010 - 15:20

These lines are incorrect statements:

static (inside,wi-fi) netmask
static (wi-fi,inside) netmask

Please remove the above statements, and configure the following:

static (inside,wi-fi) netmask

Please perform "clear xlate" after configuring the above.

If you are testing by ping, you might want to check if "inspect icmp" has been turned on.

Hope that helps.

Jithesh K Joy Mon, 03/29/2010 - 07:23

Hi halijenn,

Destination NAT

static (wi-fi,inside) netmask is required to reach ?



Kureli Sankar Mon, 03/29/2010 - 08:01

No. Just this line

static (inside,wi-fi) netmask

is good enough. This is bi-directional. With this line, an inside host can initiate a connection to anyone on the wi-fi interface, and wi-fi can initiate a connection to provided the ACL applied on the wi-fi interface allows it.
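The single-static approach described in the replies above, written out as an added example that is not part of any post in this thread. The addresses in the thread were removed, so every address here is constructed: 192.168.1.0/24 is assumed for inside, 192.168.4.0/24 for wi-fi, 192.168.1.10 for the web interface and 192.168.4.20 for the wi-fi client. TCP port 80 and identity NAT (mapped address equal to real address) are also assumptions. Syntax is for ASA software before 8.3, which is what the static command in the thread implies.

```cisco
! Constructed addresses throughout; replace with the real networks.
! One identity static: inside hosts appear on wi-fi with their own
! addresses. The entry is bidirectional, so no reverse
! static (wi-fi,inside) is needed.
static (inside,wi-fi) 192.168.1.0 192.168.1.0 netmask 255.255.255.0

! The static only provides translation. Traffic entering the lower
! security interface (wi-fi, level 60) toward inside (level 100)
! still needs an explicit permit in the ACL bound to wi-fi.
! Keep the permit as narrow as the requirement: one client, one
! server, one port.
access-list wi-fi extended permit tcp host 192.168.4.20 host 192.168.1.10 eq www
access-group wi-fi in interface wi-fi

! Flush translations built under the old static entries so the new
! rule takes effect.
clear xlate

! Verification: simulate the wi-fi client opening a connection to
! the inside web interface. The output lists each phase (ACL, NAT,
! route) and the final allow/drop result.
packet-tracer input wi-fi tcp 192.168.4.20 1025 192.168.1.10 80

! Confirm the identity translation exists and the ACL entry is
! being hit.
show xlate
show access-list wi-fi
```

If packet-tracer reports a drop, the phase it names (access-list or NAT) shows which of the two statements above needs correcting.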


Lunzhicheng7 Mon, 03/29/2010 - 20:07

Hi there,

Firstly, it seems such configuration "static (wi-fi,inside) netmask" is unnecessary.

Secondly, you need to add an access-list permitting the traffic whose destination is your NATed address

For example: "access-list out permit tcp any host"

I hope my suggestion is helpful


Fox Mulder

