NAT and ASA 5505

KpaH4iTooo
Level 1

Hi, I am trying to pass from 192.168.202.77 (VLAN1) to the web interface 192.168.20.12 (VLAN4).

Here is the configuration:

!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.202.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address ***.***.***.*** 255.255.255.248
!
interface Vlan3
nameif dmz
security-level 50
no ip address
!
interface Vlan4
nameif wi-fi
security-level 60
ip address 192.168.20.1 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
switchport access vlan 3
!
interface Ethernet0/4
switchport access vlan 4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7

...

access-list inside_access_in extended permit tcp host 192.168.202.77 host 192.168.20.12
access-list wi-fi extended permit tcp host 192.168.20.12 host 192.168.202.77
...
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
access-group wi-fi in interface wi-fi
...
static (inside,wi-fi) 192.168.20.12 192.168.202.77 netmask 255.255.255.255
static (wi-fi,inside) 192.168.202.77 192.168.20.12 netmask 255.255.255.255
...

Tell me please, what is the problem?

6 Replies

Jithesh K Joy
Level 1

Hi,

If you want to access 192.168.20.12 from 192.168.202.77, static identity NAT can be used instead of the present static NAT config:

static (inside,wi-fi) 192.168.202.77  192.168.202.77 netmask 255.255.255.255
static (wi-fi,inside) 192.168.20.12  192.168.20.12 netmask 255.255.255.255

Regards

Joy

Jennifer Halim
Cisco Employee

These lines are incorrect statements:

static (inside,wi-fi) 192.168.20.12 192.168.202.77 netmask 255.255.255.255
static (wi-fi,inside) 192.168.202.77 192.168.20.12 netmask 255.255.255.255

Please remove the above statements, and configure the following:

static (inside,wi-fi) 192.168.202.77 192.168.202.77 netmask 255.255.255.255

Please perform "clear xlate" after configuring the above.

If you are testing by ping, you might want to check if "inspect icmp" has been turned on.

Hope that helps.

Hi halijenn,

Is the destination NAT

static (wi-fi,inside) 192.168.20.12 192.168.20.12 netmask 255.255.255.255

required to reach 192.168.20.12?

Regards

Jithesh

No. Just this line

static (inside,wi-fi) 192.168.202.77 192.168.202.77 netmask 255.255.255.255

is good enough. This is bi-directional. With this line, inside host 192.168.202.77 can initiate a connection to anyone on the wi-fi interface, and wi-fi can initiate a connection to 192.168.202.77, provided the ACL applied on the wi-fi interface allows it.

-KS
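
An added example, not part of any reply in this thread: a small Python check that models only the pre-8.3 host `static (real_ifc,mapped_ifc) mapped_ip real_ip` syntax quoted above and reports what the static lines do to the 192.168.202.77 to 192.168.20.12 flow. The function names are this example's own, and the two sample configs are the static lines copied from the posts.

```python
import re
from collections import namedtuple

# Pre-8.3 ASA host static, as quoted in the thread:
#   static (real_ifc,mapped_ifc) mapped_ip real_ip netmask 255.255.255.255
Static = namedtuple("Static", "real_if mapped_if mapped_ip real_ip")
STATIC_RE = re.compile(
    r"^static \((\S+?),(\S+?)\)\s+(\S+)\s+(\S+)\s+netmask\s+255\.255\.255\.255$")

def parse_statics(config):
    """Extract host static NAT entries from config text; other lines are ignored."""
    matches = (STATIC_RE.match(line.strip()) for line in config.splitlines())
    return [Static(*m.groups()) for m in matches if m]

def seen_as(statics, real_ip, real_if, other_if):
    """Address a host behind real_if presents on other_if (unchanged if no static)."""
    for s in statics:
        if (s.real_if, s.mapped_if, s.real_ip) == (real_if, other_if, real_ip):
            return s.mapped_ip
    return real_ip

def check_flow(statics, client, client_if, server, server_if):
    """Return a list of NAT problems for client -> server across two interfaces."""
    problems = []
    src_on_server_side = seen_as(statics, client, client_if, server_if)
    dst_on_client_side = seen_as(statics, server, server_if, client_if)
    if src_on_server_side == server:
        problems.append("client is translated to the server's own address")
    if dst_on_client_side != server:
        problems.append("server is published as %s, not %s" % (dst_on_client_side, server))
    return problems

# Constructed inputs: the static lines from the thread, before and after the fix.
ORIGINAL = """
static (inside,wi-fi) 192.168.20.12 192.168.202.77 netmask 255.255.255.255
static (wi-fi,inside) 192.168.202.77 192.168.20.12 netmask 255.255.255.255
"""
CORRECTED = """
static (inside,wi-fi) 192.168.202.77 192.168.202.77 netmask 255.255.255.255
"""

if __name__ == "__main__":
    for name, cfg in (("original", ORIGINAL), ("corrected", CORRECTED)):
        issues = check_flow(parse_statics(cfg), "192.168.202.77", "inside",
                            "192.168.20.12", "wi-fi")
        print(name, "->", issues or "no NAT conflict")
```
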

Lunzhicheng7
Level 1

Hi there,

Firstly, it seems the configuration "static (wi-fi,inside) 192.168.202.77 192.168.20.12 netmask 255.255.255.255" is unnecessary.

Secondly, you need to add an access-list to permit the traffic whose destination is your NATed address 192.168.20.12.

For example: "access-list out permit tcp any host 192.168.20.12"

I hope my suggestion is helpful.

Regards

Fox Mulder

KpaH4iTooo
Level 1

Hi,

Thank you all for the answers!!!
