NAT between inside & outside

Answered Question
Jul 31st, 2013

Hi,


We have an ASA connected to an external switch connecting two different networks. I have a query about whether we need to put any kind of NAT statement in place for traffic between the internal & external network. The brief network flow is:


User Network > Cisco 3560 > ASA > Cisco 3750X-Core switch > Vlan 16


User Network: 172.16.20.0/24

Vlan 16: 192.168.100.0/24


On Cisco 3750X-Core, there is a default route for traffic towards 172.16.20.0/24 network. Similarly, on the 3560 there is a route for traffic towards Vlan 16 pointing to the ASA interface.


Following are the ASA 5585 details:

Inside interface : INSIDE ( facing towards the 3750X Core )

Outside interface: OUTSIDE ( facing towards the 3560 switch )


There is no NAT configured on the ASA & same-security traffic is permitted. Do we actually need any NAT statement between the inside & outside interfaces for this traffic to flow properly?


Appreciate all inputs.

Correct Answer
Marvin Rhoads Wed, 07/31/2013 - 22:14

You don't need to NAT if the 192.168.100.0/24 (and upstream networks - that static route needs to be redistributed into any dynamic routing protocols on the 3750X) can properly route to your 172.16.20.0/24 network.


I would ask if INSIDE and OUTSIDE are set to same security level, what are you actually firewalling?

suthomas1 Wed, 07/31/2013 - 22:30

Thanks.

Apologies, forgot to mention the security levels.


Inside is on security level 100 & Outside on level 0. Do I still need any NAT in this case, due to the differing security levels, when traffic flows across these interfaces?

Marvin Rhoads Wed, 07/31/2013 - 22:34

Traffic will flow from higher security to lower security (INSIDE to OUTSIDE) by default. Those do not in and of themselves require NAT.


Return traffic will be allowed due to there being an existing connection.


OUTSIDE-originated traffic will require an ACL permitting it. Still no NAT necessary though.

suthomas1 Wed, 07/31/2013 - 22:42

Thanks.

Strangely, the traffic flow is fine, but we can't seem to ping the user network 172.16.20.0/24 from within the 3750-X core.


The ASA & 3560 are connected by a /30 link, which is 172.16.15.0/30.

ASA side has 172.16.15.2 & 3560 interface facing ASA has 172.16.15.1.


We are unable to ping ASA interface 172.16.15.2 from within the 3560.

Outside originated traffic has an ACL permitting them in.


Appreciate help on this.

Marvin Rhoads Wed, 07/31/2013 - 22:54

By default an ASA outside interface will not respond to ping (icmp echo request). That requires something like:


ASA(config)#access-list ACL-OUTSIDE extended permit icmp any any

ASA(config)#access-group ACL-OUTSIDE in interface outside


For your pings to the user network, first check if they are being received at the ASA (packet capture tool). If they are, check if they are allowed through (packet tracer tool).
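Added example (editor's note, not configuration posted by anyone in this thread): the ASA configuration that the answers above describe, put together in one place for the thread's addressing. The 192.168.100.0/24 and 172.16.20.0/24 networks, the 172.16.15.0/30 link and the INSIDE/OUTSIDE names are from the question; the physical interface numbers, the INSIDE address 192.168.100.2, the host 172.16.20.10 and TCP/443 as the permitted application are assumptions made for illustration. Syntax is ASA 8.3 and later (on 8.2 and earlier, forwarding without a NAT rule additionally requires "no nat-control"). Two points worth checking that the thread does not spell out: without ICMP inspection the ASA does not track echo/echo-reply as a connection, so a reply coming back in on OUTSIDE is judged against the OUTSIDE ACL rather than an existing connection; and pings sent to the ASA's own interface address are to-the-box traffic, controlled by the "icmp" command rather than by the interface ACL.

```cisco
! Interfaces and security levels as described in the thread.
! Interface numbers and the INSIDE address are assumed.
interface GigabitEthernet0/0
 nameif INSIDE
 security-level 100
 ip address 192.168.100.2 255.255.255.0
!
interface GigabitEthernet0/1
 nameif OUTSIDE
 security-level 0
 ip address 172.16.15.2 255.255.255.252
!
! Routing does the work that NAT would otherwise hide: the ASA must know
! where 172.16.20.0/24 lives (via the 3560 at 172.16.15.1).
route OUTSIDE 172.16.20.0 255.255.255.0 172.16.15.1
! If Vlan 16 sits behind the 3750X rather than on the INSIDE link, add:
! route INSIDE 192.168.100.0 255.255.255.0 <3750X address>
!
! Deliberately no "nat" statements: with no matching NAT rule the ASA
! forwards packets unchanged between INSIDE and OUTSIDE.
!
! INSIDE (100) -> OUTSIDE (0) is permitted by default. OUTSIDE-originated
! traffic needs an interface ACL; permit only what the user network must
! reach rather than "permit ip any any".
object network USER-NET
 subnet 172.16.20.0 255.255.255.0
object network VLAN16
 subnet 192.168.100.0 255.255.255.0
!
access-list ACL-OUTSIDE extended permit tcp object USER-NET object VLAN16 eq 443
access-list ACL-OUTSIDE extended permit icmp object USER-NET object VLAN16 echo
access-list ACL-OUTSIDE extended deny ip any any log
access-group ACL-OUTSIDE in interface OUTSIDE
!
! Why TCP works from the core but ping does not: without ICMP inspection
! the echo-reply arriving on OUTSIDE is not matched to a connection and is
! dropped by ACL-OUTSIDE. Inspecting ICMP makes the reply stateful.
policy-map global_policy
 class inspection_default
  inspect icmp
  inspect icmp error
!
! Pings *to* 172.16.15.2 itself are to-the-box traffic. They are controlled
! here, not by ACL-OUTSIDE; this restricts them to the 3560's link address.
icmp permit host 172.16.15.1 echo OUTSIDE
icmp deny any OUTSIDE
!
! Exec-mode checks (from enable, not config), following the order in the
! answer above: is the echo from the core reaching the ASA, and if so,
! which processing phase drops it?
! capture CAP-IN interface INSIDE match icmp any host 172.16.20.10
! show capture CAP-IN
! packet-tracer input INSIDE icmp 192.168.100.1 8 0 172.16.20.10 detailed
! show route 172.16.20.10
! show conn protocol icmp
```

The packet-tracer output names the phase (ACCESS-LIST, NAT, ROUTE-LOOKUP, INSPECT) where a simulated packet is dropped, so it separates a missing route from a missing ACL entry without sending real traffic; "show conn protocol icmp" then confirms that, with inspection enabled, an outbound echo from the core actually builds a connection that the reply can match.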
