Interface to interface NAT exemption and access

Unanswered Question
Jul 20th, 2006

Hi,


I've got an ASA5520 7.0(4) and I'm trying to get two interfaces to talk to each other without NAT.


interface GigabitEthernet0/0
 nameif inside
 security-level 100
 ip address 10.99.36.4 255.255.252.0
!
interface GigabitEthernet0/0.1
 vlan 10
 nameif insidevoice
 security-level 90
 ip address 10.99.60.4 255.255.252.0


I don't have any static entries defined for these interfaces and I feel this is what I'm missing but don't understand the context I need for them.


access-list nonatvoice extended permit ip object-group godalmingvnet object-group godalmingnet

object-group network godalmingnet
 description network godalming
 network-object 10.99.36.0 255.255.252.0

object-group network godalmingvnet
 description voice network godalming
 network-object 10.99.60.0 255.255.252.0

nat 0 (insidevoice) access-list nonatvoice


That's all the config I believe is relevant for the interfaces - can anyone help?

grant.maynard Thu, 07/20/2006 - 04:17

Always think of the basic rules of PIX NAT:

high security -> low (e.g. inside users surfing internet) you need nat&global.

low security -> high (e.g. external access to a mail server) you need static (& ACL).


no_NAT makes it more complicated but you could do this in one of three ways:


access-list nonatvoice extended permit ip object-group godalmingnet object-group godalmingvnet
nat 0 (inside) access-list nonatvoice

or

static (inside,insidevoice) 10.99.60.0 10.99.60.0 netmask 255.255.252.0 0 100

or you could turn off NAT:

no nat-control


Check the command ref at http://www.cisco.com/en/US/products/ps6120/products_command_reference_book09186a00805fbad6.html for that last one, it might come in very handy.
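
An offline audit of the first option in the reply above, added here as an example and not part of the original thread or of any Cisco tool: it parses a saved config and reports interface pairs where the higher-security interface has no nat 0 access-list covering its own subnet towards the lower one. The names parse and missing_exemptions are hypothetical, only object-group style ACL entries are handled, and the rule that the exemption sits on the higher-security interface is taken from the reply.

```python
import ipaddress
import re
# Constructed sample: the asker's config from the thread (vlan/description lines omitted).
ASKER = """\
interface GigabitEthernet0/0
 nameif inside
 security-level 100
 ip address 10.99.36.4 255.255.252.0
interface GigabitEthernet0/0.1
 nameif insidevoice
 security-level 90
 ip address 10.99.60.4 255.255.252.0
object-group network godalmingnet
 network-object 10.99.36.0 255.255.252.0
object-group network godalmingvnet
 network-object 10.99.60.0 255.255.252.0
access-list nonatvoice extended permit ip object-group godalmingvnet object-group godalmingnet
nat 0 (insidevoice) access-list nonatvoice
"""
# The reply's first option: ACL direction swapped and bound to the inside interface.
FIXED = (ASKER.replace("godalmingvnet object-group godalmingnet",
                       "godalmingnet object-group godalmingvnet")
              .replace("nat 0 (insidevoice)", "nat 0 (inside)"))

def parse(cfg):
    """Interfaces, network object-groups, object-group ACL entries, nat 0 bindings."""
    ifs = {n: (int(lvl), ipaddress.ip_interface(f"{ip}/{mask}").network)
           for n, lvl, ip, mask in re.findall(
               r"nameif (\S+)\n security-level (\d+)\n ip address (\S+) (\S+)", cfg)}
    grp = {n: [ipaddress.ip_network(f"{a}/{m}")
               for a, m in re.findall(r"network-object (\S+) (\S+)", body)]
           for n, body in re.findall(r"object-group network (\S+)\n((?: .*\n)+)", cfg)}
    acl = {}
    for n, src, dst in re.findall(
            r"access-list (\S+) extended permit ip object-group (\S+) object-group (\S+)", cfg):
        acl.setdefault(n, []).append((src, dst))
    nat0 = dict(re.findall(r"nat 0 \((\S+)\) access-list (\S+)", cfg))
    return ifs, grp, acl, nat0

def missing_exemptions(cfg):
    """(high, low) interface pairs whose higher-security side has no nat 0 ACL
    entry permitting its own subnet to the lower side's subnet."""
    ifs, grp, acl, nat0 = parse(cfg)
    def covered(hi, lo):
        return any(any(ifs[hi][1].subnet_of(s) for s in grp[src]) and
                   any(ifs[lo][1].subnet_of(d) for d in grp[dst])
                   for src, dst in acl.get(nat0.get(hi), []))
    return [(hi, lo) for hi in ifs for lo in ifs
            if ifs[hi][0] > ifs[lo][0] and not covered(hi, lo)]
```

Run against ASKER it flags the inside/insidevoice pair; against FIXED it returns an empty list.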
