Cisco Support Community
New Member

ASA 5505 Identity NAT

Hi,

I'm having issues with static identity NAT on an ASA 5505.

We use VLAN 2 for the outside interface and VLAN 1 for the inside. The outside WAN is connected to Eth 0/0 and the inside to Eth 0/1. Then we have created 1 to 1 static identity NAT statements for each of the two servers. However, I'm now unsure how this will work in terms of the VLAN configuration on the ASA. If we put the inside interface into VLAN 2 we can ping the IPs of the servers; however, as they are in the same security level as the outside interface, no filtering takes place, even when we remove "same-security-traffic inter-interface".

Then if we add the inside interface to VLAN 1 the connection breaks, as traffic is not being routed between the VLANs.

e.g.

interface Vlan2
 nameif outside
 security-level 0
 ip address 1.1.1.1 255.255.255.0
!
interface Vlan1
 nameif inside
 security-level 100
 no ip address
!
static (inside,outside) 1.1.1.2 1.1.1.2 netmask 255.255.255.255
static (inside,outside) 1.1.1.3 1.1.1.3 netmask 255.255.255.255
!
interface Ethernet0/0
 description Outside Interface
 switchport access vlan 2
 speed 10
 duplex full
!
interface Ethernet0/1
 description Servers
 switchport access vlan 2
!
access-list ouside blah......

Any ideas would help, thanks!

3 REPLIES
Hall of Fame Super Blue

Re: ASA 5505 Identity NAT

Patrick

If 1.1.1.0/24 is the outside interface address then what is the IP subnet for vlan 1? You don't have an IP address assigned to vlan 1, i.e. -

interface Vlan1
 nameif inside
 security-level 100
 no ip address

Also your static statements -

static (inside,outside) 1.1.1.2 1.1.1.2 netmask 255.255.255.255

but 1.1.1.2 is on the outside, not the inside. What I would expect to see is e.g.

vlan 1 subnet = 2.2.2.0/24

static (inside,outside) 2.2.2.2 2.2.2.2 netmask 255.255.255.255

Does this make sense?

Jon
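
An offline check for the two problems raised in the reply above (an interface with no address, and a static whose real address is not behind the real interface). This is an added example, not part of the thread: the sample is the question's configuration condensed, the function names are hypothetical, and it assumes plain pre-8.3 `static (real_if,mapped_if) mapped_ip real_ip` lines only.

```python
import ipaddress
import re

# Constructed sample: the configuration from the question, condensed.
SAMPLE = """\
interface Vlan2
 nameif outside
 security-level 0
 ip address 1.1.1.1 255.255.255.0
!
interface Vlan1
 nameif inside
 security-level 100
 no ip address
!
static (inside,outside) 1.1.1.2 1.1.1.2 netmask 255.255.255.255
static (inside,outside) 1.1.1.3 1.1.1.3 netmask 255.255.255.255
"""

def interface_networks(config):
    """Map nameif -> IPv4Network, or None when the interface has no address."""
    nets, name = {}, None
    for line in config.splitlines():
        words = line.split()
        if words[:1] == ["interface"]:
            name = None                      # new interface block starts
        elif words[:1] == ["nameif"] and len(words) == 2:
            name = words[1]
            nets[name] = None                # no address seen yet
        elif words[:2] == ["ip", "address"] and name and len(words) >= 4:
            nets[name] = ipaddress.ip_interface(f"{words[2]}/{words[3]}").network
    return nets

# Groups: real interface, mapped interface, real (last) IP address.
STATIC = re.compile(
    r"^\s*static \(([^,\s]+),([^)\s]+)\) \S+ (\d+\.\d+\.\d+\.\d+)\b", re.M)

def check_statics(config):
    """Return findings for statics whose real address is not behind real_if."""
    nets, findings = interface_networks(config), []
    for real_if, mapped_if, real in (m.groups() for m in STATIC.finditer(config)):
        real_ip = ipaddress.ip_address(real)
        if nets.get(real_if) is None:
            findings.append(f"{real}: interface '{real_if}' has no IP address")
        elif real_ip not in nets[real_if]:
            findings.append(f"{real}: not in '{real_if}' subnet {nets[real_if]}")
        if nets.get(mapped_if) is not None and real_ip in nets[mapped_if]:
            findings.append(f"{real}: real address is on '{mapped_if}' subnet {nets[mapped_if]}")
    return findings
```

Run against the question's configuration it reports both problems for each server; with an inside subnet of 2.2.2.0/24 and statics for 2.2.2.x, as suggested above, it reports nothing.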

Re: ASA 5505 Identity NAT

static (inside,outside) [This should be your public ip address range on the outside interface] [this should be your inside ip address behind your inside interface] netmask 255.255.255.255

Suggest you post your configuration.

New Member

Re: ASA 5505 Identity NAT

Hi Jon,

Yes it does, thanks.

Rgds
