
ASA-FWSM NAT (Low,High) issue/Concept

Hello All,

We ran into a NAT issue when we configured NAT on our ASA and FWSM (low,high).

The request comes in the reverse way, where our servers are located in a zone with a low security level while the clients are located in a high security zone.

To make the topology very easy, the firewall contains two interfaces, inside and outside only,

while the servers are located at (outside) 10.0.0.0/24 and clients at (inside) 192.168.0.0/24; thus, to allow the client to access the server, we configure a reverse static NAT for the server:

=================

Server: 10.0.0.2/32

Client: 192.168.0.2/32

Inside/outside  ACL: permit IP any any / ICMP any any

================

!

nat-control

!

static (outside,inside) 192.168.0.100 10.0.0.2 netmask 255.255.255.255

!

Because nat-control is on, I need to configure NAT back to outside from inside, either static or NAT exemption; we chose the second one.

!

The logical way to configure the access list seems to be like this:

access-list nonat-inside extended permit ip host 192.168.0.2 host 192.168.0.100

nat (inside) 0 access-list nonat-inside

!

Here is where the issue pops up: when we test a ping from the client to the server, it does not work and we get this error, which means there is no reverse translation:

"No translation group found for icmp src inside:192.168.0.2 dst outside:192.168.0.100",

Then we replaced the access-list to be from the real client IP to the real server IP and it works:

access-list nonat-inside extended permit ip host 192.168.0.2 host 10.0.0.2

nat (inside) 0 access-list nonat-inside

Now 2-way communication is working.

The test was done to configure this on the production FWSM; the FWSM works with the first ACL, which is the logical one, not the second.

The first test was done on an ASA running on GNS (8.0); thus, to confirm, we used a (physical) ASA 5505 and replicated the same configuration.

Can anyone advise if this is normal for ASA and FWSM or not?

Tested on:

GNS ASA: ASA5520 (8.0)

ASA 5505 (8.2)

FWSM: 3.2

Thanks a lot.

Mohamed.
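As an added example (not part of the original post or Cisco's own tooling), here is a small Python lint over the config format shown above: it flags any `nat (ifc) 0 access-list` exemption entry whose destination host is a mapped address taken from a `static` line, which is the form the poster reports failing on the ASA 8.0/8.2 tests, and reports the real address the poster's working ACL used instead. The regexes and the embedded sample config are constructed for this illustration and only handle single-host (`host`) ACL entries and /32 statics.

```python
import re

# Constructed sample: the poster's first (failing on ASA) configuration.
SAMPLE_CONFIG = """
nat-control
static (outside,inside) 192.168.0.100 10.0.0.2 netmask 255.255.255.255
access-list nonat-inside extended permit ip host 192.168.0.2 host 192.168.0.100
nat (inside) 0 access-list nonat-inside
"""

# static (mapped_ifc,real_ifc) MAPPED REAL netmask MASK
STATIC_RE = re.compile(r"^static \((\S+),(\S+)\) (\S+) (\S+) netmask (\S+)")
# access-list NAME extended permit PROTO host SRC host DST
ACL_RE = re.compile(r"^access-list (\S+) extended permit \S+ host (\S+) host (\S+)")
# nat (IFC) 0 access-list NAME  (NAT exemption)
NAT0_RE = re.compile(r"^nat \((\S+)\) 0 access-list (\S+)")


def find_mapped_destinations(config):
    """Return [(acl_name, mapped_dst, real_dst)] for every NAT exemption ACL
    entry whose destination host is a mapped address from a /32 static."""
    mapped_to_real = {}   # mapped IP -> real IP, from static lines
    acl_entries = {}      # ACL name -> [(src, dst), ...]
    exempt_acls = set()   # ACL names referenced by 'nat (ifc) 0 access-list'
    for raw in config.splitlines():
        line = raw.strip()
        m = STATIC_RE.match(line)
        if m and m.group(5) == "255.255.255.255":
            mapped_to_real[m.group(3)] = m.group(4)
            continue
        m = ACL_RE.match(line)
        if m:
            acl_entries.setdefault(m.group(1), []).append((m.group(2), m.group(3)))
            continue
        m = NAT0_RE.match(line)
        if m:
            exempt_acls.add(m.group(2))
    findings = []
    for acl in sorted(exempt_acls):
        for _src, dst in acl_entries.get(acl, []):
            if dst in mapped_to_real:
                findings.append((acl, dst, mapped_to_real[dst]))
    return findings


if __name__ == "__main__":
    for acl, mapped, real in find_mapped_destinations(SAMPLE_CONFIG):
        print(f"{acl}: destination {mapped} is a mapped address; real host is {real}")
```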
