ASA quit passing traffic

tsrader
Level 1

Inside to Outside can ping no problem

Outside to Inside CANNOT ping host.

Requirement is for outside host to be able to access inside host (tcp / icmp, etc.).

I am missing something on the firewall.

Relevant configs attached.

Thanks for any assistance.

Accepted Solutions

Jouni Forss
VIP Alumni

Hi,

You have Dynamic PAT configured for traffic initiated from behind "inside" to "outside".

You however do not have any Static NAT or NAT0 configured that would make it possible for a host on the "outside" to initiate a connection to a host behind the "inside".

With the current firewall configuration it won't be possible to initiate a connection in the direction you have described.

So I guess you would have to either remove any kind of NAT from the firewall OR configure Static NAT for the hosts behind "inside".

You seem to have Default Route on both Routers pointing towards the ASA interface IP address. This would mean you could use any IP address space as the NAT IP address towards the "outside" interface and the traffic should be forwarded correctly to the ASA "outside" interface.

To configure Static NAT for a host on the "inside" to the "outside" you could use the following configuration format:

static (inside,outside) <mapped-ip> <real-ip> netmask 255.255.255.255

Then by targeting the NAT IP address you should be able to form connections to the host you configured Static NAT for.

- Jouni
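
The Static NAT described in the accepted answer, filled in as an added example that is not part of the original reply or the poster's attached configuration. All addresses are constructed from documentation ranges, the ACL name `OUTSIDE-IN` and the tcp/443 service are hypothetical, and it assumes "outside" has a lower security level than "inside", so inbound connections also need an explicit permit.

```cisco
! Constructed values (not from the poster's config):
!   192.168.10.10  real address of the inside host
!   203.0.113.10   NAT (mapped) address presented on "outside"
!   198.51.100.20  the outside host that needs access
!   OUTSIDE-IN     hypothetical ACL name; tcp/443 is an assumed service

! One-to-one translation: static (real_ifc,mapped_ifc) mapped_ip real_ip
static (inside,outside) 203.0.113.10 192.168.10.10 netmask 255.255.255.255

! With this static syntax the ACL on "outside" matches the mapped address.
! Permit only the required source and services, not "any any".
access-list OUTSIDE-IN extended permit tcp host 198.51.100.20 host 203.0.113.10 eq 443
access-list OUTSIDE-IN extended permit icmp host 198.51.100.20 host 203.0.113.10 echo
access-group OUTSIDE-IN in interface outside

! Verify: simulate the inbound flow and check the translation.
packet-tracer input outside tcp 198.51.100.20 12345 203.0.113.10 443
packet-tracer input outside icmp 198.51.100.20 8 0 203.0.113.10
show xlate
show access-list OUTSIDE-IN
```

If an ACL is already applied inbound on "outside", add the permit entries to that ACL instead, since `access-group` replaces the existing binding for that interface and direction.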
