
Cannot get Alias or Static NAT inside to work

OK, so I have a web server with an internal IP of 10.x.x.x and it has a static NAT to the outside with a public 216.x.x.x address on the ASA. My internal hosts cannot access it via the public address, so I tried to NAT it like this:

static (inside,inside) 216.x.x.x 10.x.x.x netmask 255.255.255.255

and it did not work.

So I did

alias (inside) 216.x.x.x 10.x.x.x 255.255.255.255

and I can ping it from an inside host, but still cannot access http://216.x.x.x. When I ping 216.x.x.x, it replies with the 10.x.x.x address.

If I put http://10.x.x.x it works fine.

It is an ASA 5510 Security+ on 8.21.

Accepted Solution
Green

Re: Cannot get Alias or Static NAT inside to work

same-security-traffic permit intra-interface

static (inside,inside) 216.x.x.x 10.x.x.x netmask 255.255.255.255

global (inside) 1 interface

nat (inside) 1 0 0

Community Member

Re: Cannot get Alias or Static NAT inside to work

OK, the static command works to replace the alias. I had the same-security permit intra- and inter-interface, changed the inside nat pool from 0 to 1, and it is working: I can ping and http.

Will this affect my outbound identity addresses? Like, if I have a web filter outside the ASA, will it now see all traffic coming from the ASA interface instead of the identity of the client PC?

I wasn't doing any NAT overload on the ASA; there is a router from the ISP doing that from their IP pool. I was just doing identity NAT.

Green

Re: Cannot get Alias or Static NAT inside to work

"will this affect my outbound identity addresses?"

-No. Only traffic from inside to inside is affected.

Community Member

Re: Cannot get Alias or Static NAT inside to work

I spoke too soon - it broke my internet for inside hosts. I changed it back to nat pool 0 and internet works, but of course now I can't talk to the server.

Green

Re: Cannot get Alias or Static NAT inside to work

Post your nat/global config please.

You should be able to leave your existing nat 0 then add...

nat (inside) 1 0 0

global (inside) 1 interface

Community Member

Re: Cannot get Alias or Static NAT inside to work

global (inside) 1 interface

nat (management) 0 0.0.0.0 0.0.0.0

nat (inside) 0 0.0.0.0 0.0.0.0

static (inside,outside) 216.x.x.x 10.17.1.42 netmask 255.255.255.255

static (inside,outside) 216.x.x.x 10.17.1.45 netmask 255.255.255.255

static (inside,outside) 216.x.x.x 10.17.1.43 netmask 255.255.255.255

static (inside,outside) 216.x.x.x 10.17.1.46 netmask 255.255.255.255

static (inside,outside) 216.x.x.x 10.17.1.44 netmask 255.255.255.255

static (inside,outside) 216.x.x.x 10.17.1.33 netmask 255.255.255.255

static (inside,inside) 216.x.x.x 10.17.1.42 netmask 255.255.255.255

If I change to

nat (inside) 1 0 0

I can't get to the internet on any hosts that don't have a static. I don't really want to overload on my outside interface on the ASA because I have a fatpipe for load balancing outside the ASA and a web filter.

Community Member

Re: Cannot get Alias or Static NAT inside to work

It won't take

nat (inside) 1 0 0

It says 'duplicate nat entry'.

Community Member

Re: Cannot get Alias or Static NAT inside to work

OK, so I solved it: just created an access list permitting ip to that server, then natted the pool 1 to that ACL. Works fine.

Thanks for all the help.
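Added example, not part of any post in this thread: a small Python check over 8.2-style nat/global lines that pairs each dynamic nat ID with its global pools, showing why moving the inside rule to ID 1 left outside-bound traffic with no pool while the ACL-scoped rule did not. The function name, the ACL name HAIRPIN, and the inside/outside interface list are assumptions.

```python
import re

# Constructed sample: the nat/global lines posted in the thread, with the
# inside rule switched from ID 0 to ID 1 as the poster tried.
BROKEN = """\
global (inside) 1 interface
nat (management) 0 0.0.0.0 0.0.0.0
nat (inside) 1 0 0
"""

# Constructed sample of the final fix described in the last post.
# The ACL name HAIRPIN is an assumption; the thread does not show it.
FIXED = """\
global (inside) 1 interface
nat (management) 0 0.0.0.0 0.0.0.0
nat (inside) 0 0.0.0.0 0.0.0.0
nat (inside) 1 access-list HAIRPIN
"""

NAT = re.compile(r"^nat \((\S+)\) (\d+) (.+)$")
GLOBAL = re.compile(r"^global \((\S+)\) (\d+) ")


def unpaired_nat(config, interfaces=("inside", "outside")):
    """Return (source_if, nat_id, egress_if) for every catch-all dynamic nat
    rule whose ID has no global pool on another interface it may exit through.
    Premise of the check: a host matching nat ID n needs a global with the
    same ID on the egress interface."""
    globals_by_id = {}
    nats = []
    for line in config.splitlines():
        line = line.strip()
        if m := GLOBAL.match(line):
            globals_by_id.setdefault(m.group(2), set()).add(m.group(1))
        elif m := NAT.match(line):
            nats.append(m.groups())
    findings = []
    for src_if, nat_id, match in nats:
        # ID 0 is identity NAT; an access-list rule only applies to ACL matches.
        if nat_id == "0" or match.startswith("access-list"):
            continue
        pools = globals_by_id.get(nat_id, set())
        for egress in interfaces:
            if egress != src_if and egress not in pools:
                findings.append((src_if, int(nat_id), egress))
    return findings
```
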
