Cisco Support Community

Moving connection from ASA5520 DMZ to ASA5505 outside

I am moving the Vendor B connection from a DMZ port on Loc1ASA5520 to the outside interface on Loc25505. I believe I am duplicating the configuration. However, it does not seem to be working properly.

I have the following global NAT configured:

global (outside) 1 192.168.1.3 netmask 255.255.255.255

nat (inside) 1 192.168.2.1 255.255.255.255

nat (inside) 1 192.168.2.2 255.255.255.255

nat (inside) 1 192.168.2.3 255.255.255.255

I do not have an access-list on outside since no traffic should originate from outside.

Would the outside configuration differ from a DMZ configuration?

Let me know if you need more info.

Outside is 192.168.1.2 255.255.255.0

Inside is 192.168.2.254 255.255.255.0

6 REPLIES

Re: Moving connection from ASA5520 DMZ to ASA5505 outside

Well, according to your outside and inside configuration, this won't work. The nat(inside) commands don't reference a 192.168.2.254 address to go out on. I'm not sure what's not working, but if it's internet access, or any traffic originating from the inside, try adding:

nat (inside) 1 192.168.2.254 255.255.255.255

HTH,

John

HTH, John *** Please rate all useful posts ***

Re: Moving connection from ASA5520 DMZ to ASA5505 outside

Sorry, 192.168.2.254 is the IP address on my inside interface.

192.168.2.1 is my first inside host trying to access the vendor network, and it should translate to 192.168.1.3.

Re: Moving connection from ASA5520 DMZ to ASA5505 outside

Can you post a diagram of your topology?

HTH, John *** Please rate all useful posts ***

Re: Moving connection from ASA5520 DMZ to ASA5505 outside

I have attached a basic diagram.

I think I figured something out.

I had a netmask after my global NAT.

Re: Moving connection from ASA5520 DMZ to ASA5505 outside

Ah, yeah, you could take that off and see if it works. (Although I'm sure you've done that already.) :)

John


Re: Moving connection from ASA5520 DMZ to ASA5505 outside

Removing the netmask from the global NAT fixed the issue.

Thanks for your help.

Tom
