Moving connection from ASA5520 DMZ to ASA5505 outside

thomuff · ‎04-30-2009

I am moving Vendor B connection from a DMZ port on Loc1ASA5520 to the outside interface on Loc25505. I believe I am duplicating the configuration However, it does not seem to be working properly.

I have the following global NAT configured

global (outside) 1 192.168.1.3 netmask 255.255.255.255

nat (inside) 1 192.168.2.1 255.255.255.255

nat (inside) 1 192.168.2.2 255.255.255.255

nat (inside) 1 192.168.2.3 255.255.255.255

I do not have Access-list on outside since no traffic should originate from outside

Would the outside configuration differ from a DMZ configuration?

Let me know if you need more info?

Outside is 192.168.1.2 255.255.255.0

Inside is 192.168.2.254 255.255.255.0

John Blakley · ‎04-30-2009

Well, according to your outside and inside configuration, this won't work. The nat(inside) commands don't reference a 192.168.2.254 address to go out on. I'm not sure what's not working, but if it's internet access, or any traffic originating from the inside, try adding:

nat (inside) 1 192.168.2.254 255.255.255.255

HTH,

John

HTH, John *** Please rate all useful posts ***

thomuff · ‎04-30-2009

sorry 192.168.2.254 is IP address on my inside interface.

192.168.2.1 is my first inside host trying to access vendor network and it should translate to 192.168.1.3

John Blakley · ‎04-30-2009

Can you post a diagram of your topology?

HTH, John *** Please rate all useful posts ***

thomuff · ‎04-30-2009

I have attached a basic diagram.

I think I figured something out.

I had a netmask after my global nat

John Blakley · ‎04-30-2009

Ah, yeah, you could take that off and see if it works. (Although I'm sure you've done that already.) :)

John

HTH, John *** Please rate all useful posts ***

thomuff · ‎05-01-2009

Removing the netmask from the global NAT fixed the issue.

Thanks for your help.

Tom