Cisco Support Community

New Member

NAT and ASA 5505

Hi, I am trying to pass from 192.168.202.77 (VLAN1) to the web interface 192.168.20.12 (VLAN4).

Here is the configuration:

!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.202.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address ***.***.***.*** 255.255.255.248
!
interface Vlan3
nameif dmz
security-level 50
no ip address
!
interface Vlan4
nameif wi-fi
security-level 60
ip address 192.168.20.1 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
switchport access vlan 3
!
interface Ethernet0/4
switchport access vlan 4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7

...

access-list inside_access_in extended permit tcp host 192.168.202.77 host 192.168.20.12
access-list wi-fi extended permit tcp host 192.168.20.12 host 192.168.202.77
...
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
access-group wi-fi in interface wi-fi
...
static (inside,wi-fi) 192.168.20.12 192.168.202.77 netmask 255.255.255.255
static (wi-fi,inside) 192.168.202.77 192.168.20.12 netmask 255.255.255.255
...

Tell me please, what is the problem?

6 REPLIES
New Member

Re: NAT and ASA 5505

Hi,

If you want to access 192.168.20.12 from 192.168.202.77, static identity NAT can be used instead of the present static NAT config:

static (inside,wi-fi) 192.168.202.77  192.168.202.77 netmask 255.255.255.255
static (wi-fi,inside) 192.168.20.12  192.168.20.12 netmask 255.255.255.255

Regards

Joy

Cisco Employee

Re: NAT and ASA 5505

These lines are incorrect statements:

static (inside,wi-fi) 192.168.20.12 192.168.202.77 netmask 255.255.255.255
static (wi-fi,inside) 192.168.202.77 192.168.20.12 netmask 255.255.255.255

Please remove the above statements, and configure the following:

static (inside,wi-fi) 192.168.202.77 192.168.202.77 netmask 255.255.255.255

Please perform "clear xlate" after configuring the above.

If you are testing by ping, you might want to check if "inspect icmp" has been turned on.

Hope that helps.

New Member

Re: NAT and ASA 5505

Hi halijenn,

Is the destination NAT

static (wi-fi,inside) 192.168.20.12 192.168.20.12 netmask 255.255.255.255

required to reach 192.168.20.12?

Regards

Jithesh

Cisco Employee

Re: NAT and ASA 5505

No. Just this line

static (inside,wi-fi) 192.168.202.77 192.168.202.77 netmask 255.255.255.255

is good enough. This is bi-directional. With this line, inside host 192.168.202.77 can initiate connections to anyone on the wi-fi interface, and wi-fi can initiate connections to 192.168.202.77, provided the ACL applied on the wi-fi interface allows it.

-KS
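
Added example (not part of any reply in this thread, and not Cisco code): a small Python check for pre-8.3 static lines that reports when a line's mapped address is the real address of another host behind the mapped interface, as in the question, and when the line is identity NAT, as in the replies. The function names and verdict labels are hypothetical, and the outside and dmz interfaces are left out of the constructed input.

```python
import ipaddress
import re

# Pre-8.3 ASA syntax: static (real_if,mapped_if) mapped_ip real_ip netmask mask
STATIC_RE = re.compile(r"static \((\S+),(\S+)\) (\S+) (\S+) netmask \S+")

# Constructed input: addressed interfaces and static lines copied from the question.
QUESTION_CONFIG = """\
interface Vlan1
 nameif inside
 ip address 192.168.202.1 255.255.255.0
interface Vlan4
 nameif wi-fi
 ip address 192.168.20.1 255.255.255.0
static (inside,wi-fi) 192.168.20.12 192.168.202.77 netmask 255.255.255.255
static (wi-fi,inside) 192.168.202.77 192.168.20.12 netmask 255.255.255.255
"""
# Constructed input: the same interfaces with the single static line from the replies.
REPLY_CONFIG = QUESTION_CONFIG.split("static")[0] + (
    "static (inside,wi-fi) 192.168.202.77 192.168.202.77 netmask 255.255.255.255\n")

def parse(config):
    """Return ({nameif: connected network}, [(real_if, mapped_if, mapped, real)])."""
    nets, statics, name = {}, [], None
    for line in config.splitlines():
        tok = line.split()
        if tok[:1] == ["interface"]:
            name = None                      # new interface block, nameif not seen yet
        elif tok[:1] == ["nameif"]:
            name = tok[1]
        elif tok[:2] == ["ip", "address"] and name:
            nets[name] = ipaddress.ip_network(f"{tok[2]}/{tok[3]}", strict=False)
        elif (m := STATIC_RE.match(line.strip())):
            statics.append(m.groups())
    return nets, statics

def lint_statics(config):
    """Return one verdict per static line, in config order."""
    nets, statics = parse(config)
    reals = {(rif, real) for rif, _, _, real in statics}
    def verdict(rif, mif, mapped, real):
        if rif in nets and ipaddress.ip_address(real) not in nets[rif]:
            return "off-subnet"   # real_ip is not on real_if: arguments likely swapped
        if mapped == real:
            return "identity"     # host keeps its own address on mapped_if
        if (mif, mapped) in reals:
            return "collision"    # mapped_ip is another host's real address on mapped_if
        return "translate"        # ordinary one-to-one translation
    return [verdict(*s) for s in statics]
```

lint_statics(QUESTION_CONFIG) reports both of the question's lines as collisions, and lint_statics(REPLY_CONFIG) reports the replacement line as identity NAT.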

New Member

Re: NAT and ASA 5505

Hi there,

Firstly, it seems the configuration "static (wi-fi,inside) 192.168.202.77 192.168.20.12 netmask 255.255.255.255" is unnecessary.

Secondly, you need to add an access list permitting the traffic destined for your NATed address 192.168.20.12.

For example: "access-list out permit tcp any host 192.168.20.12"

I hope my suggestion is helpful.

Regards

Fox Mulder

New Member

Re: NAT and ASA 5505

Hi,

Thank you all for answers!!!
