nat between inside & outside

suthomas1
Level 6

Hi,

We have an ASA connected to an external switch connecting two different networks. I have a query about whether we need to put any kind of NAT statement in place for traffic between the internal and external networks. The brief network flow is:

User Network > Cisco 3560 > ASA > Cisco 3750X-Core switch > Vlan 16

User Network: 172.16.20.0/24

Vlan 16: 192.168.100.0/24

On Cisco 3750X-Core, there is a default route for traffic towards 172.16.20.0/24 network. Similarly, on the 3560 there is a route for traffic towards Vlan 16 pointing to the ASA interface.

Following are the ASA 5585 details:

Inside interface : INSIDE ( facing towards the 3750X Core )

Outside interface: OUTSIDE ( facing towards the 3560 switch )

There is no NAT configured on the ASA, and same-security traffic is permitted. Do we actually need any NAT statement between the inside and outside interfaces for this traffic to flow properly?

Appreciate all inputs.

1 Accepted Solution

Accepted Solutions

Marvin Rhoads
Hall of Fame

You don't need to NAT if the 192.168.100.0/24 (and upstream networks - that static route needs to be redistributed into any dynamic routing protocols on the 3750X) can properly route to your 172.16.20.0/24 network.

I would ask if INSIDE and OUTSIDE are set to same security level, what are you actually firewalling?

Thanks.

Apologies, forgot to mention the security levels.

Inside is on security level 100 and Outside on level 0. Do I still need any NAT in this case, due to the differing security levels when traffic flows across these interfaces?

Traffic will flow from higher security to lower security (INSIDE to OUTSIDE) by default. Those do not in and of themselves require NAT.

Return traffic will be allowed due to there being an existing connection.

OUTSIDE-originated traffic will require an ACL permitting it. Still no NAT necessary though.

Thanks.

Strangely, the traffic flow is fine. But we can't seem to ping the user network 172.16.20.0/24 from within the 3750-X core.

The ASA and 3560 are connected by a /30 link, which is 172.16.15.0/30.

ASA side has 172.16.15.2 & 3560 interface facing ASA has 172.16.15.1.

We are unable to ping ASA interface 172.16.15.2 from within the 3560.

Outside originated traffic has an ACL permitting them in.

Appreciate help on this.

By default an ASA outside interface will not respond to ping (icmp echo request). That requires something like:

ASA(config)#access-list ACL-OUTSIDE extended permit icmp any any

ASA(config)#access-group ACL-OUTSIDE in interface outside

For your pings to the user network, first check if they are being received at the ASA (packet capture tool). If they are, check if they are allowed through (packet tracer tool).
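A tighter version of the ICMP permit above, together with the capture and packet-tracer checks, as an added example that is not part of the thread. The addresses are the ones the poster gave (172.16.15.0/30 link, 172.16.20.0/24 users, 192.168.100.0/24 on VLAN 16); the ACL name, capture name and the .10 host addresses are assumed.

```cisco
! Added example, not from the thread. Interface names follow the poster
! (INSIDE / OUTSIDE); ACL-OUTSIDE, CAP-OUT and the .10 hosts are assumed.

! 1. Outside-originated pings: permit only echo from the user network to
!    VLAN 16 instead of "permit icmp any any", so the outside ACL stays narrow.
access-list ACL-OUTSIDE extended permit icmp 172.16.20.0 255.255.255.0 192.168.100.0 255.255.255.0 echo
access-group ACL-OUTSIDE in interface OUTSIDE

! 2. Pings aimed at the ASA's own OUTSIDE address (to-the-box traffic) are
!    governed by the icmp command rather than the interface ACL. Once any icmp
!    rule exists, everything not listed is dropped, so permit only the 3560's
!    link address.
icmp permit host 172.16.15.1 echo OUTSIDE

! 3. ICMP inspection tracks echo/echo-reply as a connection, so replies to
!    INSIDE-originated pings return without a separate permit on OUTSIDE.
policy-map global_policy
 class inspection_default
  inspect icmp

! 4. Check 1 (packet capture): is the echo from the 3560 reaching the ASA?
capture CAP-OUT interface OUTSIDE match icmp host 172.16.15.1 any
show capture CAP-OUT

! 5. Check 2 (packet tracer): the failing flow, core -> user network.
!    ICMP type 8 code 0 is echo request; the output shows which ACL, NAT
!    or route phase drops it.
packet-tracer input INSIDE icmp 192.168.100.10 8 0 172.16.20.10
```

Remove the capture with `no capture CAP-OUT` once the check is done; captures left in place keep buffering traffic.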
