07-31-2013 09:55 PM - edited 03-11-2019 07:19 PM
Hi,
We have an ASA connected to an external switch connecting two different networks. I have a query about whether we need to put any kind of NAT statement for traffic between the internal & external network. The brief network flow is:
User Network > Cisco 3560 > ASA > Cisco 3750X-Core switch > Vlan 16
User Network: 172.16.20.0/24
Vlan 16: 192.168.100.0/24
On Cisco 3750X-Core, there is a default route for traffic towards 172.16.20.0/24 network. Similarly, on the 3560 there is a route for traffic towards Vlan 16 pointing to the ASA interface.
Following are the ASA 5585 details:
Inside interface: INSIDE (facing towards the 3750X Core)
Outside interface: OUTSIDE (facing towards the 3560 switch)
There is no NAT configured on the ASA & same-security traffic is permitted. Do we actually need any NAT statement between the inside & outside interfaces for this traffic to flow properly?
Appreciate all inputs.
07-31-2013 10:14 PM
You don't need to NAT if the 192.168.100.0/24 (and upstream networks - that static route needs to be redistributed into any dynamic routing protocols on the 3750X) can properly route to your 172.16.20.0/24 network.
I would ask if INSIDE and OUTSIDE are set to same security level, what are you actually firewalling?
07-31-2013 10:30 PM
Thanks.
Apologies, forgot to mention the security levels.
Inside is on security level 100 & Outside on level 0. Do I still need any NAT in this case, due to differing security levels when traffic flows across these interfaces?
07-31-2013 10:34 PM
Traffic will flow from higher security to lower security (INSIDE to OUTSIDE) by default. Those do not in and of themselves require NAT.
Return traffic will be allowed due to there being an existing connection.
OUTSIDE-originated traffic will require an ACL permitting it. Still no NAT necessary though.
07-31-2013 10:42 PM
Thanks.
Strangely, the traffic flow is fine. But we can't seem to ping the user network 172.16.20.0/24 from within the 3750-X core.
The ASA & 3560 are connected by a /30 link which is 172.16.15.0/30.
ASA side has 172.16.15.2 & 3560 interface facing ASA has 172.16.15.1.
We are unable to ping ASA interface 172.16.15.2 from within the 3560.
Outside originated traffic has an ACL permitting them in.
Appreciate help on this.
07-31-2013 10:54 PM
By default an ASA outside interface will not respond to ping (icmp echo request). That requires something like:
ASA(config)#access-list ACL-OUTSIDE extended permit icmp any any
ASA(config)#access-group ACL-OUTSIDE in interface outside
For your pings to the user network, first check if they are being received at the ASA (packet capture tool). If they are, check if they are allowed through (packet tracer tool).
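Pulling the thread together, here is an added example configuration (not the posters' own config) that covers both questions: routing with no NAT statement, and ICMP handling that lets the 3560 ping the OUTSIDE interface and lets pings cross the ASA, while keeping the OUTSIDE rule narrower than "permit icmp any any". The interface names, the 172.16.20.0/24 and 192.168.100.0/24 networks and the 172.16.15.0/30 link are from the thread; the ASA software version (8.3 or later syntax), the physical interface numbers, the INSIDE transit addresses (10.0.0.0/30) and the two hosts used in the packet-tracer check are assumptions.

```cisco
! Added example, not the posters' configuration. Interface names, the user
! network, Vlan 16 and the /30 link come from the thread; the INSIDE transit
! network 10.0.0.0/30 and the interface numbers are assumed. ASA 8.3+ syntax.

interface GigabitEthernet0/0
 nameif OUTSIDE
 security-level 0
 ip address 172.16.15.2 255.255.255.252
!
interface GigabitEthernet0/1
 nameif INSIDE
 security-level 100
 ip address 10.0.0.2 255.255.255.252       ! assumed transit link to the 3750X core
!
! Routing in place of NAT: with no matching NAT rule the ASA forwards the
! packet untranslated, so a route to each side is all it needs.
route OUTSIDE 172.16.20.0 255.255.255.0 172.16.15.1
route INSIDE  192.168.100.0 255.255.255.0 10.0.0.1

! OUTSIDE-originated traffic needs an ACL. Instead of permitting every ICMP
! type from anywhere, allow only echo from the user network to Vlan 16 and
! log everything else that is dropped, which is what you want to see in the
! syslog when a ping from the core "strangely" fails.
access-list ACL-OUTSIDE extended permit icmp 172.16.20.0 255.255.255.0 192.168.100.0 255.255.255.0 echo
access-list ACL-OUTSIDE extended deny ip any any log
access-group ACL-OUTSIDE in interface OUTSIDE

! ICMP inspection matches echo-replies to the INSIDE-originated request, so
! no OUTSIDE rule for echo-reply is needed for pings from the core to work.
policy-map global_policy
 class inspection_default
  inspect icmp

! Pings addressed to the ASA's own OUTSIDE address (to-the-box traffic) are
! controlled by the icmp command, not by the interface ACL. Only the 3560's
! link address is allowed to ping the interface.
icmp permit host 172.16.15.1 OUTSIDE
icmp deny any OUTSIDE

! Verification in the order the last reply suggests: is the packet arriving,
! and if so, is it allowed through? (172.16.20.10 and 192.168.100.10 are
! assumed hosts.)
capture CAP-ICMP interface OUTSIDE match icmp any any
show capture CAP-ICMP
packet-tracer input OUTSIDE icmp 172.16.20.10 8 0 192.168.100.10 detailed
no capture CAP-ICMP
```

The packet-tracer line simulates an echo request (type 8, code 0) entering OUTSIDE and prints each phase (route lookup, ACL, inspection, NAT) with an ALLOW or DROP verdict, so a ping that reaches the ASA but never comes out the other side shows exactly which phase dropped it. Remove the capture when done; a permanent `match icmp any any` capture on a 5585 is an easy way to fill the capture buffer.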