
New Member

NAT working 1 way but not the other?

Hey guys.

I have an ASA with an outside/inside/DMZ scenario. (TMP-WAN is the DMZ)

I've got the global statements working on both the inside and outside interfaces. PAT on the outside works fine. PAT is also on the inside interface as there are a number of other networks that go through the inside interface (another router on the inside LAN with networks behind it). That also works fine.

I have added static NAT statements for the TMP-WAN interface. I can reach every network out that interface, but not the other way around. I get Deny TCP no connection inbound on TMP-WAN errors. I also get TCP reset-O errors immediately back. Here is the config (attached).

Any insight would be greatly appreciated. I've tried adding another static NAT rule reversing inside and TMP-WAN but to no avail, thinking there was no translation rule coming back in, but it didn't seem to work or I didn't get the syntax correct. Any help would be great.

2 REPLIES
New Member

Re: NAT working 1 way but not the other?

I'm not sure if you need all networks on INSIDE and TMP-WAN to communicate but go ahead and edit this as needed.

no static (TMP-WAN,inside) 10.216.32.0 10.216.32.0 netmask 255.255.255.0
object-group network TMP-WAN
 network-object 10.216.24.0 255.255.255.0
 network-object 10.216.28.0 255.255.255.0
 network-object 10.216.32.0 255.255.255.0
 network-object 10.224.0.0 255.248.0.0
 network-object 10.216.24.0 255.255.255.0
 network-object 10.216.2.0 255.255.255.252
 network-object 10.216.28.0 255.255.255.0
 network-object 10.216.32.0 255.255.255.0
object-group network INSIDE
 network-object 10.216.132.0 255.255.255.0
 network-object 10.216.136.0 255.255.255.0
 network-object 10.216.140.0 255.255.255.0
 network-object 10.216.20.0 255.255.255.0
 network-object 10.216.16.0 255.255.255.0
 network-object 10.216.14.0 255.255.255.0
 network-object 10.216.1.0 255.255.255.0
 network-object 10.216.69.0 255.255.255.0
 network-object 10.216.10.0 255.255.255.0
access-list INSIDE-TO-TMP-WAN permit ip object-group INSIDE object-group TMP-WAN
nat (inside) 0 access-list INSIDE-TO-TMP-WAN
access-list TMP-WAN_nat0_outbound permit ip object-group TMP-WAN object-group INSIDE
clear xlate
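
A small audit of the NAT-exemption pattern used in the reply above, added here as an example and not part of the original thread. It parses the pre-8.3 `nat 0` commands and flags duplicate network-objects, exemption ACLs with no mirrored counterpart or no `nat (if) 0` binding in the snippet, and networks that sit on both sides; the sample is abridged from the reply (the poster's attached config is not on the page) and the function name `audit` is hypothetical.

```python
import ipaddress
import re
from collections import Counter

# Abridged from the reply above (fewer network-objects); not the poster's full config.
CONFIG = """\
object-group network TMP-WAN
 network-object 10.216.24.0 255.255.255.0
 network-object 10.224.0.0 255.248.0.0
 network-object 10.216.24.0 255.255.255.0
object-group network INSIDE
 network-object 10.216.132.0 255.255.255.0
 network-object 10.216.1.0 255.255.255.0
access-list INSIDE-TO-TMP-WAN permit ip object-group INSIDE object-group TMP-WAN
nat (inside) 0 access-list INSIDE-TO-TMP-WAN
access-list TMP-WAN_nat0_outbound permit ip object-group TMP-WAN object-group INSIDE
"""

def audit(config):
    """Return a list of findings for object-group based nat 0 exemption rules."""
    groups, acls, bound, group = {}, {}, {}, None
    for line in config.splitlines():
        tok = line.split()
        if tok[:2] == ["object-group", "network"]:
            group = groups.setdefault(tok[2], [])
        elif tok[:1] == ["network-object"] and group is not None:
            # ip_network accepts "addr/netmask" and rejects entries with host bits set
            group.append(ipaddress.ip_network(f"{tok[1]}/{tok[2]}"))
        elif m := re.match(r"access-list (\S+) permit ip object-group (\S+) object-group (\S+)", line):
            acls[m[1]] = (m[2], m[3])          # ACL name -> (source group, destination group)
        elif m := re.match(r"nat \((\S+)\) 0 access-list (\S+)", line):
            bound[m[2]] = m[1]                 # ACL name -> interface it exempts
    findings = [f"duplicate {net} in object-group {name}"
                for name, nets in groups.items()
                for net, n in Counter(nets).items() if n > 1]
    for name, (src, dst) in acls.items():
        if (dst, src) not in acls.values():    # the reply defines one ACL per direction
            findings.append(f"{name}: no mirrored ACL ({dst} -> {src}) defined")
        if name not in bound:
            findings.append(f"{name}: not bound by a 'nat (if) 0 access-list' line in this snippet")
        for a in groups.get(src, []):
            for b in groups.get(dst, []):
                if a.overlaps(b):              # same network on both sides of the exemption
                    findings.append(f"{name}: {a} ({src}) overlaps {b} ({dst})")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(CONFIG)))
```

A binding that lives elsewhere in the running config will still be reported as missing, so run the check against the full `show running-config` output rather than a fragment.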

New Member

Re: NAT working 1 way but not the other?

One thing to add: you can clean up your config by doing dynamic routing, either OSPF or EIGRP, with the inside router and the ASA.
