03-02-2009 10:52 AM - edited 03-11-2019 07:59 AM
I have an ASA 5510. Its firmware version is 8.0(3). I have very simple setup on it but my laptop (on inside interface) can't ping outside devices...
Here are the commands I typed in. The rest in the show run are all default...
interface Ethernet0/0
nameif outside
security-level 100
ip address 2.2.2.1 255.255.255.0
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 10.2.1.1 255.255.255.0
!
access-list ACL-outside extended permit icmp any any
access-list ACL-inside extended permit icmp any any
access-list ACL-inside extended permit ip any any
!
global (outside) 1 interface
nat (inside) 1 10.2.1.0 255.255.255.0 outside
static (inside,outside) 2.2.2.2 10.2.1.2 netmask 255.255.255.255
access-group ACL-outside in interface outside
access-group ACL-inside in interface inside
route outside 0.0.0.0 0.0.0.0 2.2.2.254 1
!
I have an outside host 1.1.1.1. I can ping it from the ASA. However my inside laptop 10.2.1.2 can't ping it...
In the "show nat" output translate_hits = 0.
In the "show logging" output I do see a bunch of "%ASA-3-106014: Deny inbound icmp src inside:10.2.1.2 dst outside:1.1.1.1 (type 8, code 0)" errors.
That's why I made an access-list ACL-inside to permit anything, but still no go. The hit count of the ACL is 0...
I am very frustrated... Please help! Should be easy for you guys! Thanks a lot!
Difan
03-02-2009 11:38 AM
The security level on your outside interface should be 0, not 100.
HTH,
Paul
03-02-2009 11:45 AM
Hi,
The problem is with your security levels.
By default the ASA won't route traffic between two interfaces of the same security level.
Either change the outside interface to 0 (it should be anyway) or enter the following command:
same-security-traffic permit inter-interface
Also, not sure you need the "outside" parameter on your nat (inside) statement???
Regards
James
03-02-2009 01:06 PM
Hi James,
I have no idea. I was struggling to make it work so I tried different commands and parameters... Do you mind telling me what the "outside" is for in the nat (inside) statement? Seems it didn't affect anything...
Thanks,
Difan
03-02-2009 04:39 PM
Difan
The "outside" keyword is used when you are doing dynamic NAT from a lower-security interface to a higher-security interface, e.g.
nat (outside) 1 192.168.5.0 255.255.255.0 outside
global (inside) 1 interface
OR
nat (dmz) 1 192.168.5.0 255.255.255.0 outside
global (inside) 1 interface
In both of the above examples the NAT is occurring from a lower-security interface to a higher-security interface.
The most common use of this sort of dynamic NAT is
nat (inside) 1 192.168.5.0 255.255.255.0
global (outside) 1 interface
Here the NAT is occurring from a higher- to a lower-security interface, so you do not need the "outside" at the end of your NAT statement.
Jon
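Putting James's and Jon's answers together, here is what the corrected configuration looks like for the addressing used in the thread. This is an added example written for this page, not the config Difan or the repliers posted; the `inspect icmp` lines and the ICMP-only inbound ACL are my additions and the 192.168.5.0/24 subnet in the outside-NAT section is Jon's illustration, not part of Difan's setup.

```cisco
! --- Security levels: outside must be lower than inside, otherwise the ASA
! --- drops inter-interface traffic unless same-security-traffic is enabled.
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 2.2.2.1 255.255.255.0
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.2.1.1 255.255.255.0
!
! Alternative if both interfaces really must stay at the same level
! (not recommended for inside/outside; shown only for completeness):
! same-security-traffic permit inter-interface
!
! --- NAT, higher (inside) to lower (outside): no trailing "outside" keyword.
global (outside) 1 interface
nat (inside) 1 10.2.1.0 255.255.255.0
! Static one-to-one for the laptop; static entries take precedence over the
! dynamic rule above, so 10.2.1.2 leaves as 2.2.2.2 and everything else is
! PATed behind the outside interface address.
static (inside,outside) 2.2.2.2 10.2.1.2 netmask 255.255.255.255
!
! --- The form Jon describes, lower (outside) to higher (inside), is the one
! --- that needs the trailing "outside" keyword (outside NAT). Hypothetical,
! --- not part of Difan's setup:
! nat (outside) 1 192.168.5.0 255.255.255.0 outside
! global (inside) 1 interface
!
route outside 0.0.0.0 0.0.0.0 2.2.2.254 1
!
! --- Make ICMP stateful so echo-replies to inside pings are allowed back by
! --- the connection table instead of by an open inbound ACL.
policy-map global_policy
 class inspection_default
  inspect icmp
!
! --- With "inspect icmp" in place the outside ACL does not need
! --- "permit icmp any any"; keep it minimal (for example, nothing inbound
! --- beyond what the static for 2.2.2.2 really requires).
access-list ACL-inside extended permit ip 10.2.1.0 255.255.255.0 any
access-group ACL-inside in interface inside
```

Two points a practitioner would check after applying this. First, `show nat` should now show non-zero translate_hits for 10.2.1.0/24 (or the static) once the laptop pings out. Second, the original `access-list ACL-outside extended permit icmp any any` let any outside host send ICMP to the statically mapped 2.2.2.2 and, combined with the 100/100 security levels, was masking the real problem; with the levels fixed and ICMP inspection on, that inbound permit is no longer needed and is better left out.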
03-02-2009 01:02 PM
Thank you guys! It worked!