Cisco Support Community
New Member

New to ASA. Can't make NAT/PAT to work..

I have an ASA 5510. Its firmware version is 8.0(3). I have a very simple setup on it but my laptop (on inside interface) can't ping outside devices...

Here are the commands I typed in. The rest in the show run are all default...

interface Ethernet0/0

nameif outside

security-level 100

ip address 2.2.2.1 255.255.255.0

!

interface Ethernet0/1

nameif inside

security-level 100

ip address 10.2.1.1 255.255.255.0

!

access-list ACL-outside extended permit icmp any any

access-list ACL-inside extended permit icmp any any

access-list ACL-inside extended permit ip any any

!

global (outside) 1 interface

nat (inside) 1 10.2.1.0 255.255.255.0 outside

static (inside,outside) 2.2.2.2 10.2.1.2 netmask 255.255.255.255

access-group ACL-outside in interface outside

access-group ACL-inside in interface inside

route outside 0.0.0.0 0.0.0.0 2.2.2.254 1

!

I have an outside host 1.1.1.1. I can ping it from the ASA. However my inside laptop 10.2.1.2 can't ping it...

In the "show nat" output translate_hits = 0.

In the "show logging" I do see a bunch of "%ASA-3-106014: Deny inbound icmp src inside:10.2.1.2 dst outside:1.1.1.1 (type 8, code 0)" errors.

That's why I made an access-list ACL-inside to permit anything but still no go. The hitcount of the ACL is 0...

I am very frustrated... Please help! Should be easy for you guys! Thanks a lot!

Difan

2 ACCEPTED SOLUTIONS

Accepted Solutions
New Member

Re: New to ASA. Can't make NAT/PAT to work..

The security level on your outside interface should be 0, not 100.

HTH,

Paul

Bronze

Re: New to ASA. Can't make NAT/PAT to work..

Hi,

The problem is with your security levels.

By default ASA won't route traffic between two interfaces of the same security level.

Either change the outside interface to be 0 (should be anyway) or enter the following command:

same-security-traffic permit inter-interface

Also not sure you need the "outside" parameter on your nat (inside) statement???

Regards

James

6 REPLIES
New Member

Re: New to ASA. Can't make NAT/PAT to work..

Hi James,

I have no idea. I was struggling to make it work so I tried different commands and parameters... Do you mind telling me what the "outside" is for in the nat (inside) statement? Seems it didn't affect anything...

Thanks,

Difan

New Member

Re: New to ASA. Can't make NAT/PAT to work..

I have no idea... I was struggling to make it work so I tried different parameters... Do you mind telling me what the "outside" is for in the nat (inside) statement?

Thanks!

Difan

Hall of Fame Super Blue

Re: New to ASA. Can't make NAT/PAT to work..

Difan

The "outside" is used when you are using dynamic NAT on a lower to higher security interface, e.g.

nat (outside) 1 192.168.5.0 255.255.255.0 outside

global (inside) 1 interface

OR

nat (dmz) 1 192.168.5.0 255.255.255.0 outside

global (inside) 1 interface

In both the above examples the NAT is occurring from a lower security interface to a higher security interface.

The most common use of this sort of dynamic NAT is

nat (inside) 1 192.168.5.0 255.255.255.0

global (outside) 1 interface

Here the NAT is occurring from a higher to a lower security interface so you do not need the "outside" at the end of your NAT statement.

Jon

New Member

Re: New to ASA. Can't make NAT/PAT to work..

Thank you guys! It worked!
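As an added example (not posted by anyone in this thread, and not Cisco tooling), the two points from the replies above can be checked mechanically against the 8.0-style configuration from the question: interfaces that share a security level without same-security-traffic permit inter-interface, and a nat statement carrying the "outside" keyword although it translates from a higher to a lower security interface. The function names are made up for this example, and the sample is a shortened copy of the posted config.

```python
import re

# Constructed sample: the relevant lines of the configuration from the question.
SAMPLE_CONFIG = """\
interface Ethernet0/0
 nameif outside
 security-level 100
 ip address 2.2.2.1 255.255.255.0
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.2.1.1 255.255.255.0
!
global (outside) 1 interface
nat (inside) 1 10.2.1.0 255.255.255.0 outside
"""

def parse_levels(config):
    """Map each nameif to its security-level (nameif precedes it in show run)."""
    levels, name = {}, None
    for line in map(str.strip, config.splitlines()):
        if line.startswith("interface "):
            name = None
        elif m := re.fullmatch(r"nameif (\S+)", line):
            name = m.group(1)
        elif (m := re.fullmatch(r"security-level (\d+)", line)) and name:
            levels[name] = int(m.group(1))
    return levels

def audit(config):
    """Return findings for the two issues raised in the thread."""
    findings, levels = [], parse_levels(config)
    permit_same = "same-security-traffic permit inter-interface" in config
    names = sorted(levels)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if levels[a] == levels[b] and not permit_same:
                findings.append(f"{a} and {b} share security-level {levels[a]}: "
                                "traffic between them is denied by default")
    # nat lines ending in the 'outside' keyword, matched to a global by NAT id
    for n in re.finditer(r"^nat \((\S+)\) (\d+) .*\boutside[ \t]*$", config, re.M):
        src, nat_id = n.groups()
        for g in re.finditer(rf"^global \((\S+)\) {nat_id} ", config, re.M):
            dst = g.group(1)
            if src in levels and dst in levels and levels[src] > levels[dst]:
                findings.append(f"nat ({src}) {nat_id}: 'outside' keyword not needed, "
                                f"{src} ({levels[src]}) is higher than {dst} ({levels[dst]})")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_CONFIG)) or "no findings")
```

On the config as posted only the shared security level is reported; once outside is set to 0, the check flags the trailing "outside" on the nat (inside) line instead.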
