Reg. NAT not working

ankurs2008
Level 1

Hi halijenn / NT / Magnus

I have 2 servers, one on the outside and another on the inside of the firewall. The issue is that the server on the inside (10.251.12.1) is able to communicate with the server on the outside (10.253.9.14); however, the vice-versa is not happening. The communication between the 2 devices is tested via ICMP. ICMP from 10.251.12.1 to 10.253.9.14 is happening; however, when I try to ping from 10.253.9.14 it does not happen.

Following is the current config relevant to this issue

1) global (outside) 1 interface

2) Inspect ICMP is enabled for the global_policy and is applied for the service policy

Please let me know if the below config is correct and if it should work.

access-list OUT_IN extended permit icmp host 10.253.9.14 host 10.251.12.1 [ access-group is also applied ]

nat (inside) 0 access-list NONAT
access-list NONAT extended permit ip host 10.251.12.1 host 10.253.9.14

I also know that we can apply Static Identity NAT in place of the above as follows:

static (inside,outside) 10.251.12.1 10.251.12.1

Please help me in getting the config correct.

nat (inside) 1 0.0.0.0 0.0.0.0


4 Replies

Nagaraja Thanthry
Cisco Employee

Hello Ankur,

Since you are trying to open the communication from lower security to higher security, you need an identity NAT translation for the inside server.

static (inside,outside) 10.251.12.1 10.251.12.1 netmask 255.255.255.255

Please make sure that the static does not break any other communication.

Hope this helps.

Regards,

NT

Hi NT

Thanks for looking into this! However, I have a query. Won't the access work with the below config as well, since nat 0 is bidirectional?

nat (inside) 0 access-list NONAT
access-list NONAT extended permit ip host 10.251.12.1 host 10.253.9.14

Correct. You do not need the static in this case, as nat 0 with an ACL is bidirectional.

When the pings do not work one way, what do you see in the syslogs? Is it possible that the Windows firewall is enabled on the inside host, so that it does not respond to pings when pinged from the other?

-KS
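To make the two answers above concrete, here is an added Python model (not Cisco's code and not the thread's own config) of how a pre-8.3 ASA decides the two flows under the configurations discussed: dynamic PAT only, `nat 0` with the NONAT ACL, and the identity static. The `Asa` class, its field names and the string outcomes are constructed for this illustration; the two host addresses are the ones from the thread.

```python
from dataclasses import dataclass

# Constructed model of the pre-8.3 ASA NAT/ACL decision this thread is about.
# An outside-initiated flow (lower -> higher security) must pass the inbound
# ACL on the outside interface AND match a translation that is valid when
# hit from the outside (a "nat 0 access-list" exemption or a static). An
# inside-initiated flow only needs some translation, so dynamic PAT suffices.

INSIDE_SRV, OUTSIDE_SRV = "10.251.12.1", "10.253.9.14"   # hosts from the thread


@dataclass
class Asa:
    out_in: set          # (src, dst) permitted by access-list OUT_IN on outside
    nonat: set           # (inside, outside) pairs exempted by "nat (inside) 0"
    statics: set         # inside hosts with "static (inside,outside) X X"
    dynamic_pat: bool    # "nat (inside) 1 0.0.0.0 0.0.0.0" + "global (outside) 1 interface"

    def inside_to_outside(self, src, dst):
        if (src, dst) in self.nonat or src in self.statics or self.dynamic_pat:
            return "allowed"
        return "dropped: no translation"

    def outside_to_inside(self, src, dst):
        if (src, dst) not in self.out_in:
            return "dropped: denied by OUT_IN"
        # Exemption and static work in both directions; dynamic PAT does not.
        if (dst, src) in self.nonat or dst in self.statics:
            return "allowed"
        return "dropped: no bidirectional translation"


def evaluate(asa):
    """Return the outcome of each direction for one configuration."""
    return {
        "inside->outside": asa.inside_to_outside(INSIDE_SRV, OUTSIDE_SRV),
        "outside->inside": asa.outside_to_inside(OUTSIDE_SRV, INSIDE_SRV),
    }


ACL = {(OUTSIDE_SRV, INSIDE_SRV)}            # access-list OUT_IN applied inbound on outside
CONFIGS = {
    "dynamic PAT only": Asa(ACL, set(), set(), True),
    "nat 0 with NONAT": Asa(ACL, {(INSIDE_SRV, OUTSIDE_SRV)}, set(), True),
    "identity static":  Asa(ACL, set(), {INSIDE_SRV}, True),
}

if __name__ == "__main__":
    for name, asa in CONFIGS.items():
        print(f"{name:18} {evaluate(asa)}")
```

The first configuration reproduces the symptom in the question (inside to outside works, outside to inside is dropped); the other two show why either the exemption or the identity static fixes it, provided the OUT_IN ACL also permits the flow.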

Hi kusankar,

Thanks a ton! I am yet to get the syslogs; however, I will look into the probability of the Windows firewall at the other end. As soon as I get the syslogs or the next update, I will post here.
