08-06-2010 03:15 AM - edited 03-11-2019 11:21 AM
Hi halijenn / NT / Magnus
I have two servers, one on the outside and another on the inside of the firewall. The issue is that the server on the inside (10.251.12.1) is able to communicate with the server on the outside (10.253.9.14); however, the reverse is not happening. The communication between the two devices is tested via ICMP. ICMP from 10.251.12.1 to 10.253.9.14 works; however, when I try to ping from 10.253.9.14 it does not work.
Following is the current config relevant to this issue:
1) global (outside) 1 interface
2) Inspect ICMP is enabled for the global_policy and is applied for the service policy
Please let me know whether the below config is correct and whether it should work.
access-list OUT_IN extended permit icmp host 10.253.9.14 host 10.251.12.1 [ access-group is also applied ]
nat (inside) 0 access-list NONAT
access-list NONAT extended permit ip host 10.251.12.1 host 10.253.9.14
I also know that static identity NAT can be applied in place of the above, as follows:
static (inside,outside) 10.251.12.1 10.251.12.1
nat (inside) 1 0.0.0.0 0.0.0.0
Please help me get the config correct.
08-06-2010 07:03 AM
Hello Ankur,
Since you are trying to open the communication from lower security to higher security, you need an identity NAT translation for the inside server.
static (inside,outside) 10.251.12.1 10.251.12.1 netmask 255.255.255.255
Please make sure that the static does not break any other communication.
Hope this helps.
Regards,
NT
08-08-2010 04:45 AM
Hi NT
Thanks for looking into the same! However, I have a query. Won't the access work with the below config as well, as nat 0 is bidirectional?
nat (inside) 0 access-list NONAT
access-list NONAT extended permit ip host 10.251.12.1 host 10.253.9.14
08-08-2010 04:52 AM
Correct. You do not need the static in this case, as nat 0 with an ACL is bidirectional.
When the pings do not work one way, what do you see in the syslogs? Is it possible that the Windows Firewall is enabled on the inside host, so that it does not respond to pings when pinged from the other?
-KS
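Pulling the thread's pieces together, here is a complete ASA 8.2-style configuration (pre-8.3 NAT syntax, matching the commands in the posts) for the two-host case, followed by the checks KS is asking for. This is an added example, not config posted by any participant: the policy-map and class names are the ASA defaults, the interface names inside/outside come from the posts, and the inbound direction of the access-group is an assumption (the OP only says it is applied).

```cisco
! ASA 8.2-style syntax (pre-8.3 NAT). Assembled as an illustration from
! the lines in this thread; hostnames and unstated details are assumptions.
!
! Option A (what the OP already has): NAT exemption. nat 0 with an ACL is
! bidirectional, so it also covers connections initiated from the outside.
access-list NONAT extended permit ip host 10.251.12.1 host 10.253.9.14
nat (inside) 0 access-list NONAT
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface
!
! Option B (NT's suggestion): identity static for the same host. Equivalent
! for this host pair and NOT needed in addition to Option A.
! static (inside,outside) 10.251.12.1 10.251.12.1 netmask 255.255.255.255
!
! The inbound ACL on outside must permit the lower- to higher-security flow.
! (Direction "in interface outside" is assumed; the OP only says it is applied.)
access-list OUT_IN extended permit icmp host 10.253.9.14 host 10.251.12.1
access-group OUT_IN in interface outside
!
! ICMP inspection makes ICMP stateful, so the echo-reply from 10.251.12.1 is
! matched to the request instead of needing its own ACL entry on inside.
policy-map global_policy
 class inspection_default
  inspect icmp
service-policy global_policy global
!
! --- Verification of the failing direction (outside -> inside) ---
! Simulate an echo request (type 8, code 0) through NAT, ACL and inspection:
packet-tracer input outside icmp 10.253.9.14 8 0 10.251.12.1 detailed
! Expected: every phase reports ALLOW and the NAT-EXEMPT phase matches NONAT.
! A DROP in the NAT phase (syslog %ASA-3-305005 "No translation group found")
! means neither the exemption nor a static matches this pair; a DROP in the
! ACCESS-LIST phase (syslog %ASA-4-106023 "Deny ... by access-group") means
! OUT_IN or the access-group binding is wrong.
! If packet-tracer allows the packet but real pings still fail, the ASA is not
! the drop point; check the host (e.g. Windows Firewall blocking ICMP echo).
show running-config nat
show running-config static
show xlate | include 10.251.12.1
show logging | include 10.253.9.14
```

Run the packet-tracer line first: it walks the exact phase order the ASA applies, so it tells you whether a missing translation or a missing ACL permit is the cause before you start reading syslogs. If both options A and B are present at once the static takes precedence for that host, which is harmless here but worth knowing when NT's caveat about breaking other communication applies.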
08-08-2010 05:04 AM
Hi kusankar ,
Thanks a ton! I am yet to get the syslogs; however, I will look into the possibility of the Windows Firewall at the other end. As soon as I get the syslogs or the next update, I will post here.