Cisco Support Community
Community Member

Reg. NAT not working

Hi halijenn / NT / Magnus

I have 2 servers, one on the outside and another on the inside of the firewall. The issue is that the server on the inside (10.251.12.1) is able to communicate with the server on the outside (10.253.9.14); however, the vice-versa is not happening. The communication between the 2 devices is tested via ICMP. ICMP from 10.251.12.1 to 10.253.9.14 is happening; however, when I try to ping from 10.253.9.14 it does not happen.

Following is the current config relevant to this issue

1) global (outside) 1 interface

2) Inspect ICMP is enabled for the global_policy and is applied for the service policy

Please let me know if the below config is correct and if it should work.

access-list OUT_IN extended permit icmp host 10.253.9.14 host 10.251.12.1 [ access-group is also applied ]

nat (inside) 0 access-list NONAT
access-list NONAT extended permit ip host 10.251.12.1 host 10.253.9.14

I also know that we can apply Static Identity NAT in place of the above, as follows:

static (inside,outside) 10.251.12.1 10.251.12.1

Please help me in getting the config correct.

nat (inside) 1 0.0.0.0 0.0.0.0

4 REPLIES
Cisco Employee

Re: Reg. NAT not working

Hello Ankur,

Since you are trying to open the communication from lower security to higher security, you need an identity NAT translation for the inside server.

static (inside,outside) 10.251.12.1 10.251.12.1 netmask 255.255.255.255

Please make sure that the static does not break any other communication.

Hope this helps.

Regards,

NT

Community Member

Re: Reg. NAT not working

Hi NT

Thanks for looking into the same! However, I have a query. Won't the access work with the below config as well, as nat 0 is bidirectional?

nat (inside) 0 access-list NONAT
access-list NONAT extended permit ip host 10.251.12.1 host 10.253.9.14

Cisco Employee

Re: Reg. NAT not working

Correct. You do not need the static in this case, as nat 0 with an ACL is bidirectional.

When the pings do not work one way, what do you see in the syslogs? Is it possible that the Windows firewall is enabled on the inside host and it does not respond to pings when pinged from the other?

-KS
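The two prerequisites discussed in this thread (an untranslated path via nat 0 or an identity static, and a permitting ACE on the outside interface) can be checked mechanically. The following is an added example, not code from the thread or from Cisco: a small parser for the pre-8.3 ASA lines quoted above that reports, for a given outside-to-inside flow, whether each prerequisite is met. It assumes an `access-group OUT_IN in interface outside` binding (the post says the access-group is applied but does not quote it) and evaluates only any/host/subnet ACEs, ignoring ports.

```python
from ipaddress import ip_address, ip_network
# Constructed sample: the pre-8.3 ASA lines from the thread plus an assumed access-group binding.
CONFIG = """
access-list OUT_IN extended permit icmp host 10.253.9.14 host 10.251.12.1
access-group OUT_IN in interface outside
nat (inside) 0 access-list NONAT
access-list NONAT extended permit ip host 10.251.12.1 host 10.253.9.14
"""

def parse_addr(t, i):
    """ACE address spec (any | host A | A MASK) at t[i] -> (network, index of next token)."""
    if t[i] == "any": return ip_network("0.0.0.0/0"), i + 1
    if t[i] == "host": return ip_network(t[i + 1] + "/32"), i + 2
    return ip_network(f"{t[i]}/{t[i + 1]}", strict=False), i + 2

def parse_config(text):
    acls, nat0, statics, groups = {}, {}, [], {}   # ACEs, nat-0 ACL refs, statics, bindings
    for t in (line.split() for line in text.splitlines() if line.strip()):
        if t[0] == "access-list" and t[2] == "extended":
            src, i = parse_addr(t, 5)
            dst, _ = parse_addr(t, i)
            acls.setdefault(t[1], []).append((t[3], t[4], src, dst))  # (action, proto, src, dst)
        elif t[0] == "access-group":
            groups[t[4]] = t[1]                      # interface -> ACL bound inbound
        elif t[0] == "nat" and t[2] == "0" and t[3] == "access-list":
            nat0[t[1].strip("()")] = t[4]            # real interface -> exemption ACL
        elif t[0] == "static":
            statics.append((t[1].strip("()").split(",")[0], ip_address(t[2]), ip_address(t[3])))
    return acls, nat0, statics, groups

def nat_covers(cfg, real_if, real_ip, peer_ip):
    """True if an identity static or a nat 0 ACE exempts real_ip <-> peer_ip (both are bidirectional)."""
    acls, nat0, statics, _ = cfg
    return (any(i == real_if and r == m == ip_address(real_ip) for i, r, m in statics)
            or any(a == "permit" and ip_address(real_ip) in s and ip_address(peer_ip) in d
                   for a, _, s, d in acls.get(nat0.get(real_if, ""), [])))

def acl_permits(cfg, iface, proto, src_ip, dst_ip):
    """First matching ACE of the ACL bound inbound on iface decides; implicit deny otherwise."""
    acls, _, _, groups = cfg
    for action, p, src, dst in acls.get(groups.get(iface, ""), []):
        if p in (proto, "ip") and ip_address(src_ip) in src and ip_address(dst_ip) in dst:
            return action == "permit"
    return False

def diagnose(text, outside_host, inside_host, proto="icmp"):
    """Which of the two prerequisites for an outside -> inside flow does the config meet?"""
    cfg = parse_config(text)
    return {"nat_exempt": nat_covers(cfg, "inside", inside_host, outside_host),
            "acl_permit": acl_permits(cfg, "outside", proto, outside_host, inside_host)}
```

When both values come back True, as they do for the quoted config, the firewall rules are not the blocker and the syslogs or the host firewall are the next thing to check, as KS suggests.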

Community Member

Re: Reg. NAT not working

Hi kusankar,

Thanks a ton! I am yet to get the syslogs; however, I will look for the probability of the Windows firewall at the other end. As soon as I get the syslogs or the next update, I will post here.
