Cisco Support Community
Community Member

static nat access issues

In the attached configuration on an ASA 5510, traffic will not pass through the firewall from computers assigned to static NAT. Tested from IP 192.168.100.99 with DNS and WWW, and cannot ping hosts on the DMZ.

8 REPLIES
Community Member

Re: static nat access issues

Sorry, config attached.

Re: static nat access issues

Hi Dennis,

Please add the following:

access-list LAN_access_in line 2 permit ip 192.168.100.0 255.255.255.0 10.100.100.0 255.255.255.0
policy-map global_policy
 class inspection_default
  inspect icmp

I also strongly recommend upgrading your IOS to at least 7.2(2).

Regards

Community Member

Re: static nat access issues

This did not help.

Have upgraded to 7.2 and can now ping to the DMZ, but all access to the WAN is blocked on any host where a static NAT rule applies, e.g. host 192.168.100.99 cannot access external web pages but host 192.168.100.33 can. Have also tested from the WAN side; all static rules seem to be working properly, I can access the HTTPS web server from the WAN address.

Have attached a new copy of the running config, please HELP!!!!

Re: static nat access issues

Your static NAT rules contain 192.168.100.199 and 192.168.100.133 (One Hundred and Thirty Three).

Yet you are trying to test using 192.168.100.99 and 192.168.100.33; these will be subject to the PAT (global command) and not the NAT.

Even then that should work fine.

Regards

Farrukh

Community Member

Re: static nat access issues

I checked the config I posted and you are correct; it seems that I must have deleted the static NAT rule I was testing with. I will have to verify the running config on the firewall and then retest. Thank you for the response. I also have a question: everything on this config works except traffic from hosts with a static route to the WAN interface. On the hosts the firewall is not configured as the primary gateway. The primary gateway is 192.168.100.1, which then routes all traffic not specified by a route statement to the firewall at 192.168.100.232. Could this be the problem? If so, can I fix this without changing the hosts' gateway, as they do not communicate well with our internal network that way?

Re: static nat access issues

You could enable proxy ARP on the primary gateway's interface on which these hosts are connected. But proxy ARP is not part of good network design.

Regards

Farrukh

Community Member

Re: static nat access issues

I will keep that in mind, but should this work set up the way it is now??

Should I maybe put all hosts that need static NAT on the DMZ interface, where the firewall is the gateway?

Re: static nat access issues

As a general rule, hosts that require Outside >> Internal access are placed in the DMZ; other hosts that just need Inside >> Internet access need not be placed in the DMZ.

All other hosts not covered by static NAT should go out fine using the dynamic NAT (nat (inside)) statement, as long as they can reach their default gateway properly (or the routing is OK).

Regards

Farrukh
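To make the static-versus-PAT point and the ACL/ICMP suggestion from this thread concrete, here is an added ASA 7.2(x) configuration fragment (not the poster's config and not from Cisco). The interface names, security levels, the DMZ interface address 10.100.100.1 and the public addresses 203.0.113.x are assumptions; only the inside subnet, the two static hosts, the firewall's inside address and the ACL name come from the thread.

```cisco
! Added example, not the thread's running config. Interface names,
! security levels, 10.100.100.1 and 203.0.113.x are assumed values.
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.248
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.100.232 255.255.255.0
interface Ethernet0/2
 nameif dmz
 security-level 50
 ip address 10.100.100.1 255.255.255.0
!
! Static NAT: only these two inside hosts get a one-to-one public address,
! which is also what allows Outside >> Internal sessions to reach them.
static (inside,outside) 203.0.113.3 192.168.100.133 netmask 255.255.255.255
static (inside,outside) 203.0.113.4 192.168.100.199 netmask 255.255.255.255
!
! Every other inside host (e.g. .99 and .33) is not matched by a static,
! so it falls through to the nat/global pair, i.e. dynamic PAT on the
! outside interface address.
nat (inside) 1 192.168.100.0 255.255.255.0
global (outside) 1 interface
!
! Inside >> DMZ permit proposed in the thread. The existing line 1 of the
! ACL (Internet access) is not shown; an applied ACL ends in implicit deny.
access-list LAN_access_in extended permit ip 192.168.100.0 255.255.255.0 10.100.100.0 255.255.255.0
access-group LAN_access_in in interface inside
!
! ICMP inspection pairs echo replies with outbound echo requests, so pings
! to the DMZ work without an explicit return-traffic ACL entry.
policy-map global_policy
 class inspection_default
  inspect icmp
!
! Default route towards the ISP. None of the above applies to a host unless
! its packets actually reach 192.168.100.232, whether it points at the
! firewall directly or via 192.168.100.1 forwarding to it.
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
```

Verify which translation a given inside host is actually using with `show xlate` after generating traffic from it: a static host shows its fixed public address, a PAT host shows the outside interface address with a port.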
