Cisco Support Community

New Member

Needing help with setting up NAT and ACLs

Hello all,

So here's what I have set up so far:

ASA with a connection to my router into port 0 and an IP address assigned from the router.

The ASA has a subinterface assigned to port 1 with a VLAN of 100 assigned to it.

The ASA has a security context with port 0 assigned as the outside interface and with port 1.100 assigned as the inside interface.

The security context described above is set up to dish out DHCP addresses from a private address space (192.168).

A Catalyst 3500 XL switch with port 24 set up for dot1q trunking and port 1 set up with access to VLAN 100.

Now, here's what I can do so far:

I can plug a machine into port 1 of the switch and get a DHCP address from the security context configured in the ASA, so I know my VLAN trunking is working.

I can ping the inside address of the security context from my machine.

From the ASA I can ping the outside address of the security context as well as the router the ASA is connected to.

And... here's what I can't do:

I can't ping the router the ASA is connected to (which has a routable address) from my machine (which has a private address assigned to it by the security context).

I cannot get to any web sites from my machine.

I'm assuming this all has to do with me not having any NAT rules or ACLs set up in my security context. I attempted to set them up but to no avail. Can anyone give me some suggestions as to how to get this working?


New Member

Re: Needing help with setting up NAT and ACLs

Typically a PIX or ASA will allow you access to all outside IP addresses without having to NAT them (outbound traffic) as long as you have either internal routable IP addresses or you have the following command in place, which NATs all outgoing packets to the external interface IP address:

global 0 (outside)

PAT is now configured

You could also present your entire internal (globally routable) network addresses by configuring the following command:

static (inside,outside)

The above command will allow outside addresses to reach internal addresses.


Re: Needing help with setting up NAT and ACLs

If you're on a private network, trying to ping a public network, you most likely need a couple of things:

1) make sure nat is correct

Something like:

nat (inside) 1

global (outside) 1 interface

Do a clear xlate and then try to ping again.

2) Remember that ICMP is not stateful (unless you have 'inspect icmp' in a policy-map). So an echo-request will go from high to low (inside to outside) without an ACL entry, but the reply coming back will get blocked unless there is an ACL permitting it on the outside interface.


access-list outside-test permit icmp any any echo-reply

access-group outside-test in interface outside


Please rate this message if it helped resolve some or all of your issue.

New Member

Re: Needing help with setting up NAT and ACLs


Thank you for your help, as your recommendations made it possible for me to ping my outside router on the other side of my ASA. However, now I have another question:

As I said, I can now ping the router on the outside of my ASA from a machine on the inside. However, I still cannot reach any websites on the internet. The router only allows a few IP addresses to access web content, but the IP assigned to the outside interface of my ASA is one of those addresses. If all of my private addresses are getting transformed to the outside interface IP address, shouldn't I be able to reach the internet?

Thanks again!


Re: Needing help with setting up NAT and ACLs


Check routing - make sure you have a default route pointing to the router.

Check access-lists - make sure if you do have an access list on your inside interface, that it is allowing the traffic to go through.

Check to make sure that your firewall's interface IP address is allowed and that network is publicly routable and reachable from the internet.


Please rate this message if it helped solve some or all of your issue!
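
The checks from the replies above (matching nat/global IDs, a default route, and a return path for ICMP echo replies), written as a small Python audit over ASA configuration text. This is an added example, not part of the original thread; the sample configuration is constructed, its addresses are placeholders, and the finding names are hypothetical.

```python
import re

# Constructed sample in the nat/global syntax used in the thread; the address
# range is a placeholder, not a value from the original posts.
SAMPLE = """\
nat (inside) 1 192.168.1.0 255.255.255.0
global (outside) 2 interface
access-list outside-test permit icmp any any echo-reply
access-group outside-test in interface outside
"""

def audit(config: str) -> list[str]:
    """Return the thread's checklist items that this config text fails."""
    lines = [ln.strip() for ln in config.splitlines()]
    findings = []

    # 1) Every dynamic nat ID on inside needs a global pool with the same ID
    #    on outside (nat ID 0 means NAT exemption and needs no pool).
    nat_ids = {m.group(1) for ln in lines
               if (m := re.match(r"nat \(inside\) (\d+)\b", ln))} - {"0"}
    global_ids = {m.group(1) for ln in lines
                  if (m := re.match(r"global \(outside\) (\d+)\b", ln))}
    for nat_id in sorted(nat_ids - global_ids):
        findings.append(f"nat-id-{nat_id}-has-no-global")

    # 2) A default route must point out of the outside interface.
    if not any(re.match(r"route outside (0\.0\.0\.0|0) (0\.0\.0\.0|0) \S+", ln)
               for ln in lines):
        findings.append("no-default-route")

    # 3) Echo replies return only via ICMP inspection or an ACL that is bound
    #    inbound on outside. The ACL alone admits any matching echo-reply,
    #    solicited or not, so it is reported when inspection is absent.
    inspected = "inspect icmp" in lines
    bound = {m.group(1) for ln in lines
             if (m := re.match(r"access-group (\S+) in interface outside$", ln))}
    permitted = any((m := re.match(r"access-list (\S+) (?:extended )?permit icmp "
                                   r".*\becho-reply\b", ln)) and m.group(1) in bound
                    for ln in lines)
    if not (inspected or permitted):
        findings.append("icmp-echo-reply-blocked")
    elif permitted and not inspected:
        findings.append("echo-reply-acl-without-inspection")
    return findings
```

Calling `audit(SAMPLE)` reports the mismatched NAT ID, the missing default route, and the reliance on an echo-reply ACL without ICMP inspection.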