ASA 5505 and some strange configuration

pierguido75
Level 1

Hi.

I'm trying to set up an ASA 5505 with some kind of strange NAT.

This is the situation right now:


net inside ------------------[ASA 5505]------------------[ISP router]
(192.1.2.0/24)      192.1.2.253   |   75.XXX.XXX.61      75.XXX.XXX.57
                                  |
                                  |
                             [cisco device]------------------ net vpn
                                                       (192.168.200.0/24)


Between the cisco device and my ASA there's a VPN and it's working great.

What I wanted to do was to NAT everything coming from the net vpn (192.168.200.0/24) to the inside interface on the ASA.

I did it and it works.

But what I cannot make work is this: from my net (192.1.2.0/24) I cannot ping any host on the net vpn (192.168.200.0/24).


In the config I did this:

access-list nonat extended permit ip 192.1.2.0 255.255.255.0 192.168.200.0 255.255.255.0
access-list outside_crypto_map_20 extended permit ip 192.1.2.0 255.255.255.0 192.168.200.0 255.255.255.0

global (inside) 2 interface
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
nat (outside) 2 192.168.200.0 255.255.255.0 outside

Thanks for the help.

Pier

2 Replies

pudawat
Level 1

It seems that you are using outside NAT to PAT all the traffic coming from the client network 192.168.200.x to the inside interface IP.

Whenever any host from the 192.168.200.x network initiates a connection to the inside network, an XLATE entry is created in the firewall and the client can access anything on the inside network, since the firewall is a stateful device.

But if someone tries to initiate a connection from the inside network to the client network 192.168.200.x, it cannot find the IP based on port-based translations, so it will work only one way!

Regards,

Pradhuman

Thank you... that was what I was thinking too.

But if something is coming from the inside net, shouldn't it match the nat 0 access-list?

And then not apply NAT to those packets?


Pier
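An added illustration (not part of the thread, not posted by either participant) of the point Pradhuman makes and the question Pier asks back: the posted rules use pre-8.3 nat/global syntax, and in that model `nat (inside) 0 access-list nonat` only exempts the *source* 192.1.2.0/24 from translation; the *destination* 192.168.200.0/24 is still owned by the dynamic outside PAT rule, and a dynamic PAT has no forward entry until an outside host creates one. The host addresses 192.1.2.10 and 192.168.200.10 are hypothetical, and the static identity rule at the end is one standard way to make the translation bidirectional, written here as an assumption rather than something the thread settled on.

```cisco
! Posted rules (pre-8.3 syntax), annotated. A dynamic outside PAT is one-way:
! 192.168.200.x -> inside builds an xlate on demand, hidden behind 192.1.2.253,
! but there is no forward mapping that inside -> 192.168.200.x could use.
global (inside) 2 interface
nat (outside) 2 192.168.200.0 255.255.255.0 outside
! nat 0 exempts the SOURCE 192.1.2.0/24 from translation; it says nothing
! about the destination, which is still matched by the outside PAT rule above.
nat (inside) 0 access-list nonat

! Checks from the ASA CLI (hypothetical hosts 192.1.2.10 and 192.168.200.10):
! 1. Let 192.168.200.10 ping 192.1.2.10, then look at the translation slot;
!    expect a PAT entry mapping 192.168.200.10 to 192.1.2.253/<port>.
show xlate
! 2. Trace the reverse direction; the NAT phase of the output shows the drop.
packet-tracer input inside icmp 192.1.2.10 8 0 192.168.200.10

! Bidirectional alternative (assumption, not from the thread): replace the
! dynamic outside PAT with a static identity translation, so the VPN network
! keeps its real addresses on both sides and either side can open connections.
! This assumes the remote peer routes and encrypts 192.1.2.0/24, which its
! mirror of access-list outside_crypto_map_20 must already do.
no nat (outside) 2 192.168.200.0 255.255.255.0 outside
no global (inside) 2 interface
static (outside,inside) 192.168.200.0 192.168.200.0 netmask 255.255.255.0
```

The trade-off is the one Pier is implicitly choosing between: hiding the VPN network behind the inside interface address is exactly what prevents inside-initiated connections, so the static identity rule gives up that hiding (remote hosts then see real 192.1.2.x addresses) in exchange for traffic in both directions. Run `packet-tracer` again after the change to confirm the NAT phase now passes.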
