Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

ASA 8.2 ,NAT

Hi All.Need assisstance on this issue.I am working on ASA 8.2. We have a public block for customer 199.199.199.0/24 pointed to ASA .

Now customer wants access from 199.199.199.21 to 199.199.199.15 . He is coming from private ip address 10.1.100.58 trying to access public ip address 199.199.199.15.But its not working. Subnet 199.199.199.0/24 is NATed and on ASA its learned via default i.e OUTSIDE .Customer cannot access the public ip address 199.199.199.15 ,as he is coming from 10.1.100.58 then NATed to 199.199.199.21 .So its like,he is coming on Outside interface and going to Outside interface. This setup is not working.

 

Below is the rough setup:

C    10.1.100.0 255.255.255.0 is directly connected, inside
C    10.1.200.0 255.255.252.0 is directly connected, dmz

 

static (inside,outside) 199.199.199.21 10.1.100.58 netmask 255.255.255.255 
static (dmz,outside) 199.199.199.15 10.1.200.15 netmask 255.255.255.255 

 

nat (inside) 0 access-list nat_exempt
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz) 1 0.0.0.0 0.0.0.0
nat (VPN-zone) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface

 

access-list nat_exempt extended permit ip any host 199.199.199.15 log 

 

 

4 REPLIES
New Member

Hi!In ASDM you can use Packet

Hi!

In ASDM you can use Packet Tracer to check where the packet gets stuck. 

I always use that feature to check any problems when I am not sure what to do. 

/Lajja1234

New Member

Thankyou Lajja

Thankyou Lajja

Hi,If you access from Inside

Hi,

If you access from Inside to DMZ..... He can be able to do that using its private ip address....

say he can access from 10.1.100.58 to 10.1.200.15.....

for this we need to have a no-nat rule between these private ip's

access-list no-nat permit ip host 10.1.100.58 host 10.1.200.15

nat (inside) 0 access-list no-nat

 

Also you need to allow it in the access-list which you put for outbound traffic... i.e. on the inside interface binded acl...

 

Other option is to do DNS doctoring.....

Regards

Karthik

 

 

 

New Member

Thankyou nkarthikeyan 

Thankyou nkarthikeyan

 

49
Views
0
Helpful
4
Replies