05-07-2010 03:33 PM - edited 03-04-2019 08:24 AM
I can't get the AirDMZ network to talk to inside network. What am I missing here?
interface GigabitEthernet0/0
speed 100
nameif Outside
security-level 0
ip address 12.157.178.130 255.255.255.128
ospf cost 10
!
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 10.1.1.9 255.255.240.0
ospf cost 10
!
interface GigabitEthernet0/2
nameif AirDMZ
security-level 100
ip address 192.168.3.9 255.255.255.0
ospf cost 10
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list outbound_AirDMZ extended permit ip any any
access-list inside extended permit icmp any any
access-list inbound_AirDMZ extended deny tcp any any eq 445
access-list inbound_AirDMZ extended permit ip any any
global (Outside) 1 interface
global (AirDMZ) 1 interface
nat (Outside) 0 access-list natout
nat (Outside) 1 access-list outsidenat
nat (inside) 0 access-list no-nat
nat (inside) 1 0.0.0.0 0.0.0.0
nat (AirDMZ) 1 192.168.3.0 255.255.255.0
static (inside,AirDMZ) 192.168.3.0 192.168.3.0 netmask 255.255.255.0
access-group outside_acl in interface Outside
access-group inside_acl in interface inside
access-group inbound_AirDMZ in interface AirDMZ
access-group outbound_AirDMZ out interface AirDMZ
05-07-2010 05:21 PM
The following static statement is incorrect:
static (inside,AirDMZ) 192.168.3.0 192.168.3.0 netmask 255.255.255.0
It should be changed to:
static (inside,AirDMZ) 10.1.1.0 10.1.1.0 netmask 255.255.240.0
"clear xlate" after the above changes, and AirDMZ should be able to communicate with the inside network.
Hope that helps.
05-07-2010 05:29 PM
It didn't help.
I did a packet trace; it stops here:
NAT
match ip AirDMZ 192.168.3.0 255.255.255.0 inside any
dynamic translation to pool 1 (No matching global)
translate_hits = 1858, untranslate_hits = 0
RESULT - The packet is dropped.
05-07-2010 06:37 PM
Try the following:
1) Remove "nat (AirDMZ) 1 192.168.3.0 255.255.255.0"
2) clear xlate
3) Test the connection from AirDMZ towards inside
4) Re-add "nat (AirDMZ) 1 192.168.3.0 255.255.255.0" for the AirDMZ network to browse the Internet
What version of ASA are you running? Might be a bug if it's matching the dynamic NAT instead of the static, as static NAT should take precedence over dynamic NAT.
Also, please share the latest of the following outputs if it still doesn't work:
sh run nat
sh run global
sh run static
and all ACLs that are referenced in the above show outputs. Thanks.
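To make the "No matching global" result in the packet-tracer output concrete, here is an added example (not from this thread or from Cisco) that models the pre-8.3 ASA source-NAT lookup order in Python: nat 0 exemption first, then static, then dynamic nat, which needs a global with the same id on the egress interface. It applies that model to the posted configuration, to step 1 of the last reply (the AirDMZ nat statement removed), and to a hypothetical nat 0 exemption; it assumes nat-control is disabled (the default), so a flow matching no nat rule passes untranslated.

```python
# Added example, not from the thread: a simplified model of the pre-8.3 ASA
# source-NAT lookup order (nat 0 exemption, then static, then dynamic nat that
# needs a matching global on the egress interface), applied to the posted config.
# Assumes nat-control is disabled (the default), so unmatched flows pass.
import ipaddress


def in_net(ip, net):
    return ipaddress.ip_address(ip) in ipaddress.ip_network(net, strict=False)


def lookup_nat(cfg, src_if, src_ip, dst_if, dst_ip):
    """Describe how the source address of this flow would be handled."""
    # 1. nat 0 access-list (exemption): matching flows are never translated.
    for ifc, src_net, dst_net in cfg["exempt"]:
        if ifc == src_if and in_net(src_ip, src_net) and in_net(dst_ip, dst_net):
            return "exempt (nat 0)"
    # 2. static (real_if,mapped_if): evaluated before any dynamic nat.
    for real_if, mapped_if, real_net in cfg["static"]:
        if real_if == src_if and mapped_if == dst_if and in_net(src_ip, real_net):
            return "static"
    # 3. dynamic nat: the pool id must have a global on the egress interface.
    for ifc, nat_id, net in cfg["nat"]:
        if ifc == src_if and in_net(src_ip, net):
            if (dst_if, nat_id) in cfg["global"]:
                return f"dynamic pool {nat_id}"
            return f"dynamic pool {nat_id} (No matching global): drop"
    return "no nat rule (passes untranslated)"


# The posted configuration, reduced to the statements that affect inside/AirDMZ.
POSTED = {
    "exempt": [],
    "static": [("inside", "AirDMZ", "192.168.3.0/24")],
    "nat": [("inside", 1, "0.0.0.0/0"), ("AirDMZ", 1, "192.168.3.0/24")],
    "global": {("Outside", 1), ("AirDMZ", 1)},
}
# Step 1 of the last reply: the AirDMZ dynamic nat statement removed.
WITHOUT_DMZ_NAT = dict(POSTED, nat=[("inside", 1, "0.0.0.0/0")])
# Hypothetical alternative: keep that nat statement but exempt AirDMZ->inside
# flows with a nat 0 access-list (networks taken from the posted interfaces).
WITH_EXEMPTION = dict(POSTED, exempt=[("AirDMZ", "192.168.3.0/24", "10.1.0.0/20")])

if __name__ == "__main__":
    for name, cfg in [("posted", POSTED), ("nat removed", WITHOUT_DMZ_NAT),
                      ("nat 0 exemption", WITH_EXEMPTION)]:
        print(f"{name:16} AirDMZ->inside:",
              lookup_nat(cfg, "AirDMZ", "192.168.3.50", "inside", "10.1.1.20"))
```

The model only covers the source-address lookup, which is the phase the posted packet-tracer output shows failing; destination un-translation is not modelled.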