
NAT inside to inside interface

Hi All,

A bit of a problem with NATting - ASA 5500 ASDM 6.2.

I have 3 interfaces: outside, inside, inside1. Outside routes to inside interface, where both interfaces are on public IPs, so no nat control.

The new inside1 interface I want to be on priv network 10.100.10.0/24. Now I want to NAT public IP from inside interface to priv IP on inside2.

Basically NATting must occur between inside and inside2 - on priv IP there is web server.

Can I do it somehow without the nat enabling command? I just need NAT for a few IPs.

TIA for any help.

Marcin


Re: NAt inside to inside interface

afaik and can remember the nat control is only required when you are going from a higher security interface to a lower security interface. Without nat control - you still should be able to configure a translation between two interfaces with the same security level?


Re: NAt inside to inside interface

Just double checked an old config - and you can still configure NAT in the normal way even with nat-control turned off.

NAt inside to inside interface

Hi, thanks for reply.

I can confirm both inside interfaces are on 100 security level. I want simple 1 to 1 IP translation.

So should I go like that:

config# static (inside,inside1) ip_of_inside1 ip_of_inside netmask 255.255.255.255 ???

Does it make any difference, if inside interface is on vlan, and inside1 interface is on native?

Re: NAt inside to inside interface

yes that should work, and the vlan to native should be ok


Re: NAt inside to inside interface

Hi,

I did that. I cannot browse to web on server on inside1 or I cannot browse internet being on that server.

Any ideas?

TIA

Re: NAt inside to inside interface

what are you actually trying to do, do you want the server on inside 1 to have an ip address in the same range of the inside?


NAt inside to inside interface

Hi,

Outside int is on public /30 network and routes to inside also public network /27 network.

Now, inside1 interface is on 10.100.10.0/24 priv network range. (as I mentioned before inside and inside1 are both on security 100)

So I want NAT only few IPs from inside (/27) to priv range on inside1.

Should this be doable?

NAt inside to inside interface

So you have configured your NAT - but it is not working. Did you configure the setting to allow traffic between 2 interfaces with the same security level?

same-security-traffic permit inter-interface

?

NAt inside to inside interface

Yes,

I have:

same-security-traffic permit inter-interface...and

same-security-traffic permit intra-interface

NAt inside to inside interface

Post your NAT & Interface Config

Re: NAt inside to inside interface

Here we go:

interface Ethernet0/0.21

description inside

nameif Inside

security-level 100

ip address 83.89.38.193 255.255.255.192

!

interface Ethernet0/0.23

description outside

nameif Outside

security-level 0

ip address 83.89.92.46 255.255.255.252

!

interface Ethernet0/1

description For NATting

nameif inside1

security-level 100

ip address 10.100.10.1 255.255.255.0

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

access-list Inside1_access_in extended permit object-group DM_INLINE_PROTOCOL_1 83.89.38.193 255.255.255.192 host 10.100.10.2

access-list Inside1_access_in extended permit ip any host 10.100.10.2

static (Inside,Inside1) 10.100.10.2 83.89.92.250 netmask 255.255.255.255 dns

static (Inside1,Inside) 83.89.92.250 10.100.10.2 netmask 255.255.255.255 dns

route Outside 0.0.0.0 0.0.0.0 83.89.92.45 1

service-policy global_policy global

Re: NAt inside to inside interface

Remove

static (Inside,Inside1) 10.100.10.2 83.89.92.250 netmask 255.255.255.255 dns

The correct NAT is

static (Inside1,Inside) 83.89.92.250 10.100.10.2 netmask 255.255.255.255

Re: NAt inside to inside interface

Hi,

Thanks for that but no luck. I even tried to ping from server on inside net to server with IP 10.100.10.2 - no luck, and from inside net server I cannot even ping interface IP of 10.100.10.1

Of course I can ping from 10.100.10.2 to 10.100.10.1, this seems to be fine.

After applying this:

static (Inside1,Inside) 83.89.92.250 10.100.10.2 netmask 255.255.255.255 - on ASDM it appears as inside1 is original source and inside as translated. I am assuming that's correct.

But, still doesn't work.

Re: NAt inside to inside interface

There is some joy!

I can ping from servers on inside to inside1 pinging 83.89.92.250

NAT is working because I deleted the rule and could not ping, then created the NAT rule again and it was working.

But I still cannot browse to 83.89.92.250 aka 10.100.10.2 from outside. On the outside int, access rules allow any traffic on port 80 to any on the inside int. Do you think I should allow to inside1 as well, or with NATting this should not be necessary?

Re: NAt inside to inside interface

if you want the device to be available from the outside - you need to:-

1) Allow access via an access-list - as the outside is security 0 and Inside1 is security 100

2) You need to have a NAT in place - you could perform PAT on the outside - or try and use the same NAT IP as the inside so something like

static (Inside1,outside) 83.89.92.250 10.100.10.2 netmask 255.255.255.255
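
Added example, not part of the thread or of any Cisco tooling: a small Python audit of pre-8.3 `static (real_ifc,mapped_ifc) mapped_ip real_ip` rules that flags the mirrored pair removed earlier in the thread and reports whether a host has a translation toward a given interface. The sample config is constructed from the lines posted above; matching interface names case-insensitively is an assumption of this sketch.

```python
import re

# Constructed sample: the two static rules from the posted config (ASA pre-8.3 syntax).
SAMPLE_CONFIG = """\
static (Inside,Inside1) 10.100.10.2 83.89.92.250 netmask 255.255.255.255 dns
static (Inside1,Inside) 83.89.92.250 10.100.10.2 netmask 255.255.255.255 dns
"""

# static (real_ifc,mapped_ifc) mapped_ip real_ip netmask mask [dns]
STATIC_RE = re.compile(
    r"^static\s+\((\S+?),(\S+?)\)\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\b",
    re.IGNORECASE,
)

def parse_statics(config):
    """Return one dict per static host rule; interface names are lower-cased."""
    rules = []
    for line in config.splitlines():
        m = STATIC_RE.match(line.strip())
        if m:
            real_if, mapped_if, mapped_ip, real_ip = m.groups()
            rules.append({"real_if": real_if.lower(), "mapped_if": mapped_if.lower(),
                          "mapped_ip": mapped_ip, "real_ip": real_ip})
    return rules

def mirrored_pairs(rules):
    """Pairs where one rule is the other with interfaces and addresses swapped."""
    pairs = []
    for i, a in enumerate(rules):
        for b in rules[i + 1:]:
            if (a["real_if"], a["mapped_if"], a["real_ip"], a["mapped_ip"]) == \
               (b["mapped_if"], b["real_if"], b["mapped_ip"], b["real_ip"]):
                pairs.append((a, b))
    return pairs

def unpublished_on(rules, real_ip, interface):
    """True if real_ip has no static translation toward `interface`."""
    return not any(r["real_ip"] == real_ip and r["mapped_if"] == interface.lower()
                   for r in rules)

if __name__ == "__main__":
    rules = parse_statics(SAMPLE_CONFIG)
    print("mirrored pairs:", len(mirrored_pairs(rules)))
    print("10.100.10.2 missing on Outside:", unpublished_on(rules, "10.100.10.2", "Outside"))
```
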

Re: NAt inside to inside interface

Does it mean I have to enable NAT for everything? Or can I still do NAT and PAT just for chosen IPs?

Re: NAt inside to inside interface

you can still just do nat and pat.

Re: NAt inside to inside interface

Andrew, thanks for everything.

Would you be so kind and help me with this NAT and PAT config for the outside interface?

Only for just one mapping, the rest I would just replicate.

BIG TIA.

Re: NAt inside to inside interface

IT'S WORKING!!!

Big thanks Andrew for all your help and support!

That was the last missing config -

static (Inside1,outside) 83.89.92.250 10.100.10.2 netmask 255.255.255.255 and it worked nicely.

All the best in 2012.

Marcin.

Re: NAt inside to inside interface

No - glad to help.

And to you.
