Posted by tman on June 19, 2008, 5:36 pm
I am learning how to configure an ASA 5500. I am having a problem with NAT.

It is my understanding that traffic will pass from a more secure interface to a less secure interface by default. I wanted hosts on the Inside interface to be able to ping hosts on both the Dmz and the Outside interfaces. The security levels are:
Inside 100
Outside 0
Dmz 50

I added ICMP to the Class inspection_default

nat by default was:

global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0

I added nat (dmz) 1 0.0.0.0 0.0.0.0

I can ping hosts on the Outside interface from the Dmz.
I cannot ping hosts on the Outside interface.

Looks like, with my dim understanding of this, I missed something.

I would appreciate any suggestions.

Thanks
Posted by tman on June 21, 2008, 12:53 pm
I figured out what the problem was by using that cool tool in the ASDM, the Packet Tracer. It showed what access-list was stopping the ping. It was the implied deny any at the end of the access-list that I had, incorrectly, on the inside interface to allow DNS from the hosts on the dmz. It should have been on the dmz interface.
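
As an added example (not part of the original thread), here is a simplified Python model of the access check that the Packet Tracer result in the post above points to: an ACL applied inbound on an interface replaces the security-level default for traffic entering that interface and ends in an implicit deny. The ACL contents, flow tuples and function names are constructed for illustration; NAT, routing and ICMP inspection are not modelled.

```python
# Added example: models only the interface access check (no NAT, routing, inspection).
SECURITY_LEVEL = {"inside": 100, "dmz": 50, "outside": 0}  # levels from the thread

def acl_decision(acl, proto, dport):
    """First matching entry wins; an applied ACL always ends in an implicit deny."""
    for action, ace_proto, ace_port in acl:
        if ace_proto in ("ip", proto) and ace_port in (None, dport):
            port = f" eq {ace_port}" if ace_port else ""
            return action, f"{action} {ace_proto}{port}"
    return "deny", "implicit deny any"

def check(ingress, egress, proto, dport, access_groups):
    """Return (allowed, reason) for a new flow arriving on `ingress`."""
    acl = access_groups.get(ingress)
    if acl is not None:
        # An inbound ACL replaces the security-level default for this interface.
        action, rule = acl_decision(acl, proto, dport)
        return action == "permit", f"acl on {ingress}: {rule}"
    allowed = SECURITY_LEVEL[ingress] > SECURITY_LEVEL[egress]
    return allowed, "security-level default"

# Constructed ACL standing in for the poster's "allow dns" list.
DNS_ONLY = [("permit", "udp", 53)]
MISPLACED = {"inside": DNS_ONLY}   # as first applied: on the inside interface
CORRECTED = {"dmz": DNS_ONLY}      # as fixed: on the dmz interface

FLOWS = [  # constructed sample flows: (ingress, egress, protocol, dest port)
    ("inside", "outside", "icmp", None),
    ("inside", "dmz", "icmp", None),
    ("dmz", "outside", "udp", 53),
]

def report(access_groups):
    return {flow: check(*flow, access_groups) for flow in FLOWS}

if __name__ == "__main__":
    for label, groups in (("misplaced", MISPLACED), ("corrected", CORRECTED)):
        print(label)
        for flow, (allowed, reason) in report(groups).items():
            print("  ", flow, "ALLOW" if allowed else "DROP", "-", reason)
```

With the ACL on the inside interface, the inside-to-outside ping is dropped by the implicit deny, while DNS from the dmz was never evaluated against that ACL at all.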
Posted by swk on June 23, 2008, 10:04 am
> I am learning how to configure an ASA 5500. I am having a problem
> with NAT.
>
> It is my understanding that traffic will pass from a more secure
> interface to a less secure interface by default. I wanted hosts on
> the Inside interface to be able to ping hosts on both the Dmz and the
> Outside interfaces. The security levels are:
> Inside 100
> Outside 0
> Dmz 50
>
> I added ICMP to the Class inspection_default
>
> nat by default was:
>
> global (outside) 1 interface
> nat (inside) 1 0.0.0.0 0.0.0.0
>
> I added nat (dmz) 1 0.0.0.0 0.0.0.0
>
> I can ping hosts on the Outside interface from the Dmz.
> I cannot ping hosts on the Outside interface.
>
> Looks like, with my dim understanding of this, I missed something.
>
> I would appreciate any suggestions.
>
> Thanks

nat (dmz) 1 0.0.0.0 0.0.0.0

needs to change to

nat (dmz) 2 0.0.0.0 0.0.0.0
global (outside) 2 interface
Problem Configuring NAT on ASA 5500