Problem Configuring NAT on ASA 5500

I am learning how to configure an ASA 5500. I am having a problem with NAT.

It is my understanding that traffic will pass from a more secure interface to a less secure interface by default. I wanted hosts on the Inside interface to be able to ping hosts on both the Dmz and the Outside interfaces. The security levels are: Inside 100 Outside 0 Dmz 50

I added ICMP to the Class inspection_default

nat by default was:

global (outside) 1 interface
nat (inside) 1

I added nat (dmz) 1

I can ping hosts on the Outside interface from the Dmz. I cannot ping hosts on the Outside interface.

Looks like, with my dim understanding of this, I missed something.

I would appreciate any suggestions.



I figured out what the problem was by using that cool tool in the ASDM, the Packet Tracer. It showed what access-list was stopping the ping. It was the implied deny any at the end of the access-list that I had, incorrectly, on the inside interface to allow DNS from the hosts on the DMZ. It should have been on the DMZ interface.


nat (dmz) 1

needs to change to

nat (dmz) 2
global (outside) 2 interface
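As an added example (not from the thread or either reply), here is a pre-8.3 ASA configuration that pulls the pieces of this thread together: separate NAT ids and global pools for inside and dmz, ICMP inspection, and the DNS access-list applied on the dmz interface rather than inside. The addresses, the access-list names and the nat 0 exemption for inside-to-dmz traffic are assumptions, not something the posters showed.

```cisco
! Constructed addressing (assumed):
!   inside  192.168.1.0/24  security-level 100
!   dmz     172.16.1.0/24   security-level 50
!   outside                 security-level 0, PAT to the interface address

! NAT id 1: inside hosts are PATed to the outside interface address
nat (inside) 1 192.168.1.0 255.255.255.0
global (outside) 1 interface

! NAT id 2: dmz hosts get their own id and global pool, as the second reply suggests
nat (dmz) 2 172.16.1.0 255.255.255.0
global (outside) 2 interface

! Assumed: let inside reach the dmz untranslated (NAT exemption), so inside-to-dmz
! traffic does not fall into NAT id 1 and look for a missing global (dmz) pool
access-list inside_to_dmz_nonat extended permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0
nat (inside) 0 access-list inside_to_dmz_nonat

! Stateful ICMP inspection so echo replies are allowed back in (the OP's first step)
policy-map global_policy
 class inspection_default
  inspect icmp

! The DNS access-list belongs on the dmz interface, not inside. Once any ACL is
! applied inbound on an interface, its implicit "deny any" replaces the default
! higher-to-lower permit, so everything the dmz should initiate (here, outbound
! ping as well as DNS) has to be permitted explicitly.
access-list dmz_in extended permit udp 172.16.1.0 255.255.255.0 any eq domain
access-list dmz_in extended permit icmp 172.16.1.0 255.255.255.0 any echo
access-group dmz_in in interface dmz

! No ACL on inside: it keeps the default permit toward dmz and outside.
! Verify from the CLI with the same tool as the ASDM Packet Tracer (constructed hosts):
!   packet-tracer input inside icmp 192.168.1.10 8 0 203.0.113.5
!   packet-tracer input dmz    icmp 172.16.1.10  8 0 203.0.113.5
```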
