Problem Configuring NAT on ASA 5500

I am learning how to configure an ASA 5500. I am having a problem with NAT.

It is my understanding that traffic will pass from a more secure interface to a less secure interface by default. I wanted hosts on the Inside interface to be able to ping hosts on both the Dmz and the Outside interfaces. The security levels are: Inside 100 Outside 0 Dmz 50

I added ICMP to the Class inspection_default

nat by default was:

global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0

I added nat (dmz) 1 0.0.0.0 0.0.0.0

I can ping hosts on the Outside interface from the Dmz. I cannot ping hosts on the Outside interface.

Looks like, with my dim understanding of this, I missed something.

I would appreciate any suggestions.

Thanks

tman

I figured out what the problem was by using that cool tool in the ASDM, the Packet Tracer. It showed what access-list was stopping the ping. It was the implied deny any at the end of the access-list that I had, incorrectly, on the inside interface to allow DNS from the hosts on the DMZ. It should have been on the DMZ interface.

tman

nat (dmz) 1 0.0.0.0 0.0.0.0

needs to change to

nat (dmz) 2 0.0.0.0 0.0.0.0
global (outside) 2 interface

swk
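Putting the two points from this thread together (the ACL belongs on the dmz interface, and every nat ID needs a matching global), here is an added example of a minimal pre-8.3 ASA configuration; it is not either poster's actual config, and the interface names, the ACL name dmz-in and the 192.0.2.0/24 DMZ subnet are assumptions.

```text
! Added example, not from the thread. Security levels as stated in the post.
interface Vlan1
 nameif inside
 security-level 100
interface Vlan2
 nameif outside
 security-level 0
interface Vlan3
 nameif dmz
 security-level 50

! Dynamic PAT to the outside interface address for both inside and dmz.
! NAT ID 1 on nat (inside)/nat (dmz) must match the ID on global (outside).
! swk's variant, nat (dmz) 2 with a separate global (outside) 2 interface,
! is equivalent; what matters is that the IDs pair up.
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface

! DNS permit for DMZ hosts, applied INBOUND ON THE DMZ interface, not on inside.
! An access-group on inside ends with an implicit deny any, which is what
! blocked the inside-to-dmz/outside pings in the original post.
! 192.0.2.0/24 is a constructed DMZ subnet (ASA ACLs use subnet masks).
access-list dmz-in extended permit udp 192.0.2.0 255.255.255.0 any eq domain
access-list dmz-in extended permit tcp 192.0.2.0 255.255.255.0 any eq domain
access-group dmz-in in interface dmz

! ICMP inspection so echo replies are allowed back through the stateful path.
policy-map global_policy
 class inspection_default
  inspect icmp
service-policy global_policy global
```

With no access-group bound to inside, the default behaviour (higher security level to lower is permitted) lets inside hosts ping both dmz and outside, and "packet-tracer input inside icmp <src> 8 0 <dst>" from the CLI shows the same verdict the ASDM Packet Tracer gave.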
