Solved

ASA 5505 Nat Exemption

Posted on 2008-10-31
3
1,227 Views
Last Modified: 2012-08-14
I have configured a Cisco ASA 5505 to sit between our network and a vendor network. We do not want NAT running between the two. The vendor controls the router attached to VLAN12 on the ASA.

I do not get ping replies from the vendors router. I suspect they don't have a route configured pointing to the ASA for my internal subnet but they insist the problem is on my end.

If the problem is on my end then the only thing I can think of is it's with the NAT exemption settings.
Below is the snippet of my NAT config.

The IP Address of their router is 192.168.6.2

As a test, I reconfigured the ASA to NAT internal traffic to the kcata interface and could ping the router then, just not with NAT exemption

Does it look correct for bi-directional comminication with NAT exemption?

Thanks,

Denny
 

 


interface Vlan1
 nameif inside
 security-level 100
 ip address 10.40.117.132 255.255.255.128 
!
interface Vlan12
 description Port Connecting to KCATA
 nameif kcata
 security-level 10
 ip address 192.168.6.1 255.255.255.0 
!
access-list inside_access_in extended permit icmp 10.40.117.128 255.255.255.128 192.168.6.0 255.255.255.0 
access-list kcata_access_in extended permit icmp 192.168.6.0 255.255.255.0 10.40.117.128 255.255.255.128 
 
access-list inside_nat0_outbound extended permit ip 10.40.117.128 255.255.255.128 192.168.6.0 255.255.255.0 
access-list kcata_nat0_outbound extended permit ip 192.168.6.0 255.255.255.0 10.40.117.128 255.255.255.128 
 
nat (inside) 0 access-list inside_nat0_outbound
nat (kcata) 0 access-list kcata_nat0_outbound outside
 
access-group inside_access_in in interface inside
access-group kcata_access_in in interface kcata

Open in new window

0
Comment
Question by:jokes54321
  • 2
3 Comments
 
LVL 79

Accepted Solution

by:
lrmoore earned 500 total points
ID: 22858703
A better way to do this would be a static like this:

static (inside,kcata) 10.40.117.0 10.40.117.0 netmask 255.255.255.0

This says that 10.40.117 inside is same 10.40.117.0 on kcata interface, effectively natting it to itself

But, you also have to allow their network in through an access-list
access-list kcata permit ip 192.168.6.0 255.255.255.0 10.40.117.0 255.255.255.0
access-group kcata in interface kcata
0
 

Author Comment

by:jokes54321
ID: 22858826
Thank you for the reply. This sounds reasonable and I will certainly give it a shot. Should my above configuration work though?

Thank you,

Denny
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 22859501
i don't know, you didn't show the whole config.
0

Featured Post

Free Tool: SSL Checker

Scans your site and returns information about your SSL implementation and certificate. Helpful for debugging and validating your SSL configuration.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Firewall Appliance 3 74
Secure Connection Failed - Sonicwall FW 1 97
Setting up a VPN 60 183
Swapping port on a  Cisco 5510 firewall 1 25
I found an issue or “bug” in the SonicOS platform (the firmware controlling SonicWALL security appliances) that has to do with renaming Default Service Objects, which then causes a portion of the system to become uncontrollable and unstable. BACK…
Imagine you have a shopping list of items you need to get at the grocery store. You have two options: A. Take one trip to the grocery store and get everything you need for the week, or B. Take multiple trips, buying an item at a time, to achieve t…
This video shows how to quickly and easily add an email signature for all users on Exchange 2016. The resulting signature is applied on a server level by Exchange Online. The email signature template has been downloaded from: www.mail-signatures…

830 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question