?
Solved

ASA 5505 Nat Exemption

Posted on 2008-10-31
3
Medium Priority
?
1,242 Views
Last Modified: 2012-08-14
I have configured a Cisco ASA 5505 to sit between our network and a vendor network. We do not want NAT running between the two. The vendor controls the router attached to VLAN12 on the ASA.

I do not get ping replies from the vendors router. I suspect they don't have a route configured pointing to the ASA for my internal subnet but they insist the problem is on my end.

If the problem is on my end then the only thing I can think of is it's with the NAT exemption settings.
Below is the snippet of my NAT config.

The IP Address of their router is 192.168.6.2

As a test, I reconfigured the ASA to NAT internal traffic to the kcata interface and could ping the router then, just not with NAT exemption

Does it look correct for bi-directional comminication with NAT exemption?

Thanks,

Denny
 

 


interface Vlan1
 nameif inside
 security-level 100
 ip address 10.40.117.132 255.255.255.128 
!
interface Vlan12
 description Port Connecting to KCATA
 nameif kcata
 security-level 10
 ip address 192.168.6.1 255.255.255.0 
!
access-list inside_access_in extended permit icmp 10.40.117.128 255.255.255.128 192.168.6.0 255.255.255.0 
access-list kcata_access_in extended permit icmp 192.168.6.0 255.255.255.0 10.40.117.128 255.255.255.128 
 
access-list inside_nat0_outbound extended permit ip 10.40.117.128 255.255.255.128 192.168.6.0 255.255.255.0 
access-list kcata_nat0_outbound extended permit ip 192.168.6.0 255.255.255.0 10.40.117.128 255.255.255.128 
 
nat (inside) 0 access-list inside_nat0_outbound
nat (kcata) 0 access-list kcata_nat0_outbound outside
 
access-group inside_access_in in interface inside
access-group kcata_access_in in interface kcata

Open in new window

0
Comment
Question by:jokes54321
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
3 Comments
 
LVL 79

Accepted Solution

by:
lrmoore earned 2000 total points
ID: 22858703
A better way to do this would be a static like this:

static (inside,kcata) 10.40.117.0 10.40.117.0 netmask 255.255.255.0

This says that 10.40.117 inside is same 10.40.117.0 on kcata interface, effectively natting it to itself

But, you also have to allow their network in through an access-list
access-list kcata permit ip 192.168.6.0 255.255.255.0 10.40.117.0 255.255.255.0
access-group kcata in interface kcata
0
 

Author Comment

by:jokes54321
ID: 22858826
Thank you for the reply. This sounds reasonable and I will certainly give it a shot. Should my above configuration work though?

Thank you,

Denny
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 22859501
i don't know, you didn't show the whole config.
0

Featured Post

Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Optimal Xbox 360 connectivity requires "OPEN NAT". If you use Juniper Netscreen or SSG firewall products in a home setting, the following steps will allow you get rid of the dreaded warning screen below and achieve the best online gaming environment…
I found an issue or “bug” in the SonicOS platform (the firmware controlling SonicWALL security appliances) that has to do with renaming Default Service Objects, which then causes a portion of the system to become uncontrollable and unstable. BACK…
If you’ve ever visited a web page and noticed a cool font that you really liked the look of, but couldn’t figure out which font it was so that you could use it for your own work, then this video is for you! In this Micro Tutorial, you'll learn yo…
In this video, Percona Solution Engineer Rick Golba discuss how (and why) you implement high availability in a database environment. To discuss how Percona Consulting can help with your design and architecture needs for your database and infrastr…
Suggested Courses

752 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question