Solved

ASA 5505 Nat Exemption

Posted on 2008-10-31
Last Modified: 2012-08-14
I have configured a Cisco ASA 5505 to sit between our network and a vendor network. We do not want NAT running between the two. The vendor controls the router attached to VLAN12 on the ASA.

I do not get ping replies from the vendor's router. I suspect they don't have a route configured pointing to the ASA for my internal subnet, but they insist the problem is on my end.

If the problem is on my end, then the only thing I can think of is that it's the NAT exemption settings.
Below is the snippet of my NAT config.

The IP Address of their router is 192.168.6.2

As a test, I reconfigured the ASA to NAT internal traffic to the kcata interface and could ping the router then, just not with NAT exemption.

Does it look correct for bi-directional communication with NAT exemption?

Thanks,

Denny

interface Vlan1
 nameif inside
 security-level 100
 ip address 10.40.117.132 255.255.255.128
!
interface Vlan12
 description Port Connecting to KCATA
 nameif kcata
 security-level 10
 ip address 192.168.6.1 255.255.255.0
!
access-list inside_access_in extended permit icmp 10.40.117.128 255.255.255.128 192.168.6.0 255.255.255.0
access-list kcata_access_in extended permit icmp 192.168.6.0 255.255.255.0 10.40.117.128 255.255.255.128
!
access-list inside_nat0_outbound extended permit ip 10.40.117.128 255.255.255.128 192.168.6.0 255.255.255.0
access-list kcata_nat0_outbound extended permit ip 192.168.6.0 255.255.255.0 10.40.117.128 255.255.255.128
!
nat (inside) 0 access-list inside_nat0_outbound
nat (kcata) 0 access-list kcata_nat0_outbound outside
!
access-group inside_access_in in interface inside
access-group kcata_access_in in interface kcata

Question by:jokes54321

3 Comments

Accepted Solution by: lrmoore (earned 500 total points)
A better way to do this would be a static like this:

static (inside,kcata) 10.40.117.0 10.40.117.0 netmask 255.255.255.0

This says that 10.40.117.0 on inside is the same 10.40.117.0 on the kcata interface, effectively NATting it to itself.

But, you also have to allow their network in through an access-list
access-list kcata permit ip 192.168.6.0 255.255.255.0 10.40.117.0 255.255.255.0
access-group kcata in interface kcata
Author Comment by:jokes54321
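As an added worked example (not configuration from the original post or from lrmoore) of the identity static the accepted answer describes, together with the checks that tell an ASA-side NAT/ACL problem apart from a missing return route on the vendor router: pre-8.3 ASA syntax, the /25 inside subnet taken from the poster's Vlan1 interface rather than the /24 in the answer, the ASA's default global_policy, and an assumed inside host 10.40.117.140 used only in the diagnostic lines.

```cisco
! Added example, not from the original post: identity ("NAT to itself") translation
! between inside and kcata on pre-8.3 ASA code. The mask is the /25 actually
! configured on Vlan1, so the static does not claim addresses the inside does not own.
static (inside,kcata) 10.40.117.128 10.40.117.128 netmask 255.255.255.128
!
! Traffic arriving from the vendor still needs an inbound ACL on the lower-security
! interface. Least privilege: permit only what the vendor needs (ICMP, as in the
! original question) rather than "permit ip" for the whole subnet.
access-list kcata_access_in extended permit icmp 192.168.6.0 255.255.255.0 10.40.117.128 255.255.255.128
access-group kcata_access_in in interface kcata
!
! Without ICMP inspection the ASA does not track echo/echo-reply as a session;
! enabling it in the default service policy lets replies return statefully.
policy-map global_policy
 class inspection_default
  inspect icmp
!
! Verification from enable mode. 10.40.117.140 is an assumed inside host.
! packet-tracer walks every phase (ROUTE-LOOKUP, ACCESS-LIST, NAT) and names the
! rule that matched or dropped the packet, in each direction.
packet-tracer input inside icmp 10.40.117.140 8 0 192.168.6.2
packet-tracer input kcata icmp 192.168.6.2 8 0 10.40.117.140
show xlate
show nat
show running-config nat-control
!
! A capture on kcata settles the "whose side is it on" question: echo-requests
! leaving with an untranslated 10.40.117.x source and no echo-replies coming back
! means the ASA forwarded them and the vendor router has no route for the reply.
capture kc interface kcata match icmp any host 192.168.6.2
show capture kc
no capture kc
```

Two caveats worth knowing when reading the output: `nat 0 access-list` exemption is bidirectional on its own, so a single rule on the inside interface already covers both directions; and ASA software defaults to `no nat-control`, under which inside-to-kcata traffic that matches no NAT rule is forwarded untranslated anyway, so a missing translation is rarely the reason a ping fails.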
Thank you for the reply. This sounds reasonable and I will certainly give it a shot. Should my above configuration work though?

Thank you,

Denny
Expert Comment by:lrmoore
I don't know; you didn't show the whole config.