Solved

ASA 5505 Nat Exemption

Posted on 2008-10-31
3
1,237 Views
Last Modified: 2012-08-14
I have configured a Cisco ASA 5505 to sit between our network and a vendor network. We do not want NAT running between the two. The vendor controls the router attached to VLAN12 on the ASA.

I do not get ping replies from the vendors router. I suspect they don't have a route configured pointing to the ASA for my internal subnet but they insist the problem is on my end.

If the problem is on my end then the only thing I can think of is it's with the NAT exemption settings.
Below is the snippet of my NAT config.

The IP Address of their router is 192.168.6.2

As a test, I reconfigured the ASA to NAT internal traffic to the kcata interface and could ping the router then, just not with NAT exemption

Does it look correct for bi-directional comminication with NAT exemption?

Thanks,

Denny
 

 


interface Vlan1
 nameif inside
 security-level 100
 ip address 10.40.117.132 255.255.255.128 
!
interface Vlan12
 description Port Connecting to KCATA
 nameif kcata
 security-level 10
 ip address 192.168.6.1 255.255.255.0 
!
access-list inside_access_in extended permit icmp 10.40.117.128 255.255.255.128 192.168.6.0 255.255.255.0 
access-list kcata_access_in extended permit icmp 192.168.6.0 255.255.255.0 10.40.117.128 255.255.255.128 
 
access-list inside_nat0_outbound extended permit ip 10.40.117.128 255.255.255.128 192.168.6.0 255.255.255.0 
access-list kcata_nat0_outbound extended permit ip 192.168.6.0 255.255.255.0 10.40.117.128 255.255.255.128 
 
nat (inside) 0 access-list inside_nat0_outbound
nat (kcata) 0 access-list kcata_nat0_outbound outside
 
access-group inside_access_in in interface inside
access-group kcata_access_in in interface kcata

Open in new window

0
Comment
Question by:jokes54321
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
3 Comments
 
LVL 79

Accepted Solution

by:
lrmoore earned 500 total points
ID: 22858703
A better way to do this would be a static like this:

static (inside,kcata) 10.40.117.0 10.40.117.0 netmask 255.255.255.0

This says that 10.40.117 inside is same 10.40.117.0 on kcata interface, effectively natting it to itself

But, you also have to allow their network in through an access-list
access-list kcata permit ip 192.168.6.0 255.255.255.0 10.40.117.0 255.255.255.0
access-group kcata in interface kcata
0
 

Author Comment

by:jokes54321
ID: 22858826
Thank you for the reply. This sounds reasonable and I will certainly give it a shot. Should my above configuration work though?

Thank you,

Denny
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 22859501
i don't know, you didn't show the whole config.
0

Featured Post

Everything You Need to Know about Petya 2.0

Get an overview of the what, when and how of Petya 2.0  from our threat analyst Marc Labilerte, as well as a look at how WatchGuard Total Security Suite protected our customers from the recent attack!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Optimal Xbox 360 connectivity requires "OPEN NAT". If you use Juniper Netscreen or SSG firewall products in a home setting, the following steps will allow you get rid of the dreaded warning screen below and achieve the best online gaming environment…
Network traffic routing plays key role in your network, if you have single site with heavy browsing or multiple sites, replicating important application data from your Primary Default Gateway ,you have to route your other network traffic from your p…
In this video we outline the Physical Segments view of NetCrunch network monitor. By following this brief how-to video, you will be able to learn how NetCrunch visualizes your network, how granular is the information collected, as well as where to f…
NetCrunch network monitor is a highly extensive platform for network monitoring and alert generation. In this video you'll see a live demo of NetCrunch with most notable features explained in a walk-through manner. You'll also get to know the philos…

695 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question