Solved

ASA 5505 Nat Exemption

Posted on 2008-10-31
3
1,225 Views
Last Modified: 2012-08-14
I have configured a Cisco ASA 5505 to sit between our network and a vendor network. We do not want NAT running between the two. The vendor controls the router attached to VLAN12 on the ASA.

I do not get ping replies from the vendors router. I suspect they don't have a route configured pointing to the ASA for my internal subnet but they insist the problem is on my end.

If the problem is on my end then the only thing I can think of is it's with the NAT exemption settings.
Below is the snippet of my NAT config.

The IP Address of their router is 192.168.6.2

As a test, I reconfigured the ASA to NAT internal traffic to the kcata interface and could ping the router then, just not with NAT exemption

Does it look correct for bi-directional comminication with NAT exemption?

Thanks,

Denny
 

 


interface Vlan1

 nameif inside

 security-level 100

 ip address 10.40.117.132 255.255.255.128 

!

interface Vlan12

 description Port Connecting to KCATA

 nameif kcata

 security-level 10

 ip address 192.168.6.1 255.255.255.0 

!

access-list inside_access_in extended permit icmp 10.40.117.128 255.255.255.128 192.168.6.0 255.255.255.0 

access-list kcata_access_in extended permit icmp 192.168.6.0 255.255.255.0 10.40.117.128 255.255.255.128 
 

access-list inside_nat0_outbound extended permit ip 10.40.117.128 255.255.255.128 192.168.6.0 255.255.255.0 

access-list kcata_nat0_outbound extended permit ip 192.168.6.0 255.255.255.0 10.40.117.128 255.255.255.128 
 

nat (inside) 0 access-list inside_nat0_outbound

nat (kcata) 0 access-list kcata_nat0_outbound outside
 

access-group inside_access_in in interface inside

access-group kcata_access_in in interface kcata

Open in new window

0
Comment
Question by:jokes54321
  • 2
3 Comments
 
LVL 79

Accepted Solution

by:
lrmoore earned 500 total points
ID: 22858703
A better way to do this would be a static like this:

static (inside,kcata) 10.40.117.0 10.40.117.0 netmask 255.255.255.0

This says that 10.40.117 inside is same 10.40.117.0 on kcata interface, effectively natting it to itself

But, you also have to allow their network in through an access-list
access-list kcata permit ip 192.168.6.0 255.255.255.0 10.40.117.0 255.255.255.0
access-group kcata in interface kcata
0
 

Author Comment

by:jokes54321
ID: 22858826
Thank you for the reply. This sounds reasonable and I will certainly give it a shot. Should my above configuration work though?

Thank you,

Denny
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 22859501
i don't know, you didn't show the whole config.
0

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

I recently had the displeasure of buying a new firewall at one of the buildings I play Sys Admin at. I had to get a better firewall than the cheap one that I had there since I was reconnecting the main office to the satellite office via point-to-poi…
This article offers some helpful and general tips for safe browsing and online shopping. It offers simple and manageable procedures that help to ensure the safety of one's personal information and the security of any devices.
This Micro Tutorial demonstrates using Microsoft Excel pivot tables, how to reverse engineer competitors' marketing strategies through backlinks.
Video by: Mark
This lesson goes over how to construct ordered and unordered lists and how to create hyperlinks.

895 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

12 Experts available now in Live!

Get 1:1 Help Now