JDL_Tech
asked on
ASA static NAT
We are replacing our PIX with an ASA and I'm trying to get the NAT to work properly, with little luck. Below is the config for both: my PIX first and the ASA second. I can ping and connect to any of the addresses on the static NAT list on the PIX. When I set up a similar rule on the ASA I cannot connect. I can ping the public IP on the interface, but that's it. Am I missing something? Even when I set up the same rules on the ASA it didn't want to work.
static (inside,outside) xxx.xxx.219.124 10.10.4.124 netmask 255.255.255.255
static (inside,outside) xxx.xxx.219.244 10.10.4.104 netmask 255.255.255.255
static (inside,outside) xxx.xxx.219.125 10.10.4.25 netmask 255.255.255.255
static (inside,outside) xxx.xxx.219.252 10.10.4.1 netmask 255.255.255.255
static (inside,outside) xxx.xxx.219.250 10.10.10.29 netmask 255.255.255.255
static (inside,outside) xxx.xxx.219.251 10.10.10.216 netmask 255.255.255.255
static (inside,outside) xxx.xxx.219.254 10.10.10.81 netmask 255.255.255.255
nat (inside) 1 10.10.0.0 255.255.0.0
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 xxx.xxx.219.254 netmask 255.255.255.255
interface Ethernet0
 nameif WAN
 security-level 0
 ip address xxx.xxx.219.210 255.255.255.0
--------------------------
global (outside) 1 xxx.xxx.219.151
nat (inside) 1 10.10.0.0 255.255.0.0
static (inside,outside) xxx.xxx.219.211 10.10.10.29 netmask 255.255.255.255
interface Ethernet0/1
 description external
 nameif outside
 security-level 0
 ip address xxx.xxx.219.150 255.255.255.0
Did you enable the access-group command for the packets from outside?
irmoore's solution will be more effective.
ASKER
It's not so much the ping I am worried about. If I add static addresses to my PIX everything works great; I can change access rules etc. to make services work. When I add the static to my ASA using the same configurations, it does not pick up the new addresses, even when I allow any any in both directions. Could there be a conflict in which device is responding to the request? Is there another step to make static NAT work on the ASA?
enable
conf t
nat-control
add the above commands
ARP cache on the upstream router. Using the same IP address on a different MAC address. Reboot the cable modem.
ASKER
Sorry, having a *banging head* moment here: it was the route all along. The default route on my core router is pointing to the PIX, so static info on the ASA doesn't really matter. I'll go back to networking 101 very soon.
class-map inspection_default
 match default-inspection-traffic
!
policy-map global_policy
 class inspection_default
  inspect icmp
service-policy global_policy global
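The asker's question about which device responds, the ARP-cache comment, and the eventual routing answer all come down to two firewalls holding overlapping NAT entries on one outside segment. As an added example (not code from the thread), this Python script parses `static` and `global` lines in the syntax posted above and lists the overlaps to clear before cutover; the function names are hypothetical and the 203.0.113.x addresses are constructed stand-ins for the masked public range.

```python
import re

# PIX/ASA pre-8.3 syntax as posted: static (real_if,mapped_if) mapped_ip real_ip ...
STATIC_RE = re.compile(r"^\s*static\s+\(\S+?,\S+?\)\s+(\S+)\s+(\S+)")
# global (mapped_if) pool_id address ...
GLOBAL_RE = re.compile(r"^\s*global\s+\(\S+?\)\s+\d+\s+(\S+)")

def parse_nat(config):
    """Return ({mapped_ip: real_ip} for statics, {global/PAT addresses})."""
    statics, pat = {}, set()
    for line in config.splitlines():
        if m := STATIC_RE.match(line):
            statics[m.group(1)] = m.group(2)
        elif m := GLOBAL_RE.match(line):
            pat.add(m.group(1))
    return statics, pat

def migration_conflicts(old_cfg, new_cfg):
    """Compare NAT ownership of two firewalls sharing one outside segment."""
    old_s, old_pat = parse_nat(old_cfg)
    new_s, new_pat = parse_nat(new_cfg)
    return {
        # Outside addresses both devices claim (both would answer ARP for them).
        "shared_mapped": sorted((set(old_s) | old_pat) & (set(new_s) | new_pat)),
        # One address used as both a static and the PAT global on one device.
        "static_and_pat": sorted((set(old_s) & old_pat) | (set(new_s) & new_pat)),
        # Inside hosts translated on both devices: replies leave through whichever
        # firewall the inside default route points to, not necessarily the new one.
        "shared_real": sorted(set(old_s.values()) & set(new_s.values())),
    }

# Constructed sample configs (203.0.113.0/24 is a documentation range).
OLD_PIX = """\
static (inside,outside) 203.0.113.124 10.10.4.124 netmask 255.255.255.255
static (inside,outside) 203.0.113.250 10.10.10.29 netmask 255.255.255.255
static (inside,outside) 203.0.113.254 10.10.10.81 netmask 255.255.255.255
global (outside) 1 203.0.113.254 netmask 255.255.255.255
"""
NEW_ASA = """\
global (outside) 1 203.0.113.151
static (inside,outside) 203.0.113.211 10.10.10.29 netmask 255.255.255.255
static (inside,outside) 203.0.113.124 10.10.4.124 netmask 255.255.255.255
"""

if __name__ == "__main__":
    for finding, addresses in migration_conflicts(OLD_PIX, NEW_ASA).items():
        print(f"{finding}: {addresses}")
```

An empty `shared_mapped` list only rules out the address conflict; the return path still has to be checked on the inside router, which is where the fault in this thread was.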