Dan560
asked on
NAT Question...
Hi,
I have a question that for the life of me I cannot work out the answer to.
I have a Cisco ASA 5505; its IP address is 172.25.25.3.
I have a VLAN from this Firewall that connects to my telephone system 192.168.200.x.
Please note I have no management access to this system.
I have configured it so that everything on 172.25.25.x can connect to the telephone system using the VLAN as its gateway. The VLAN IP is 192.168.200.253. This setup works OK.
However, I now need to allow everything on the telephone network to connect to my 172.25.25.x network.
Can anyone explain the setup for me? I just cannot get my head round what I need to change on my side.
I can post config if needed.
Please post the config. That should make it a bit easier for us.
ASKER
Please find the config attached.
config.txt
ASKER CERTIFIED SOLUTION
ASKER
Are you sure this will work? I am not sure why the IP address is repeated in your command.
Can you please explain?
static (inside,TN) 172.25.25.0 172.25.25.0 netmask 255.255.255.0
When going from a high-security to a low-security interface on an ASA, you need to NAT (this is a security feature). By doing it this way, traffic from the inside will be NATted to itself, so 172.25.25.1 will appear as 172.25.25.1 on the TN network (for example).
ASKER
I haven't had a chance to test this yet, I think I will only be able to do it out of hours.
However I have just read this question..
https://www.experts-exchange.com/questions/27248707/ASA-same-security-traffic.html
Maybe I only need to set my TN interface with the same security level, i.e. 100.
That is also an option if you don't mind those interfaces having the same security level. In this case I don't think it will be a problem because you're not using the TN as a DMZ.
ASKER
Your command worked. Thank you.
My pleasure :)
Thx 4 the points.
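The two options discussed in this thread, laid out side by side as an added example that is not part of the original posts or of the attached config.txt. The /24 masks, the ACL name `TN_in`, the host 172.25.25.10, port 5060, the test source 192.168.200.10 and the `<TN-vlan-id>` placeholder are assumptions.

```cisco
! Added example, pre-8.3 ASA syntax to match the static command in the thread.
! Constructed values: /24 masks, ACL name TN_in, host 172.25.25.10, port 5060.

! --- Option A: TN stays at a lower security level than inside ---
! Identity static: inside hosts keep their own addresses when seen from TN.
static (inside,TN) 172.25.25.0 172.25.25.0 netmask 255.255.255.0
! Connections initiated from the lower-security side are dropped by default,
! so they also need an ACL applied inbound on TN.
! Broad rule, matching "everything on the telephone network":
access-list TN_in extended permit ip 192.168.200.0 255.255.255.0 172.25.25.0 255.255.255.0
! Tighter alternative once the required flows are known (use instead of the line above):
! access-list TN_in extended permit tcp 192.168.200.0 255.255.255.0 host 172.25.25.10 eq 5060
access-group TN_in in interface TN
! Only one ACL can be bound per interface and direction: if TN already has one,
! add the permit line to that ACL rather than issuing a new access-group.

! --- Option B: same security level on both interfaces ---
interface Vlan<TN-vlan-id>
 nameif TN
 security-level 100
!
same-security-traffic permit inter-interface
! With equal levels the security-level default no longer separates the two
! networks; only an ACL bound to TN limits what the phone side can reach.

! --- Checks for either option (exec mode, test source address is constructed) ---
! packet-tracer input TN tcp 192.168.200.10 1025 172.25.25.10 5060
! show xlate
! show access-list TN_in
```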