https://community.cisco.com/t5/network-security/nat-9-1/m-p/2657538#M194977 <P>Hi All,</P><P>&nbsp;</P><P>I have asa 5525 version 9.1(2)</P><P>i want to allow the traffice from outsid to inside and inside to outside. Also attached a diagram.</P><P>Thanks</P><P>&nbsp;</P> Tue, 12 Mar 2019 05:46:59 GMT infra.admin1 2019-03-12T05:46:59Z https://community.cisco.com/t5/network-security/nat-9-1/m-p/2657538#M194977 <P>Hi All,</P><P>&nbsp;</P><P>I have asa 5525 version 9.1(2)</P><P>i want to allow the traffice from outsid to inside and inside to outside. Also attached a diagram.</P><P>Thanks</P><P>&nbsp;</P> Tue, 12 Mar 2019 05:46:59 GMT https://community.cisco.com/t5/network-security/nat-9-1/m-p/2657538#M194977 infra.admin1 2019-03-12T05:46:59Z https://community.cisco.com/t5/network-security/nat-9-1/m-p/2657539#M194978 <P>Hi Admin,</P><P>Configure a static NAT on the ASA, as you require bi-directional traffic flow.</P><P>Static NAT configuration example:</P><P><U>http://www.cisco.com/c/en/us/td/docs/security/asa/asa91/configuration/firewall/asa_91_firewall_config/nat_objects.html#pgfId-1106703</U></P><P>Hope this helps.</P><P>Regards,</P><P>Shrinkhala</P> Thu, 16 Apr 2015 13:42:14 GMT https://community.cisco.com/t5/network-security/nat-9-1/m-p/2657539#M194978 shrising 2015-04-16T13:42:14Z https://community.cisco.com/t5/network-security/nat-9-1/m-p/2657540#M194980 <P>Hi. What traffic do you want to allow in, and what do you want to allow in.</P><P>Remember that traffic from a higher security level interface to a lower security level interface. &nbsp;This traffic will be statefully inspected (except for icmp by default) And the return traffic will be allowed. So this means for outgoing Internet traffic all you need is dynamic PAT ( no ACL) if your outside interface security level is lower than your inside. For traffic coming from outside you need an access rule (ACL). If you need inside servers available on the outside, &nbsp;you eill need static NAT rules.</P> Thu, 16 Apr 2015 17:31:39 GMT https://community.cisco.com/t5/network-security/nat-9-1/m-p/2657540#M194980 Andre Neethling 2015-04-16T17:31:39Z https://community.cisco.com/t5/network-security/nat-9-1/m-p/2657541#M194982 <P>Hi Andre,</P><P>&nbsp;</P><P>Thanks for the reply and i configure as per below configuration. And i want allow all kind of traffic including ICMP.</P><P>&nbsp;</P><P>object network InsideTOoutside</P><P>host 11.11.11.2</P><P>nat(inside,outside) static 12.12.12.1</P><P>&nbsp;</P><P>access-lis 101 permit ip any any</P><P>access-group 101 in interface outside</P><P>&nbsp;</P><P>ip route 0.0.0.0 12.12.12.2</P><P>11.11.11.2----------------------inside server ip</P><P>12.12.12.1----------------------firewall outside ip with 29 subnet mask</P><P>12.12.12.2-----------------------internet gateway with 29 subnet mask</P><P>&nbsp;</P><P>but its not working even from firewall 12.12.12.2 is not pingable.</P><P>Thanks</P><P>&nbsp;</P> Fri, 17 Apr 2015 06:26:06 GMT https://community.cisco.com/t5/network-security/nat-9-1/m-p/2657541#M194982 infra.admin1 2015-04-17T06:26:06Z https://community.cisco.com/t5/network-security/nat-9-1/m-p/2657542#M194984 <P>Hi ,</P><P>The NAT rule is correct.<BR /><BR />You can troubleshoot the following:</P><P>-Run a packet tracer to confirm if the firewall is allowing the traffic:<BR /><BR />packet-tracer input inside icmp&nbsp;<SPAN style="font-size:11.0pt;font-family:&quot;Arial&quot;,&quot;sans-serif&quot;; color:#4B4B4B">11.11.11.2 8 0 4.2.2.2 detailed<P></P></SPAN></P><P>- Check the arp entry for the gateway on the outside interface</P><P>sh arp | inc&nbsp;<SPAN style="font-size:11.0pt;font-family:&quot;Arial&quot;,&quot;sans-serif&quot;; color:#4B4B4B">12.12.12.2</SPAN></P><P><SPAN style="font-size:11.0pt;font-family:&quot;Arial&quot;,&quot;sans-serif&quot;; color:#4B4B4B"><P>Confirm the entry is not stale. </P></SPAN></P><P><SPAN style="font-size:11.0pt;font-family:&quot;Arial&quot;,&quot;sans-serif&quot;; color:#4B4B4B"><P>clear&nbsp;the ARP entry. Ping the gateway</P></SPAN></P><P><SPAN style="font-size:11.0pt;font-family:&quot;Arial&quot;,&quot;sans-serif&quot;; color:#4B4B4B"><P>Check if the firewall learns the ARP entry&nbsp;again.</P>&nbsp;(if it does not try changing the cable or check with your ISP).</SPAN></P><P><SPAN style="font-size:11.0pt;font-family:&quot;Arial&quot;,&quot;sans-serif&quot;; color:#4B4B4B">- You can also test by enabling ICMP inspection:&nbsp;</SPAN><BR /><BR />ASA(config)# fixup protocol icmp</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Fri, 17 Apr 2015 08:25:16 GMT https://community.cisco.com/t5/network-security/nat-9-1/m-p/2657542#M194984 shrising 2015-04-17T08:25:16Z