https://community.cisco.com/t5/network-security/outside-nat-in-asa/m-p/716718#M421668 <P>Hi guys i am a bit confused, please help me ..</P><P>RTR2----(Outside)ASA(Inside)----Rtr1</P><P></P><P>the outside n/w range is 192.168.1.0/24 with Rtr2 having .2 and ASA having .1</P><P>the inside n/w range is 192.168.2.0 with asa having .1 and Rtr1 hving .2</P><P></P><P>now i want to perform dynamic outside nat for Rtr2.</P><P>nat (outside) 1 192.168.1.0 255.255.255.0</P><P>global (inside) 1 interface</P><P></P><P>or </P><P>nat (outside) 1 192.168.1.0 255.255.255.0 outside </P><P>global (inside) 1 interface</P><P>-------</P><P>i knw that outside keyword is used for outside nat , and when i try to configure </P><P>nat command on outside intf, it gives me a warning also..but it takes the command.</P><P></P><P>my doubt is why outside nat doesnt works with outside keyword.I hope you guys got my doubt..</P> Fri, 21 Feb 2020 09:39:07 GMT diptanshusingh 2020-02-21T09:39:07Z https://community.cisco.com/t5/network-security/outside-nat-in-asa/m-p/716718#M421668 <P>Hi guys i am a bit confused, please help me ..</P><P>RTR2----(Outside)ASA(Inside)----Rtr1</P><P></P><P>the outside n/w range is 192.168.1.0/24 with Rtr2 having .2 and ASA having .1</P><P>the inside n/w range is 192.168.2.0 with asa having .1 and Rtr1 hving .2</P><P></P><P>now i want to perform dynamic outside nat for Rtr2.</P><P>nat (outside) 1 192.168.1.0 255.255.255.0</P><P>global (inside) 1 interface</P><P></P><P>or </P><P>nat (outside) 1 192.168.1.0 255.255.255.0 outside </P><P>global (inside) 1 interface</P><P>-------</P><P>i knw that outside keyword is used for outside nat , and when i try to configure </P><P>nat command on outside intf, it gives me a warning also..but it takes the command.</P><P></P><P>my doubt is why outside nat doesnt works with outside keyword.I hope you guys got my doubt..</P> Fri, 21 Feb 2020 09:39:07 GMT https://community.cisco.com/t5/network-security/outside-nat-in-asa/m-p/716718#M421668 diptanshusingh 2020-02-21T09:39:07Z https://community.cisco.com/t5/network-security/outside-nat-in-asa/m-p/716719#M421669 <HTML><HEAD></HEAD><BODY><P>You are correct, this is the correct way to do it.</P><P></P><P>nat (outside) 1 192.168.1.0 255.255.255.0 outside</P><P>global (inside) 1 interface </P><P></P><P>If it is not working, check the access-list applied to the outside interface, and show xlate to confirm if you have any other existing xlates.</P><P></P><P>Pleas post the complete sanitized config if this does not help.</P></BODY></HTML> Wed, 22 Aug 2007 11:56:29 GMT https://community.cisco.com/t5/network-security/outside-nat-in-asa/m-p/716719#M421669 mattiaseriksson 2007-08-22T11:56:29Z https://community.cisco.com/t5/network-security/outside-nat-in-asa/m-p/716720#M421670 <HTML><HEAD></HEAD><BODY><P>Hi thanks for you reply matti..actually what i wanted to know is that why is it so that why only when we apply "outside " keyword then only it works.. bcz with out that also when say</P><P></P><P>nat (outside) 1 192.168.1.0 255.255.255.0</P><P></P><P>it means nat for the source ip address 192.168.1.0/24 to a different ip address.</P><P></P></BODY></HTML> Wed, 22 Aug 2007 13:07:14 GMT https://community.cisco.com/t5/network-security/outside-nat-in-asa/m-p/716720#M421670 diptanshusingh 2007-08-22T13:07:14Z https://community.cisco.com/t5/network-security/outside-nat-in-asa/m-p/716721#M421671 <HTML><HEAD></HEAD><BODY><P>The outside keyword will allow the connections to initiate from an interface with a lower security level.</P></BODY></HTML> Wed, 22 Aug 2007 13:25:43 GMT https://community.cisco.com/t5/network-security/outside-nat-in-asa/m-p/716721#M421671 mattiaseriksson 2007-08-22T13:25:43Z https://community.cisco.com/t5/network-security/outside-nat-in-asa/m-p/716722#M421672 <HTML><HEAD></HEAD><BODY><P>ohh ..thanks...i got it...this means when i want to configure the same thing from my DMZ--to--inside.</P><P></P><P>then i have to apply</P><P></P><P>nat (dmz) 1 0 0 outside..</P></BODY></HTML> Wed, 22 Aug 2007 13:29:32 GMT https://community.cisco.com/t5/network-security/outside-nat-in-asa/m-p/716722#M421672 diptanshusingh 2007-08-22T13:29:32Z https://community.cisco.com/t5/network-security/outside-nat-in-asa/m-p/716723#M421673 <HTML><HEAD></HEAD><BODY><P>Correct. </P><P></P><P>The outside keyword represent any outer (less secure) interface, not the actual outside.</P></BODY></HTML> Wed, 22 Aug 2007 13:41:20 GMT https://community.cisco.com/t5/network-security/outside-nat-in-asa/m-p/716723#M421673 mattiaseriksson 2007-08-22T13:41:20Z https://community.cisco.com/t5/network-security/outside-nat-in-asa/m-p/716724#M421674 <HTML><HEAD></HEAD><BODY><P>thanks for clearing my concept...</P></BODY></HTML> Wed, 22 Aug 2007 13:43:00 GMT https://community.cisco.com/t5/network-security/outside-nat-in-asa/m-p/716724#M421674 diptanshusingh 2007-08-22T13:43:00Z https://community.cisco.com/t5/network-security/outside-nat-in-asa/m-p/716725#M421675 <HTML><HEAD></HEAD><BODY><P>Hi matti . i have the following setup</P><P></P><P>host---(inside)Pix(Outside)---Rtr</P><P></P><P>host ip address 10.0.0.10</P><P>Pix Inside 10.0.0.1</P><P>Pix Outside 172.31.0.1</P><P>Rtr IP add:172.31.0.2(Rtr having a deault route to pix)</P><P>i tried to configure outside nat, but its not working.</P><P></P><P>hostname Firewall</P><P>enable password xxx encrypted</P><P>names</P><P></P><P>interface Ethernet0</P><P> speed 100</P><P> nameif outside</P><P> security-level 0</P><P> ip address 172.31.0.1 255.255.255.0</P><P>!</P><P>interface Ethernet1</P><P> speed 100</P><P> nameif inside</P><P> security-level 100</P><P> ip address 10.0.0.1 255.255.255.0</P><P>!</P><P>passwd xxx</P><P>ftp mode passive</P><P>access-list outside extended permit ip any any</P><P>pager lines 24</P><P>logging enable</P><P>icmp unreachable rate-limit 1 burst-size 1</P><P>nat-control</P><P>global (inside) 1 interface</P><P>nat (outside) 1 0.0.0.0 0.0.0.0 outside</P><P>nat (inside) 1 0.0.0.0 0.0.0.0</P><P>access-group outside in interface outside</P><P>telnet timeout 5</P><P>ssh timeout 5</P><P>console timeout 0</P><P>----</P><P>i see the following messages</P><P></P><P>%PIX-6-305011: Built dynamic ICMP translation from outside:172.31.0.2/2253 to in</P><P>side:10.0.0.1/30</P><P>%PIX-3-305005: No translation group found for icmp src outside:172.31.0.2 dst in</P><P>side:Insrv (type 8, code 0)</P><P>%PIX-6-305011: Built dynamic ICMP translation from outside:172.31.0.2/2254 to in</P><P>side:10.0.0.1/31</P><P>%PIX-3-305005: No translation group found for icmp src outside:172.31.0.2 dst in</P><P>side:Insrv (type 8, code 0)</P><P>%PIX-6-305011: Built dynamic ICMP translation from outside:172.31.0.2/2255 to in</P><P>side:10.0.0.1/32</P><P>%PIX-3-305005: No translation group found for icmp src outside:172.31.0.2 dst in</P><P>side:Insrv (type 8, code 0)</P><P>%PIX-6-305011: Built dynamic ICMP translation from outside:172.31.0.2/2256 to in</P><P>side:10.0.0.1/33</P><P>%PIX-3-305005: No translation group found for icmp src outside:172.31.0.2 dst in</P><P>side:Insrv (type 8, code 0)</P><P>%PIX-6-305011: Built dynamic ICMP translation from outside:172.31.0.2/2257 to in</P><P>side:10.0.0.1/34</P><P>%PIX-3-305005: No translation group found for icmp src outside:172.31.0.2 dst in</P><P>side:Insrv (type 8, code 0)</P><P>--------------</P><P>show xlate output</P><P>PAT Global 10.0.0.1(36) Local 172.31.0.2 ICMP id 5850</P><P>PAT Global 10.0.0.1(35) Local 172.31.0.2 ICMP id 5849</P><P></P><P></P><P></P></BODY></HTML> Wed, 22 Aug 2007 14:52:16 GMT https://community.cisco.com/t5/network-security/outside-nat-in-asa/m-p/716725#M421675 diptanshusingh 2007-08-22T14:52:16Z https://community.cisco.com/t5/network-security/outside-nat-in-asa/m-p/716726#M421676 <HTML><HEAD></HEAD><BODY><P>Now you are only translating the source address of the outside host, NAT for the destination address also has to be configured. You want to reach the inside host by its real address? Then you need to do this:</P><P></P><P>static (inside,outside) 10.0.0.10 10.0.0.10 netmask 255.255.255.255</P></BODY></HTML> Wed, 22 Aug 2007 15:00:46 GMT https://community.cisco.com/t5/network-security/outside-nat-in-asa/m-p/716726#M421676 mattiaseriksson 2007-08-22T15:00:46Z https://community.cisco.com/t5/network-security/outside-nat-in-asa/m-p/716727#M421677 <HTML><HEAD></HEAD><BODY><P>yeah got it.. but can i use dynamic nat .. in these cases instead of using static nat.</P></BODY></HTML> Wed, 22 Aug 2007 15:07:37 GMT https://community.cisco.com/t5/network-security/outside-nat-in-asa/m-p/716727#M421677 diptanshusingh 2007-08-22T15:07:37Z https://community.cisco.com/t5/network-security/outside-nat-in-asa/m-p/716728#M421678 <HTML><HEAD></HEAD><BODY><P>You can use the nat(0) to disable nat:</P><P></P><P>access-list 103 permit ip 10.0.0.0 255.255.255.0 any</P><P>nat (inside) 0 access-list 103</P><P></P><P>You can tune that acl to only allow some traffic if you want to.</P></BODY></HTML> Wed, 22 Aug 2007 15:50:19 GMT https://community.cisco.com/t5/network-security/outside-nat-in-asa/m-p/716728#M421678 mattiaseriksson 2007-08-22T15:50:19Z