https://community.cisco.com/t5/network-security/asa-5510-implicit-nat-rule/m-p/1396228#M703760 <HTML><HEAD></HEAD><BODY><P>should have posted the routes and few static nats inside</P><P></P><P>static (SKYHAWK,CTC) tcp interface ftp 10.9.1.3 ftp netmask 255.255.255.255</P><P>static (SKYHAWK,CTC) tcp interface www 10.9.1.3 www netmask 255.255.255.255 <BR />access-group SBC_access_in in interface CTC<BR />route CTC 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx</P><P>route SKYHAWK 10.10.0.0 255.255.0.0 10.9.1.2 1</P></BODY></HTML> Thu, 08 Apr 2010 14:56:51 GMT ISCONTACT 2010-04-08T14:56:51Z https://community.cisco.com/t5/network-security/asa-5510-implicit-nat-rule/m-p/1396227#M703758 <P>verions 7.0(2)</P><P></P><P>I had 1 internal server that is getting out through asa. I added a 2nd server but it does not have access. I've read that the implicit nat rule should work for both and I see nothing in the config that would show otherwise.</P><P></P><P>10.9.1.3 can currently ping out, browse , etc.&nbsp; 10.9.1.4 cannot.</P><P></P><P>10.9.1.4 can ping the inside interface and leave the asa, but it does not return.</P><P></P><P>when I ping with 10.9.1.3 the ping message returns and includes the outside interface in the message.</P><P>when the 10.9.1.4 pings, it tries to return, but the outside interface isnt included in the messae.</P><P></P><P></P><P>Pertinent lines on the config.</P><P></P><P>interface Ethernet0/0<BR /> nameif CTC<BR /> security-level 0<BR /> ip address xxx.xxx.xxx.xxx 255.255.xxx.xxx</P><P></P><P>asdm location 10.9.1.0 255.255.255.0 SKYHAWK<BR />asdm location 10.9.1.2 255.255.255.255 SKYHAWK<BR />asdm location 10.9.1.4 255.255.255.255 SKYHAWK</P><P></P><P>object-group service Internet tcp<BR /> description HTTP; DNS; HTTPS<BR /> port-object eq www<BR /> port-object eq domain<BR /> port-object eq https</P><P></P><P>access-list SBC_access_in extended permit tcp any interface CTC eq https <BR />access-list SBC_access_in extended permit tcp any interface CTC eq www</P><P></P><P>access-list site-tosite1 extended permit ip 10.10.0.0 255.255.0.0 172.17.3.0 255.255.255.0 <BR />access-list site-to-stie1 extended permit ip 10.9.1.0 255.255.255.0 172.17.3.0 255.255.255.0</P><P>access-list site-tosite2 extended permit ip 10.10.0.0 255.255.0.0 172.17.4.0 255.255.255.0 <BR />access-list site-to-stie2 extended permit ip 10.9.1.0 255.255.255.0 172.17.4..0 255.255.255.0</P><P></P><P>access-list SKYHAWK_nat0_outbound extended permit ip 10.10.0.0 255.255.0.0 172.17.3.0 255.255.255.0 <BR />access-list SKYHAWK_nat0_outbound extended permit ip 10.10.0.0 255.255.0.0 172.17.4.0 255.255.255.0</P><P></P><P>global (CTC) 10 interface<BR />nat (SKYHAWK) 0 access-list SKYHAWK_nat0_outbound<BR />nat (management) 10 0.0.0.0 0.0.0.0</P><P></P><P>icmp permit any CTC<BR />icmp permit any echo SKYHAWK<BR />icmp permit any echo-reply SKYHAWK</P><P></P><P></P><P></P><P>these 2 lines bother me, Ive had technicians look at the device before, these appear left over, there is no other reference to the names.</P><P>access-list SKYHAWK_access_out extended permit ip any any <BR />access-list SKYHAWK_access_in extended permit ip any any</P><P></P><P>should they be deleted?</P> Mon, 11 Mar 2019 17:30:26 GMT https://community.cisco.com/t5/network-security/asa-5510-implicit-nat-rule/m-p/1396227#M703758 ISCONTACT 2019-03-11T17:30:26Z https://community.cisco.com/t5/network-security/asa-5510-implicit-nat-rule/m-p/1396228#M703760 <HTML><HEAD></HEAD><BODY><P>should have posted the routes and few static nats inside</P><P></P><P>static (SKYHAWK,CTC) tcp interface ftp 10.9.1.3 ftp netmask 255.255.255.255</P><P>static (SKYHAWK,CTC) tcp interface www 10.9.1.3 www netmask 255.255.255.255 <BR />access-group SBC_access_in in interface CTC<BR />route CTC 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx</P><P>route SKYHAWK 10.10.0.0 255.255.0.0 10.9.1.2 1</P></BODY></HTML> Thu, 08 Apr 2010 14:56:51 GMT https://community.cisco.com/t5/network-security/asa-5510-implicit-nat-rule/m-p/1396228#M703760 ISCONTACT 2010-04-08T14:56:51Z