https://community.cisco.com/t5/network-security/bidirectional-nat-works-but/m-p/1279420#M859351 <HTML><HEAD></HEAD><BODY><P>Hi Jon, below is from cisco.com</P><P></P><P>"outside (Optional) If this interface is on a lower security level than the interface you identify by the matching global statement, then you must enter outside. This feature is called outside NAT or bidirectional NAT."</P><P></P><P>anyway, you think by applying the statements in different order could be the issue? I'm trying to ping a device on the outside.</P><P></P><P>I will give it a try..thanks!</P><P></P><P></P><P></P><P></P></BODY></HTML> Tue, 16 Jun 2009 09:17:21 GMT opers13 2009-06-16T09:17:21Z https://community.cisco.com/t5/network-security/bidirectional-nat-works-but/m-p/1279418#M859347 <P>with my last post, I got bidirectional nat to work from outside -&gt; inside. Config below:</P><P></P><P>global (inside) 99 10.153.99.1</P><P>nat (outside) 99 10.148.12.0 255.255.255.0 outside</P><P></P><P>Now, the problem is getting NAT to work from inside -&gt; outside. This is the error message:</P><P></P><P>%ASA-3-305005: No translation group found for icmp src inside:10.153.13.18 dst....</P><P></P><P></P><P>So when I config the following everything breaks: (meaning NAT in any direction stops working)</P><P></P><P>global (outside) 1 interface</P><P>nat (inside) 1 10.153.0.0 255.255.0.0</P><P></P><P>nat-control is disabled.</P><P></P><P>thanks in advance!</P><P></P> Mon, 11 Mar 2019 15:43:52 GMT https://community.cisco.com/t5/network-security/bidirectional-nat-works-but/m-p/1279418#M859347 opers13 2019-03-11T15:43:52Z https://community.cisco.com/t5/network-security/bidirectional-nat-works-but/m-p/1279419#M859349 <HTML><HEAD></HEAD><BODY><P>Alex</P><P></P><P>global (inside) 99 10.153.99.1</P><P>nat (outside) 99 10.148.12.0 255.255.255.0 outside </P><P></P><P>this not bi-directional NAT. What it does is translate any incoming 10.148.12.x address on the outside to 10.153.99.1 on the inside</P><P></P><P>Regardless, i'm not sure why your'e other nat is not working.</P><P></P><P>Try </P><P></P><P>1) removing both NAT statements. Then apply </P><P></P><P>nat (inside) 1 10.153.0.0 255.255.0.0</P><P>global (outside) 1 interface </P><P></P><P>and then </P><P></P><P>global (inside) 99 10.153.99.1</P><P>nat (outside) 99 10.148.12.0 255.255.255.0 outside </P><P></P><P>Don't forget to do a clear xlate when you make NAT changes.</P><P></P><P>Also your ping, what device are you pinging and is it located on the outside of the ASA ?</P><P></P><P>Jon</P><P></P><P>Jon</P></BODY></HTML> Tue, 16 Jun 2009 09:06:59 GMT https://community.cisco.com/t5/network-security/bidirectional-nat-works-but/m-p/1279419#M859349 Jon Marshall 2009-06-16T09:06:59Z https://community.cisco.com/t5/network-security/bidirectional-nat-works-but/m-p/1279420#M859351 <HTML><HEAD></HEAD><BODY><P>Hi Jon, below is from cisco.com</P><P></P><P>"outside (Optional) If this interface is on a lower security level than the interface you identify by the matching global statement, then you must enter outside. This feature is called outside NAT or bidirectional NAT."</P><P></P><P>anyway, you think by applying the statements in different order could be the issue? I'm trying to ping a device on the outside.</P><P></P><P>I will give it a try..thanks!</P><P></P><P></P><P></P><P></P></BODY></HTML> Tue, 16 Jun 2009 09:17:21 GMT https://community.cisco.com/t5/network-security/bidirectional-nat-works-but/m-p/1279420#M859351 opers13 2009-06-16T09:17:21Z https://community.cisco.com/t5/network-security/bidirectional-nat-works-but/m-p/1279421#M859352 <HTML><HEAD></HEAD><BODY><P>Alex</P><P></P><P>I stand corrected <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span> - +5</P><P></P><P>Jon</P></BODY></HTML> Tue, 16 Jun 2009 09:22:14 GMT https://community.cisco.com/t5/network-security/bidirectional-nat-works-but/m-p/1279421#M859352 Jon Marshall 2009-06-16T09:22:14Z https://community.cisco.com/t5/network-security/bidirectional-nat-works-but/m-p/1279422#M859353 <HTML><HEAD></HEAD><BODY><P>Jon, </P><P></P><P>got this to work with the following:</P><P></P><P>Enabled same-security level:</P><P></P><P>same-security-traffic permit inter-interface</P><P></P><P>Changed security-level from 0 to 100</P><P></P><P>interface Ethernet0/2</P><P> speed 100</P><P> duplex full</P><P> nameif test</P><P> security-level 100</P><P> ip address 10.153.0.205 255.255.255.252</P><P></P><P></P><P>Added NAT 0:</P><P></P><P>nat (test) 0 access-list nonat</P><P></P><P>access-list nonat extended permit ip any any</P><P></P><P></P><P></P><P></P></BODY></HTML> Mon, 22 Jun 2009 17:52:40 GMT https://community.cisco.com/t5/network-security/bidirectional-nat-works-but/m-p/1279422#M859353 opers13 2009-06-22T17:52:40Z