https://community.cisco.com/t5/network-security/static-nat-access-issues/m-p/1013661#M918755 <P>In attached configuration on asa5510 traffic will not pass through firewall from computers assigned to static nat. tested from ip 192.168.100.99 with dns,www and cannot ping hosts on dmz.</P><P></P><P></P><P></P><P></P><P></P> Mon, 11 Mar 2019 12:56:33 GMT dcholl1 2019-03-11T12:56:33Z https://community.cisco.com/t5/network-security/static-nat-access-issues/m-p/1013661#M918755 <P>In attached configuration on asa5510 traffic will not pass through firewall from computers assigned to static nat. tested from ip 192.168.100.99 with dns,www and cannot ping hosts on dmz.</P><P></P><P></P><P></P><P></P><P></P> Mon, 11 Mar 2019 12:56:33 GMT https://community.cisco.com/t5/network-security/static-nat-access-issues/m-p/1013661#M918755 dcholl1 2019-03-11T12:56:33Z https://community.cisco.com/t5/network-security/static-nat-access-issues/m-p/1013662#M918756 <HTML><HEAD></HEAD><BODY><P>Sorry config attached</P><P></P><P> </P><P></P></BODY></HTML> Sat, 07 Jun 2008 10:58:14 GMT https://community.cisco.com/t5/network-security/static-nat-access-issues/m-p/1013662#M918756 dcholl1 2008-06-07T10:58:14Z https://community.cisco.com/t5/network-security/static-nat-access-issues/m-p/1013663#M918757 <HTML><HEAD></HEAD><BODY><P>Hi Dennis,</P><P> Please add the following</P><P>access-list LAN_access_in line 2 permit ip 192.168.100.0 255.255.255.0 10.100.100.0 255.255.255.0</P><P>policy-map global_policy</P><P> class inspection_default</P><P> inspect icmp</P><P></P><P>I also strongly recommend to upgrade your IOS to at least 7.2(2)</P><P></P><P>Regards</P></BODY></HTML> Sat, 07 Jun 2008 12:40:39 GMT https://community.cisco.com/t5/network-security/static-nat-access-issues/m-p/1013663#M918757 Alan Huseyin Kayahan 2008-06-07T12:40:39Z https://community.cisco.com/t5/network-security/static-nat-access-issues/m-p/1013664#M918759 <HTML><HEAD></HEAD><BODY><P>This did not help</P><P>Have upgraded to 7.2 and can now ping to dmz but all access to wan is blocked on any host where a static nat rule applies ex. host 192.168.100.99 cannot access external webpages but host 192.168.100.33 can. Have also tested from WAN side all static rules seem to be working properly I can access https webserver from WAN address.</P><P></P><P>Have attached a new copy of running config please HELP!!!!</P><P></P><P></P><P></P><P> </P><P></P></BODY></HTML> Tue, 10 Jun 2008 22:03:29 GMT https://community.cisco.com/t5/network-security/static-nat-access-issues/m-p/1013664#M918759 dcholl1 2008-06-10T22:03:29Z https://community.cisco.com/t5/network-security/static-nat-access-issues/m-p/1013665#M918761 <HTML><HEAD></HEAD><BODY><P>You static NAT rules contain 192.168.100.199 192.168.100.133 (One Hundreed and Thirty Three)</P><P></P><P>Yet, you are trying to test using 192.168.100.99 and 192.168.100.33, these will be subject to the PAT (global command) and not the NAT.</P><P></P><P>Even then that should work fine.</P><P></P><P>Regards</P><P></P><P>Farrukh</P></BODY></HTML> Wed, 11 Jun 2008 01:33:47 GMT https://community.cisco.com/t5/network-security/static-nat-access-issues/m-p/1013665#M918761 Farrukh Haroon 2008-06-11T01:33:47Z https://community.cisco.com/t5/network-security/static-nat-access-issues/m-p/1013666#M918764 <HTML><HEAD></HEAD><BODY><P>I checked the config I posted and you are correct seems that I must have deleted the static nat rule I was testing with I will have to verify the running config on the firewall then retest. Thank You for the response. I also have a question everything on this config works execpt traffic from hosts with a static route to the WAN interface. On the hosts the firewall is not configured as the primary gateway. The primary gateway is 192.168.100.1 which then routes all traffic not specified by a route statement to the firewall @ 192.168.100.232 could this be the problem If so can I fix this without changing the hosts gateway as they do not communicate well with our internal network that way.</P></BODY></HTML> Wed, 11 Jun 2008 09:44:20 GMT https://community.cisco.com/t5/network-security/static-nat-access-issues/m-p/1013666#M918764 dcholl1 2008-06-11T09:44:20Z https://community.cisco.com/t5/network-security/static-nat-access-issues/m-p/1013667#M918766 <HTML><HEAD></HEAD><BODY><P>You could enable proxy arp on the primary gateway's interface on which these hosts are connected. But proxy arp is not part of good network design.</P><P></P><P>Regards</P><P></P><P>Farrukh</P><P></P><P></P></BODY></HTML> Wed, 11 Jun 2008 09:57:14 GMT https://community.cisco.com/t5/network-security/static-nat-access-issues/m-p/1013667#M918766 Farrukh Haroon 2008-06-11T09:57:14Z https://community.cisco.com/t5/network-security/static-nat-access-issues/m-p/1013668#M918768 <HTML><HEAD></HEAD><BODY><P>I will keep that in mind but should this work setup the way it is now??</P><P>Should I maybe put all hosts that need static nat on the dmz interface where the firewall is the gateway?</P><P></P><P></P></BODY></HTML> Wed, 11 Jun 2008 10:20:43 GMT https://community.cisco.com/t5/network-security/static-nat-access-issues/m-p/1013668#M918768 dcholl1 2008-06-11T10:20:43Z https://community.cisco.com/t5/network-security/static-nat-access-issues/m-p/1013669#M918773 <HTML><HEAD></HEAD><BODY><P>As a general rule, hosts that required Outside &gt;&gt; Internal access are placed in DMZ, other hosts that just need Inside &gt;&gt; Internet access, need not be placed in the DMZ.</P><P></P><P>All other hosts not covered by NAT should go out fine using the dynamic NAT nat (inside) statement, as long as they can reach their default gateway properly (or the routing is OK).</P><P></P><P>Regards</P><P></P><P>Farrukh</P></BODY></HTML> Wed, 11 Jun 2008 10:42:35 GMT https://community.cisco.com/t5/network-security/static-nat-access-issues/m-p/1013669#M918773 Farrukh Haroon 2008-06-11T10:42:35Z