https://community.cisco.com/t5/network-security/static-nat-on-asa5505/m-p/929878#M937195 <HTML><HEAD></HEAD><BODY><P>Ok the issue is I need to NAT a couple of address'. with it all configured as above the issue is as follows; the hosts that have the NAT address cannot access the outside network (internet) nor can the outside see the selected services that have been set for them.</P><P>I have run Packet tracer for www packets out and it fails on an access list which is the system default deny any any Implicit rule.</P><P>I have rules that allow www from inside and they work fine when there are no NAT configured address' I have conpared this with another ASA that works and can't see any difference.</P><P>I am lost at this point and all help is greatly appreciated.</P><P>Regards</P><P>Greg</P></BODY></HTML> Thu, 29 May 2008 06:26:13 GMT gregwilmot 2008-05-29T06:26:13Z https://community.cisco.com/t5/network-security/static-nat-on-asa5505/m-p/929872#M937186 <P>Hi</P><P>i am trying to configure static nat for one address and as soon as i add the nat rule the internal host stops seeing the outside world. what have i forgotten to do? </P><P>All help greatly appreciated, First timer!!</P><P></P> Mon, 11 Mar 2019 12:50:30 GMT https://community.cisco.com/t5/network-security/static-nat-on-asa5505/m-p/929872#M937186 gregwilmot 2019-03-11T12:50:30Z https://community.cisco.com/t5/network-security/static-nat-on-asa5505/m-p/929873#M937188 <HTML><HEAD></HEAD><BODY><P>Most likely, you will need to post your NAT configuration for review.</P><P></P></BODY></HTML> Tue, 27 May 2008 16:18:26 GMT https://community.cisco.com/t5/network-security/static-nat-on-asa5505/m-p/929873#M937188 michael.leblanc 2008-05-27T16:18:26Z https://community.cisco.com/t5/network-security/static-nat-on-asa5505/m-p/929874#M937189 <HTML><HEAD></HEAD><BODY><P>Hi thanks for your interest here you are.</P><P>ASA Version 7.2(3) </P><P>!</P><P>hostname N***********</P><P>domain-name d***********</P><P>enable password xxx</P><P>names</P><P>!</P><P>interface Vlan1</P><P> nameif inside</P><P> security-level 100</P><P> dhcp client update dns</P><P> ip address 192.168.10.254 255.255.255.0 </P><P>!</P><P>interface Vlan2</P><P> nameif outside</P><P> security-level 0</P><P> ip address 6**.***.***.2 255.255.255.0 </P><P>!</P><P>interface Vlan3</P><P> no forward interface Vlan1</P><P> nameif dmz</P><P> security-level 50</P><P> ip address dhcp </P><P>!</P><P>interface Ethernet0/0</P><P> switchport access vlan 2</P><P>!</P><P>interface Ethernet0/1</P><P>!</P><P>interface Ethernet0/2</P><P>!</P><P>interface Ethernet0/3</P><P>!</P><P>interface Ethernet0/4</P><P>!</P><P>interface Ethernet0/5</P><P>!</P><P>interface Ethernet0/6</P><P>!</P><P>interface Ethernet0/7</P><P>!</P><P>passwd 2KFQnbNIdI.2KYOU encrypted</P><P>ftp mode passive</P><P>clock timezone EST -5</P><P>clock summer-time EDT recurring</P><P>dns domain-lookup inside</P><P>dns domain-lookup outside</P><P>dns server-group DefaultDNS</P><P> name-server 192.168.2.20</P><P> name-server 192.168.10.202</P><P> domain-name *****************</P><P>same-security-traffic permit intra-interface</P><P>object-group network Trusted-LAN-Hosts</P><P> network-object host 192.168.10.10</P><P> network-object host 192.168.10.197</P><P> network-object host 192.168.10.198</P><P> network-object host 192.168.10.202</P><P>access-list inside_access_in extended permit tcp 192.168.10.0 255.255.255.0 any eq www </P><P>access-list inside_access_in extended permit udp 192.168.10.0 255.255.255.0 any eq domain </P><P>access-list inside_access_in extended permit udp 192.168.10.0 255.255.255.0 any eq isakmp </P><P>access-list inside_access_in extended permit tcp 192.168.10.0 255.255.255.0 any eq ldap </P><P>access-list inside_access_in extended permit tcp 192.168.10.0 255.255.255.0 any eq https </P><P>access-list inside_nat0_outbound extended permit ip 192.168.10.0 255.255.255.0 192.168.2.0 255.255.255.0 </P><P>access-list outside_access_in extended permit esp any 6**.***.***.0 255.255.255.0 </P><P>access-list outside_access_in extended permit gre any 6**.***.***.0 255.255.255.0 </P><P>pager lines 24</P><P>logging enable</P><P>logging asdm informational</P><P>mtu inside 1500</P><P>mtu outside 1500</P><P>mtu dmz 1500</P><P>ip local pool Remote-pool 192.168.4.1-192.168.4.254 mask 255.255.255.0</P><P>icmp unreachable rate-limit 1 burst-size 1</P><P>asdm image disk0:/asdm-523.bin</P><P>no asdm history enable</P><P>arp timeout 14400</P><P>global (outside) 1 interface</P><P>nat (inside) 0 access-list inside_nat0_outbound</P><P>nat (inside) 1 192.168.10.0 255.255.255.0</P><P>static (inside,outside) 6**.***.***.10 192.168.10.202 netmask 255.255.255.255 </P><P>access-group inside_access_in in interface inside</P><P>access-group outside_access_in in interface outside</P><P>route outside 0.0.0.0 0.0.0.0 6**.***.***.1 1</P><P>timeout xlate 3:00:00</P><P>timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02</P><P>timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00</P><P>timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00</P><P>timeout uauth 0:05:00 absolute</P><P>http server enable</P><P>http 192.168.10.0 255.255.255.0 inside</P><P>no snmp-server location</P><P>no snmp-server contact</P></BODY></HTML> Wed, 28 May 2008 06:28:22 GMT https://community.cisco.com/t5/network-security/static-nat-on-asa5505/m-p/929874#M937189 gregwilmot 2008-05-28T06:28:22Z https://community.cisco.com/t5/network-security/static-nat-on-asa5505/m-p/929875#M937190 <HTML><HEAD></HEAD><BODY><P>I'll let someone more familiar with the ASA help you.</P></BODY></HTML> Wed, 28 May 2008 12:48:47 GMT https://community.cisco.com/t5/network-security/static-nat-on-asa5505/m-p/929875#M937190 michael.leblanc 2008-05-28T12:48:47Z https://community.cisco.com/t5/network-security/static-nat-on-asa5505/m-p/929876#M937191 <HTML><HEAD></HEAD><BODY><P>Thanks </P><P>I also have dug this out if it helps</P><P>Result of the command: "sh running-config nat"</P><P></P><P>nat (inside) 0 access-list inside_nat0_outbound</P><P>nat (inside) 1 192.168.10.0 255.255.255.0</P><P></P><P>All I need to do is set NAT for a couple of IP for a couple of services.</P><P>thanks all for yyour assitance in advance.</P><P>Greg</P></BODY></HTML> Wed, 28 May 2008 14:48:20 GMT https://community.cisco.com/t5/network-security/static-nat-on-asa5505/m-p/929876#M937191 gregwilmot 2008-05-28T14:48:20Z https://community.cisco.com/t5/network-security/static-nat-on-asa5505/m-p/929877#M937193 <HTML><HEAD></HEAD><BODY><P>Greg,</P><P></P><P>Could you be more specific about your problem. Config looks fine.</P></BODY></HTML> Wed, 28 May 2008 14:55:29 GMT https://community.cisco.com/t5/network-security/static-nat-on-asa5505/m-p/929877#M937193 acomiskey 2008-05-28T14:55:29Z https://community.cisco.com/t5/network-security/static-nat-on-asa5505/m-p/929878#M937195 <HTML><HEAD></HEAD><BODY><P>Ok the issue is I need to NAT a couple of address'. with it all configured as above the issue is as follows; the hosts that have the NAT address cannot access the outside network (internet) nor can the outside see the selected services that have been set for them.</P><P>I have run Packet tracer for www packets out and it fails on an access list which is the system default deny any any Implicit rule.</P><P>I have rules that allow www from inside and they work fine when there are no NAT configured address' I have conpared this with another ASA that works and can't see any difference.</P><P>I am lost at this point and all help is greatly appreciated.</P><P>Regards</P><P>Greg</P></BODY></HTML> Thu, 29 May 2008 06:26:13 GMT https://community.cisco.com/t5/network-security/static-nat-on-asa5505/m-p/929878#M937195 gregwilmot 2008-05-29T06:26:13Z https://community.cisco.com/t5/network-security/static-nat-on-asa5505/m-p/929879#M937196 <HTML><HEAD></HEAD><BODY><P>Greg</P><P></P><P>would you please clarify why you have both the .10 n/w and the .2 n/w in your no nat statement? What network are the users (who cant access the outside) on? Also, have you ran the Live log in debugging mode to see why the packets are being dropped?</P><P></P><P>access-list inside_nat0_outbound extended permit ip 192.168.10.0 255.255.255.0 192.168.2.0 255.255.255.0 </P></BODY></HTML> Thu, 29 May 2008 08:31:09 GMT https://community.cisco.com/t5/network-security/static-nat-on-asa5505/m-p/929879#M937196 SOL10 2008-05-29T08:31:09Z https://community.cisco.com/t5/network-security/static-nat-on-asa5505/m-p/929880#M937197 <HTML><HEAD></HEAD><BODY><P>hi </P><P>the access-list inside_nat0_outbound extended permit ip 192.168.10.0 255.255.255.0 192.168.2.0 255.255.255.0 refers to the vpn tunel that is in place between the two networks.</P><P></P><P>static ip address' from the .10 network can not access the outside world ( internet )</P></BODY></HTML> Thu, 29 May 2008 09:17:16 GMT https://community.cisco.com/t5/network-security/static-nat-on-asa5505/m-p/929880#M937197 gregwilmot 2008-05-29T09:17:16Z https://community.cisco.com/t5/network-security/static-nat-on-asa5505/m-p/929881#M937198 <HTML><HEAD></HEAD><BODY><P>Grege</P><P></P><P>try changing the seq number of your nat's (not your statics). as seq 0 is a no nat and seq1 is then asking the same network .10 to to be translated. </P><P></P><P>Have you tried using the Live Log viewer? try this and let me know how you get on</P><P>Regards</P><P></P><P>Sol</P></BODY></HTML> Thu, 29 May 2008 12:10:16 GMT https://community.cisco.com/t5/network-security/static-nat-on-asa5505/m-p/929881#M937198 SOL10 2008-05-29T12:10:16Z https://community.cisco.com/t5/network-security/static-nat-on-asa5505/m-p/929882#M937200 <HTML><HEAD></HEAD><BODY><P>Hi</P><P></P><P>thanks for that. I have looked at the live viewer and it doesn't display any deny's etc. it does display the tear down on the particular NAT address. so this would say to me it is getting out but the response is not getting back in. I am not sure really.</P><P>how do i change teh seq no's?</P><P></P><P>thanks for your assistance.</P><P></P><P>Greg</P></BODY></HTML> Fri, 30 May 2008 07:25:59 GMT https://community.cisco.com/t5/network-security/static-nat-on-asa5505/m-p/929882#M937200 gregwilmot 2008-05-30T07:25:59Z