Understanding NAT, ACL & Routing Process on Cisco ASA

marcelogalvan
Level 1

I normally configure my Cisco routers without any problem. But for now, I have a problem migrating 1 ISR 2921 configuration to an ASA 5508-X.

I have problems with:

- dynamic PAT

- static PAT

- inter-interface flow traffic and more, much more.

I saw and tried various configuration examples, and sometimes it works and sometimes not. Can someone help me to understand the differences between IOS routers and ASA config?

Here are my problems:

1. users on network 10.20.10.0/24 (connected to OUTSIDE_BRANCHES) can't reach PCs on network 10.10.10.0/24 (INSIDE)

interface GigabitEthernet0/1.100
 vlan 100
 nameif INSIDE
 security-level 100
 ip address 10.10.10.10 255.255.255.0
interface GigabitEthernet0/2.199
 vlan 199
 nameif OUTSIDE
 security-level 0
 ip address 190.1.1.1 255.255.255.252
interface GigabitEthernet0/2.200
 vlan 200
 nameif OUTSIDE_BRANCHES
 security-level 100
 ip address 10.20.20.20 255.255.255.0

access-list INSIDE_in permit extended ip any any
access-list OUTSIDE_BRANCHES_in permit extended ip any any

nat(inside,outside) after-auto source dynamic

route 10.20.10.0 255.255.255.0  10.10.10.9


Accepted Solutions

salman abid
Level 1

Hi marcelogalvana,

You need the command below to allow traffic between the INSIDE and OUTSIDE_BRANCHES interfaces, because of the same security level:

same-security-traffic permit inter-interface

Then, on the ASA it really matters how you applied the access-list, so please share 'show run access-group'.

Now let's discuss NAT. If you want to allow internet connection to all the users behind the INSIDE interface, then you need to configure object NAT to do PAT:

object network LAN_Internet
 subnet 0.0.0.0 0.0.0.0
 nat (INSIDE,OUTSIDE) dynamic interface

Please remember to select a correct answer and rate helpful posts
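
The two checks this answer points to (the same-security-level rule and whether each access-list is actually applied), as an added example that is not part of the original thread: a small Python audit over a saved running-config. The sample config is constructed from the question's interfaces; its `access-group` line and the function name `audit_asa_config` are assumptions made for illustration.

```python
import re
from itertools import combinations

# Constructed sample (not a device dump); the access-group line is an assumption.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/1.100
 nameif INSIDE
 security-level 100
interface GigabitEthernet0/2.199
 nameif OUTSIDE
 security-level 0
interface GigabitEthernet0/2.200
 nameif OUTSIDE_BRANCHES
 security-level 100
access-list INSIDE_in extended permit ip any any
access-list OUTSIDE_BRANCHES_in extended permit ip any any
access-group INSIDE_in in interface INSIDE
"""

def audit_asa_config(text):
    """List same-security interface pairs lacking the permit, and unapplied ACLs."""
    levels, nameif = {}, None            # nameif -> security-level
    acls, bound, inter_ok = set(), set(), False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            nameif = None                # a new interface block starts
        elif m := re.fullmatch(r"nameif (\S+)", line):
            nameif = m.group(1)
        elif (m := re.fullmatch(r"security-level (\d+)", line)) and nameif:
            levels[nameif] = int(m.group(1))
        elif m := re.match(r"access-list (\S+) ", line):
            acls.add(m.group(1))         # ACL is defined
        elif m := re.match(r"access-group (\S+) ", line):
            bound.add(m.group(1))        # ACL is applied somewhere
        elif line == "same-security-traffic permit inter-interface":
            inter_ok = True
    findings = []
    if not inter_ok:
        for a, b in combinations(sorted(levels), 2):
            if levels[a] == levels[b]:
                findings.append(f"{a} and {b} share security-level {levels[a]} but "
                                "'same-security-traffic permit inter-interface' is missing")
    for acl in sorted(acls - bound):
        findings.append(f"access-list {acl} is not applied by any access-group")
    return findings

if __name__ == "__main__":
    print("\n".join(audit_asa_config(SAMPLE_CONFIG)))
```

On the constructed sample it reports the INSIDE / OUTSIDE_BRANCHES pair and the unapplied OUTSIDE_BRANCHES_in list.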

Thanks Salman.

I put in the two lines and it works.

Now I am trying to understand the principles involved in NAT and ACL, in a deep way.

Thanks again.
