02-03-2014 04:10 AM - edited 03-11-2019 08:39 PM
Hi All,
I have the following configured on my ASA, I've only put in what's relevant. There's not really much else on it anyways.
At the moment I believe all traffic is being NAT'd on the 192.168.127.x and 192.168.128.x /24 networks when going outside.
I want, however, to allow the subnets above in bold to access the inside network of 172.27.100.0 /22 (off of Gi0/1), and basically not have the ASA try to NAT this.
What do I need to add?
Thanks
!
interface GigabitEthernet0/0
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/0.127
 vlan 127
 nameif Vlan127
 security-level 50
 ip address 192.168.127.1 255.255.255.0
!
interface GigabitEthernet0/0.128
 vlan 128
 nameif Vlan128
 security-level 50
 ip address 192.168.128.1 255.255.255.0
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 172.27.100.160 255.255.252.0
!
interface GigabitEthernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/5
 nameif outside
 security-level 0
 ip address Public IP 255.255.255.0
!
interface Management0/0
 nameif management
 security-level 100
 ip address 10.44.240.190 255.255.255.0
 management-only
!
dns domain-lookup inside
dns server-group DefaultDNS
 name-server 10.44.241.50
 name-server 10.44.241.51
 domain-name Test.com
same-security-traffic permit inter-interface
object-group network DynamicNatInside
 network-object 192.168.127.0 255.255.255.0
 network-object 192.168.128.0 255.255.255.0
access-list Inside_To_Out extended permit ip object-group DynamicNatInside any
pager lines 24
logging asdm informational
mtu Vlan127 1500
mtu Vlan128 1500
mtu inside 1500
mtu outside 1500
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
asdm image disk0:/asdm-66114.bin
no asdm history enable
arp timeout 14400
!
nat (any,outside) after-auto source dynamic DynamicNatInside interface
access-group Inside_To_Out out interface outside
route outside 0.0.0.0 0.0.0.0 “PUBLIC IP”
route inside 172.16.0.0 255.240.0.0 172.27.100.10
02-04-2014 07:49 AM
Hi Grant,
Try configuring the following command and then check whether it works or not:
fixup protocol icmp
Hope this would help
- Prateek Verma
02-04-2014 07:51 AM
Hi,
Already suggested checking the "inspect" configurations under the "policy-map" configurations.
- Jouni
02-04-2014 07:54 AM
Hi Jouni,
My mistake, I didn't notice that.
- Prateek