
ASA - NO NAT - Ver 8.6

GRANT3779
Frequent Contributor

Hi All,

I have the following configured on my ASA, I've only put in what's relevant. There's not really much else on it anyways.

At the moment I believe all traffic is being NAT'd on the 192.168.127.x and 192.168.128.x /24 networks when going outside.

I want to however allow the subnets above in bold to access the inside network of 172.27.100.0 /22 (off of Gi0/1), and basically not have the ASA try to NAT this.

What do I need to add?

Thanks

!
interface GigabitEthernet0/0
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/0.127
 vlan 127
 nameif Vlan127
 security-level 50
 ip address 192.168.127.1 255.255.255.0
!
interface GigabitEthernet0/0.128
 vlan 128
 nameif Vlan128
 security-level 50
 ip address 192.168.128.1 255.255.255.0
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 172.27.100.160 255.255.252.0
!
interface GigabitEthernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/5
 nameif outside
 security-level 0
 ip address Public IP 255.255.255.0
!
interface Management0/0
 nameif management
 security-level 100
 ip address 10.44.240.190 255.255.255.0
 management-only
!
dns domain-lookup inside
dns server-group DefaultDNS
 name-server 10.44.241.50
 name-server 10.44.241.51
 domain-name Test.com
same-security-traffic permit inter-interface
object-group network DynamicNatInside
 network-object 192.168.127.0 255.255.255.0
 network-object 192.168.128.0 255.255.255.0
access-list Inside_To_Out extended permit ip object-group DynamicNatInside any
pager lines 24
logging asdm informational
mtu Vlan127 1500
mtu Vlan128 1500
mtu inside 1500
mtu outside 1500
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
asdm image disk0:/asdm-66114.bin
no asdm history enable
arp timeout 14400
!
nat (any,outside) after-auto source dynamic DynamicNatInside interface
access-group Inside_To_Out out interface outside
route outside 0.0.0.0 0.0.0.0 “PUBLIC IP”
route inside 172.16.0.0 255.240.0.0 172.27.100.10

17 REPLIES

Hi Grant,

Try to configure the following command and then check whether it works or not:

fixup protocol icmp

Hope this would help

- Prateek Verma

Hi,

Already suggested checking the "inspect" configurations under the "policy-map" configurations.

- Jouni

Hi Jouni,

My mistake, I didn't notice that.

- Prateek
