12-07-2011 03:33 PM - edited 03-11-2019 03:00 PM
Hello,
I have an ASA 5505 that can ping the printer 192.168.1.1 (connected to outside interface) and the workstation 10.1.1.1 (connected to inside interface). The workstation cannot ping the printer, and I cannot get the NAT to work to save my life. What is the best way to gain connectivity between the PC and the printer? Version 8.2(3). There is another printer and another PC that will need connectivity as well on the same subnets.
Thanks a ton -
12-07-2011 04:24 PM
Hello Martin,
As the printers are on the outside and the PCs on the inside, you just need traffic sourced from the inside to the outside.
For this scenario a Dynamic NAT or PAT will do it for you.
nat (inside) 1 0 0
global (outside) 1 interface
That is all you need if you want to initiate connections from a higher security level interface (inside) to a lower security level (outside) on an ASA running 8.2.
Please rate helpful posts
Regards,
Julio
12-21-2011 03:20 PM
There are two ways to do this:
Option #1:
no nat-control
access-list external permit icmp any any log
access-group external in interface outside
Option #2:
nat (inside) 1 0 0
global (outside) 1 interface
access-list external permit icmp any any log
access-group external in interface outside
By default, traffic initiated from the inside interface can traverse the firewall, go out and come back, with the exception of ICMP echo-reply.
12-21-2011 03:50 PM
Hello Martin,
The nat 0 does not affect this particular case because the destination is not on the 10.0.0.0 /8 subnet.
Are you doing the test just based on the pings?
Because you might need the command: fixup protocol icmp
All you need is the nat statement I sent you (PAT) and the ACL on the inside interface (only if you have one) allowing that communication.
Please attach the entire configuration, next step would be to do some captures
Please rate helpful posts
Regards,
Julio
12-21-2011 03:07 PM
Julio,
Thanks for your reply. This looks like it should work for me, but it does not - I hope I am missing something easy. There is a NO_NAT configuration in place, as some of the traffic cannot be natted (vpn traffic). Below is the relevant code, if you have any ideas, thanks a million.
I tried your suggestion
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface
with no luck.
I also tried static (inside,outside) 172.29.139.30 10.53.1.58 netmask 255.255.255.255, and those two hosts still cannot communicate.
I am basically trying to let 10.53.1.56 255.255.255.248 and 172.29.139.0 255.255.255.128 communicate.
10.53.1.58 is one of the PCs on the inside, and 172.29.139.30 is one of the printers on the outside.
=================================================================================
interface Vlan1
nameif inside
security-level 100
ip address 10.53.1.57 255.255.255.248
!
interface Vlan2
nameif outside
security-level 0
ip address 172.29.139.140 255.255.255.128
access-list No_NAT extended permit ip 10.53.1.56 255.255.255.248 10.0.0.0 255.0.0.0
access-list Outside_VPN extended permit ip 10.53.1.56 255.255.255.248 10.0.0.0 255.0.0.0
global (outside) 1 interface
nat (inside) 0 access-list No_NAT
============================================================================
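Putting the three pieces of advice from this thread together (Julio's dynamic PAT, David's note about nat-control and ICMP echo-reply, and the nat 0 exemption Martin already has), here is an added example of a complete ASA 8.2 configuration for Martin's addresses. It is not the configuration posted in the thread, nor Cisco's own example; the interface addresses, the No_NAT ACL and the /29 and /25 subnets come from Martin's post, while the comments and the verification commands at the end are assumptions about how a practitioner would check the result. Comment lines start with "!" and the exec-mode verification commands are shown as comments so the block can be pasted as-is.

```cisco
! Added example (not from the original post): ASA 8.2 inside PCs -> outside printers
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.53.1.57 255.255.255.248
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 172.29.139.140 255.255.255.128
!
! 1. NAT exemption only covers what its ACL matches. A PC talking to a printer
!    in 172.29.139.0/25 does NOT match this ACL (destination is not in
!    10.0.0.0/8), so the packet falls through to the rules below. With
!    nat-control enabled and no matching rule, the ASA drops it.
access-list No_NAT extended permit ip 10.53.1.56 255.255.255.248 10.0.0.0 255.0.0.0
nat (inside) 0 access-list No_NAT
!
! 2. Dynamic PAT for everything else leaving "inside". The id "1" ties the
!    nat statement to the global statement; "interface" hides the PCs behind
!    172.29.139.140, so the printers need no route back to 10.53.1.56/29.
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface
!
!    Alternative to step 2: forward inside->outside traffic untranslated. The
!    printers then see 10.53.1.x as the source and must route it back via
!    172.29.139.140. Check the current state with: show running-config nat-control
! no nat-control
!
! 3. ICMP is only tracked as a connection when it is inspected. Without this
!    the echo-reply from 172.29.139.30 is dropped on the outside interface.
!    On 8.2 "fixup protocol icmp" is converted into exactly this policy-map
!    entry; global_policy and inspection_default already exist in the default
!    configuration, only "inspect icmp" is added.
policy-map global_policy
 class inspection_default
  inspect icmp
service-policy global_policy global
!
! Verification from exec mode (assumed practitioner workflow, not in the thread):
! packet-tracer input inside icmp 10.53.1.58 8 0 172.29.139.30
!   -> expect phases NAT (nat (inside) 1 ...) and INSPECT (icmp) with Action: allow
! show xlate
!   -> PAT entry 10.53.1.58 -> 172.29.139.140 appears after the first ping
! show conn protocol icmp
!   -> the inspected ICMP connection while the ping is in flight
```

Two caveats from a security point of view. First, once `inspect icmp` is in place the echo-reply is matched to the inside-initiated connection and the outside ACL is not consulted for it, so the `access-list external permit icmp any any log` applied inbound on the outside interface in David's option is wider than this case needs: it also admits unsolicited ICMP from any outside host to any inside address. Prefer inspection over a blanket permit. Second, the `static (inside,outside) 172.29.139.30 10.53.1.58` line that was tried maps an inside host to the printer's own address, which already exists on the outside subnet; a static should use a free address on the outside network (or the interface address with port forwarding), otherwise the ASA and the printer both answer ARP for 172.29.139.30.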
12-22-2011 01:29 PM
Julio,
Thank you so much - it is working now and I hope to return the favor one day. I was testing with pings, and it looks like fixup protocol icmp did it for me. I now have a much better understanding of NAT/PAT as well.
Thanks and Happy Holidays -
Martin
12-22-2011 01:30 PM
Thanks David - it looks like I had multiple issues with fixup protocol icmp and no nat-control.
Happy Holidays !
Martin