04-16-2015 12:46 AM - edited 03-11-2019 10:46 PM
Hi All,
I have an ASA 5525, version 9.1(2).
I want to allow traffic from outside to inside and from inside to outside. I have also attached a diagram.
Thanks
04-16-2015 06:42 AM
Hi Admin,
Configure a static NAT on the ASA, as you require bi-directional traffic flow.
Static NAT configuration example:
http://www.cisco.com/c/en/us/td/docs/security/asa/asa91/configuration/firewall/asa_91_firewall_config/nat_objects.html#pgfId-1106703
Hope this helps.
Regards,
Shrinkhala
04-16-2015 10:31 AM
Hi. What traffic do you want to allow in, and what do you want to allow out?
Remember that traffic from a higher security level interface to a lower security level interface is permitted by default. This traffic will be statefully inspected (except for ICMP by default), and the return traffic will be allowed. So this means that for outgoing Internet traffic all you need is dynamic PAT (no ACL), provided your outside interface security level is lower than your inside. For traffic coming from outside you need an access rule (ACL). If you need inside servers to be reachable from the outside, you will need static NAT rules.
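As an added worked example (not part of the original thread or of any reply in it), here is an ASA 9.1 configuration that puts the three points above into practice: dynamic PAT to the outside interface for all inside-initiated traffic, a static one-to-one NAT plus an outside ACL for one inside server, a default route to the ISP gateway, and ICMP inspection so that echo replies to inside-initiated pings are allowed back. Interface names, the RFC 5737 documentation addresses (192.0.2.0/29 outside, 10.0.0.0/24 inside), and the object and ACL names are assumptions; the `global_policy` / `inspection_default` pair is assumed to exist from the factory-default configuration.

```cisco
! --- Interfaces: inside is the trusted side (100), outside the untrusted side (0) ---
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 192.0.2.1 255.255.255.248
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0
!
! --- Default route toward the ISP gateway on the /29 (assumed address) ---
route outside 0.0.0.0 0.0.0.0 192.0.2.2 1
!
! --- Outbound: dynamic PAT of the whole inside subnet to the outside interface address.
!     Higher -> lower security level, so no ACL is needed; return traffic rides the state table.
object network INSIDE-NET
 subnet 10.0.0.0 255.255.255.0
 nat (inside,outside) dynamic interface
!
! --- Inbound: static one-to-one NAT for a single server. 192.0.2.3 is a spare address on the
!     /29; it does not have to be the interface address. Object NAT orders static before dynamic.
object network WEB-SERVER
 host 10.0.0.10
 nat (inside,outside) static 192.0.2.3
!
! --- Lower -> higher security level needs an explicit access rule. Since 8.3 the ACL matches the
!     REAL (untranslated) address of the server, not the mapped 192.0.2.3. Permit only the
!     services that are actually exposed rather than "ip any any".
access-list OUTSIDE-IN extended permit tcp any object WEB-SERVER eq 80
access-list OUTSIDE-IN extended permit tcp any object WEB-SERVER eq 443
access-list OUTSIDE-IN extended permit icmp any object WEB-SERVER echo
access-group OUTSIDE-IN in interface outside
!
! --- ICMP is not stateful by default; enabling inspection lets inside-initiated pings (and
!     ICMP errors such as TTL-exceeded from traceroute) return without an inbound ACL entry.
policy-map global_policy
 class inspection_default
  inspect icmp
  inspect icmp error
```

Two things worth checking after pasting this in: the ISP must actually route (or proxy-ARP for) 192.0.2.3 toward the ASA, otherwise the static NAT is correct but nothing ever arrives; and because the ACL references the real address, a rule written against 192.0.2.3 would silently never match on 8.3 and later.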
04-16-2015 11:26 PM
Hi Andre,
Thanks for the reply. I configured it as per the configuration below, and I want to allow all kinds of traffic, including ICMP.
! Static NAT of the inside server to the outside interface address
object network InsideTOoutside
 host 11.11.11.2
 nat (inside,outside) static 12.12.12.1
! Inbound access rule on the outside interface
access-list 101 extended permit ip any any
access-group 101 in interface outside
! Default route to the Internet gateway
route outside 0.0.0.0 0.0.0.0 12.12.12.2
11.11.11.2 ---------------------- inside server IP
12.12.12.1 ---------------------- firewall outside IP, /29 subnet mask
12.12.12.2 ---------------------- Internet gateway, /29 subnet mask
But it's not working; even from the firewall, 12.12.12.2 is not pingable.
Thanks
04-17-2015 01:25 AM
Hi ,
The NAT rule is correct.
You can troubleshoot with the following:
- Run a packet tracer to confirm whether the firewall is allowing the traffic:
packet-tracer input inside icmp 11.11.11.2 8 0 4.2.2.2 detailed
- Check the ARP entry for the gateway on the outside interface:
sh arp | inc 12.12.12.2
Confirm the entry is not stale.
Clear the ARP entry and ping the gateway.
Check whether the firewall learns the ARP entry again.
- You can also test by enabling ICMP inspection:
ASA(config)# fixup protocol icmp
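As an added verification sequence (not part of the reply above), the following walks through those checks on a 9.1 box in one pass and adds the two things a practitioner usually wants next: the inbound direction through the packet tracer, and a capture that shows whether the echo request actually leaves the outside interface and whether anything comes back. The inside, outside and gateway addresses are the ones posted in the thread; 4.2.2.2 is reused from the reply as the remote test host, and the capture names are assumptions.

```cisco
! 1. Outbound path: is the ASA itself permitting the server's ping and choosing the right
!    NAT rule and egress interface? Look at the NAT and ROUTE-LOOKUP phases and the final Action.
packet-tracer input inside icmp 11.11.11.2 8 0 4.2.2.2 detailed
!
! 2. Inbound path: a packet from the Internet aimed at the mapped address must be un-NATed to
!    11.11.11.2 and hit the outside ACL. A drop here points at the static rule or the ACL.
packet-tracer input outside icmp 4.2.2.2 8 0 12.12.12.1 detailed
!
! 3. Layer 2 toward the gateway. A missing or never-returning ARP entry means the problem is
!    cabling, VLAN, the /29 mask, or the ISP, not the firewall policy.
show interface outside
show route
show arp | include 12.12.12.2
clear arp outside
ping outside 12.12.12.2
show arp | include 12.12.12.2
!
! 4. NAT rules as the ASA sees them, and the translations actually built while traffic flows.
show nat detail
show xlate
!
! 5. On-box captures: does the echo request go out, does the reply come back, and if the ASA
!    dropped something, why? Start them, ping 4.2.2.2 from the server, then read them.
capture CAP-OUT interface outside match icmp any any
capture CAP-IN interface inside match icmp host 11.11.11.2 any
capture DROP type asp-drop all
show capture CAP-IN
show capture CAP-OUT
show capture DROP | include 11.11.11.2
!
! 6. Clean up when finished; captures keep consuming memory until removed.
no capture CAP-OUT
no capture CAP-IN
no capture DROP
```

Reading the result: a request seen in CAP-IN and CAP-OUT with no reply in CAP-OUT puts the fault upstream of the ASA; a request in CAP-IN but not CAP-OUT, together with an entry in the asp-drop capture, names the exact drop reason (for example a NAT or ACL mismatch) to go back and fix.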