NAT 9.1

infra.admin1
Level 1

Hi All,

I have an ASA 5525 running version 9.1(2).

I want to allow traffic from outside to inside and from inside to outside. I have also attached a diagram.

Thanks

4 Replies

shrising
Level 1

Hi Admin,

Configure a static NAT on the ASA, as you require bi-directional traffic flow.

Static NAT configuration example:

http://www.cisco.com/c/en/us/td/docs/security/asa/asa91/configuration/firewall/asa_91_firewall_config/nat_objects.html#pgfId-1106703

Hope this helps.

Regards,

Shrinkhala

Andre Neethling
Level 4

Hi. What traffic do you want to allow in, and what do you want to allow in?

Remember that traffic from a higher security level interface to a lower security level interface will be statefully inspected (except for ICMP by default), and the return traffic will be allowed. So this means for outgoing Internet traffic all you need is dynamic PAT (no ACL) if your outside interface security level is lower than your inside. For traffic coming from outside you need an access rule (ACL). If you need inside servers available on the outside, you will need static NAT rules.

Hi Andre,

Thanks for the reply. I configured as per the configuration below, and I want to allow all kinds of traffic including ICMP.

object network InsideTOoutside

host 11.11.11.2

nat (inside,outside) static 12.12.12.1

access-list 101 permit ip any any

access-group 101 in interface outside

route outside 0.0.0.0 0.0.0.0 12.12.12.2

11.11.11.2----------------------inside server IP

12.12.12.1----------------------firewall outside IP with /29 subnet mask

12.12.12.2-----------------------Internet gateway with /29 subnet mask

But it's not working; even from the firewall, 12.12.12.2 is not pingable.

Thanks

shrising
Level 1

Hi,

The NAT rule is correct.

You can troubleshoot the following:

- Run a packet tracer to confirm if the firewall is allowing the traffic:

packet-tracer input inside icmp 11.11.11.2 8 0 4.2.2.2 detailed

- Check the ARP entry for the gateway on the outside interface:

sh arp | inc 12.12.12.2

Confirm the entry is not stale.

Clear the ARP entry, then ping the gateway.

Check if the firewall learns the ARP entry again (if it does not, try changing the cable or check with your ISP).

- You can also test by enabling ICMP inspection:

ASA(config)# fixup protocol icmp
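As an added example (not posted by anyone in this thread), here is a tighter version of the configuration discussed above for ASA 9.1: static NAT for the server, dynamic PAT for the rest of the LAN, an inbound ACL limited to the exposed services instead of "permit ip any any", and ICMP inspection so echo replies are tracked statefully. It assumes interfaces named inside/outside, an inside LAN of 11.11.11.0/24, and a spare address from the outside /29 (12.12.12.3, constructed) as the server's public address; only HTTPS and ICMP echo are admitted from outside.

```text
! Added example, not from the thread. Assumptions: inside LAN 11.11.11.0/24,
! outside /29 with 12.12.12.3 (constructed) as the server's mapped address.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 12.12.12.1 255.255.255.248
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 11.11.11.1 255.255.255.0
!
! Default route in ASA syntax: interface, network, mask, next hop
route outside 0.0.0.0 0.0.0.0 12.12.12.2
!
! One-to-one static NAT for the server (works in both directions)
object network srv-inside
 host 11.11.11.2
 nat (inside,outside) static 12.12.12.3
!
! Dynamic PAT for everything else going out; no ACL needed inside->outside
object network inside-lan
 subnet 11.11.11.0 255.255.255.0
 nat (inside,outside) dynamic interface
!
! Inbound ACL: on ASA 8.3 and later the ACL matches the real (untranslated)
! address. Permit only what the server must expose; log the rest.
access-list OUTSIDE_IN extended permit tcp any host 11.11.11.2 eq 443
access-list OUTSIDE_IN extended permit icmp any host 11.11.11.2 echo
access-list OUTSIDE_IN extended deny ip any any log
access-group OUTSIDE_IN in interface outside
!
! Stateful ICMP inspection so echo replies return without an ACL entry
policy-map global_policy
 class inspection_default
  inspect icmp
!
! Verify from both directions (203.0.113.10 is a constructed test source)
! packet-tracer input outside tcp 203.0.113.10 12345 12.12.12.3 443 detailed
! packet-tracer input inside icmp 11.11.11.2 8 0 4.2.2.2 detailed
```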
