03-26-2010 06:27 AM - edited 03-11-2019 10:26 AM
Hi, I am trying to pass from 192.168.202.77 (VLAN1) to the web interface 192.168.20.12 (VLAN4).
Here is the configuration:
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.202.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address ***.***.***.*** 255.255.255.248
!
interface Vlan3
nameif dmz
security-level 50
no ip address
!
interface Vlan4
nameif wi-fi
security-level 60
ip address 192.168.20.1 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
switchport access vlan 3
!
interface Ethernet0/4
switchport access vlan 4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
...
access-list inside_access_in extended permit tcp host 192.168.202.77 host 192.168.20.12
access-list wi-fi extended permit tcp host 192.168.20.12 host 192.168.202.77
...
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
access-group wi-fi in interface wi-fi
...
static (inside,wi-fi) 192.168.20.12 192.168.202.77 netmask 255.255.255.255
static (wi-fi,inside) 192.168.202.77 192.168.20.12 netmask 255.255.255.255
...
Tell me please, what is the problem?
03-26-2010 08:03 AM
Hi,
If you want to access 192.168.20.12 from 192.168.202.77, static identity NAT can be used instead of the present static NAT config:
static (inside,wi-fi) 192.168.202.77 192.168.202.77 netmask 255.255.255.255
static (wi-fi,inside) 192.168.20.12 192.168.20.12 netmask 255.255.255.255
Regards
Joy
03-26-2010 03:20 PM
These lines are incorrect statements:
static (inside,wi-fi) 192.168.20.12 192.168.202.77 netmask 255.255.255.255
static (wi-fi,inside) 192.168.202.77 192.168.20.12 netmask 255.255.255.255
Please remove the above statements, and configure the following:
static (inside,wi-fi) 192.168.202.77 192.168.202.77 netmask 255.255.255.255
Please perform "clear xlate" after configuring the above.
If you are testing by ping, you might want to check if "inspect icmp" has been turned on.
Hope that helps.
03-29-2010 07:23 AM
Hi halijenn,
Is the destination NAT
static (wi-fi,inside) 192.168.20.12 192.168.20.12 netmask 255.255.255.255
required to reach 192.168.20.12?
Regards
Jithesh
03-29-2010 08:01 AM
No. Just this line
static (inside,wi-fi) 192.168.202.77 192.168.202.77 netmask 255.255.255.255
is good enough. This is bi-directional. With this line, inside host 192.168.202.77 can initiate connections to anyone on the wi-fi interface, and wi-fi can initiate connections to 192.168.202.77, provided the ACL applied on the wi-fi interface allows it.
-KS
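A small lint for the pre-8.3 `static (real_if,mapped_if) mapped_ip real_ip` syntax used in this thread, added here as an example and not posted by any participant. It flags the crossed pair from the question, where each static maps one host onto the other host's real address, and passes the single identity static; the function names and the check that a real address sits on its real interface (which assumes directly connected hosts) are assumptions of this example.

```python
import ipaddress
import re

# Constructed sample: interface and static lines copied from the question.
INTERFACES = """\
interface Vlan1
 nameif inside
 ip address 192.168.202.1 255.255.255.0
interface Vlan4
 nameif wi-fi
 ip address 192.168.20.1 255.255.255.0
"""
QUESTION_CONFIG = INTERFACES + """\
static (inside,wi-fi) 192.168.20.12 192.168.202.77 netmask 255.255.255.255
static (wi-fi,inside) 192.168.202.77 192.168.20.12 netmask 255.255.255.255
"""
# The single identity static suggested in the replies.
SUGGESTED_CONFIG = INTERFACES + (
    "static (inside,wi-fi) 192.168.202.77 192.168.202.77 netmask 255.255.255.255\n")
STATIC_RE = re.compile(r"static \((\S+),(\S+)\) (\S+) (\S+) netmask \S+")

def parse(config):
    """Return ({nameif: network}, [(real_if, mapped_if, mapped_ip, real_ip)])."""
    nets, statics, nameif = {}, [], None
    for line in map(str.strip, config.splitlines()):
        words = line.split()
        if line.startswith("interface "):
            nameif = None
        elif line.startswith("nameif "):
            nameif = words[1]
        elif line.startswith("ip address ") and nameif:
            nets[nameif] = ipaddress.ip_network(f"{words[2]}/{words[3]}", strict=False)
        elif (m := STATIC_RE.match(line)):
            # Pre-8.3 argument order: (real_if,mapped_if) mapped_ip real_ip
            statics.append((m[1], m[2], ipaddress.ip_address(m[3]), ipaddress.ip_address(m[4])))
    return nets, statics

def lint_statics(config):
    """Flag host statics whose mapped address is another static's real host."""
    nets, statics = parse(config)
    findings = []
    for real_if, mapped_if, mapped, real in statics:
        if mapped == real:
            continue  # identity NAT: the host keeps its own address
        if real_if in nets and real not in nets[real_if]:  # assumes directly connected hosts
            findings.append(f"({real_if},{mapped_if}) real {real} is not on {real_if}")
        if any(rif == mapped_if and r == mapped for rif, _, _, r in statics):
            findings.append(f"({real_if},{mapped_if}) mapped {mapped} is a real host on {mapped_if}")
    return findings
```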
03-29-2010 08:07 PM
Hi there,
Firstly, the configuration "static (wi-fi,inside) 192.168.202.77 192.168.20.12 netmask 255.255.255.255" seems unnecessary.
Secondly, you need to add an access-list to permit the traffic whose destination is your NATed address 192.168.20.12.
For example: "access-list out permit tcp any host 192.168.20.12"
I hope my suggestion is helpful.
Regards
Fox Mulder
03-30-2010 03:26 AM
Hi,
Thank you all for the answers!!!