NATing problem

learnsec
Level 1

Dear all,

Problem: node A (located inside), having the ASA as its gateway, cannot reach the NTP server (located inside).

This is the scenario:

Node A is located in the inside zone.

The NTP server (a router) is also located in the inside zone.

On node A I had (for a certain reason) to change its gateway and set it to be the ASA, and I cannot add a static route on node A. Once this is done, node A cannot reach the NTP server anymore.

Although, if I ping the NTP server IP address (inside IP) from the ASA itself, the reply is successful.

Node C located in the DMZ and node D located in the outside zone on the same ASA can successfully synchronize with the NTP server (via its NATed IP address).

Can you explain how to troubleshoot this issue in order to let node A ping the NTP server and synchronize time?


7 Replies

varrao
Level 10

You are trying to U-turn the traffic on the ASA interface, which means traffic coming from inside needs to be turned back out the same interface (if the ASA is the default gateway), so you would need the following statements for it:

Let's say node A's network is 10.1.1.0/24

and the NTP server's real IP is 10.150.1.1,

so you would need:

static (inside,inside) 10.150.1.1 10.150.1.1 norand nailed

nat (inside) 5 10.1.1.0 255.255.255.0

global (inside) 5 interface

same-security-traffic permit intra-interface

and it should work after this. Let me know if you have any issues.

Thanks,

Varun

Thanks,
Varun Rao
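A worked configuration and verification for the hairpin (U-turn) described in the reply above, as an added example that is not part of the original thread. It assumes the pre-8.3 (ASA 8.2-style) NAT syntax used in the thread, an inside interface at 10.1.1.1/24, node A at 10.1.1.10 and the NTP server at 10.150.1.1; all addresses are hypothetical. The norand/nailed keywords from the reply are omitted here: norandomseq only affects TCP initial sequence number randomization, which does not apply to an NTP (UDP/123) or ICMP flow, and the identity static works without them.

```cisco
! ASA 8.2-style NAT (pre-8.3). Hypothetical addresses:
!   inside interface 10.1.1.1/24, node A 10.1.1.10, NTP server 10.150.1.1

! Without this, the ASA silently drops any packet that would leave
! through the interface it arrived on. It is the first thing to check.
same-security-traffic permit intra-interface

! Identity static for the NTP server on inside->inside: real and mapped
! address are the same, so the server is never translated and no broader
! dynamic rule (e.g. a nat (inside) 1 0 0) can catch its traffic.
static (inside,inside) 10.150.1.1 10.150.1.1 netmask 255.255.255.255

! PAT node A's network to the inside interface address when traffic
! turns around on inside. The server then replies to the ASA rather than
! straight to node A, so the ASA sees both halves of the flow and the
! return path is symmetric even though node A has no static route.
nat (inside) 5 10.1.1.0 255.255.255.0
global (inside) 5 interface

! --- Verification (exec mode) ---
! Simulate node A's NTP poll and read each phase (ROUTE-LOOKUP, ACCESS-LIST,
! NAT, FLOW-CREATION): the NAT phase should show 10.1.1.10 -> 10.1.1.1.
packet-tracer input inside udp 10.1.1.10 123 10.150.1.1 123 detailed

! Same check for the ICMP echo the original poster wants to use (type 8, code 0).
packet-tracer input inside icmp 10.1.1.10 8 0 10.150.1.1 detailed

! After a real poll from node A, confirm the translation and the UDP conn exist.
show xlate | include 10.1.1.10
show conn protocol udp port 123
show run same-security-traffic
```

If packet-tracer reports a drop in the ACCESS-LIST phase rather than the NAT phase, the intra-interface permit is missing or an inside ACL blocks the hairpin; a drop with "no translation group found" means the nat/global pair (or the identity static) is not matching the flow.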

Hello Varun,

I think that even if the ASA can reach (through ping) the NTP server and the node A network,

I also have to add a static (inside,inside).

But do I also have to add

nat (inside)

global (inside)

or is it enough to add the static?

Finally, what do you mean by:

"same-security-traffic permit intra-interface"?

Hi,

Yes, you would need the nat and global statements as well.

The same-security command permits traffic whose source and destination are behind the same interface, and it is a very important command in the case of U-turning the traffic.

Hope this helps.

Thanks,

Varun


Can I permit only specific traffic to communicate between a source and destination that are behind a certain defined interface?

For example inside?

To avoid any side effects that may occur.

Hi,

The statement :

static (inside,inside) 10.150.1.1 10.150.1.1 norand nailed

is specific to the 10.150.1.1 server only, so it should not hamper any other traffic. If you have any other questions, do let me know.

Thanks,

Varun

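The accepted answer above notes that the identity static is scoped to the one server; the dynamic nat/global pair in the earlier reply, however, PATs every inside-to-inside flow from node A's network. The following added example (not from the original thread) shows how to narrow the hairpin PAT to NTP and ICMP toward the server with a policy NAT access list, which directly answers the "side effects" question. It assumes the same hypothetical addresses as before (node A's network 10.1.1.0/24, NTP server 10.150.1.1) and the pre-8.3 NAT syntax; the ACL name NTP-HAIRPIN is made up.

```cisco
! Scope the hairpin PAT so that only NTP polls and ping from node A's
! network to the server are translated; every other inside-to-inside
! flow is left exactly as it was (no translation, no side effects).
access-list NTP-HAIRPIN extended permit udp 10.1.1.0 255.255.255.0 host 10.150.1.1 eq 123
access-list NTP-HAIRPIN extended permit icmp 10.1.1.0 255.255.255.0 host 10.150.1.1 echo

! Policy NAT: the nat_id references the ACL instead of a bare network.
nat (inside) 5 access-list NTP-HAIRPIN
global (inside) 5 interface

! The identity static for the server and the intra-interface permit are
! still required; they are unchanged from the basic hairpin.
static (inside,inside) 10.150.1.1 10.150.1.1 netmask 255.255.255.255
same-security-traffic permit intra-interface

! --- Verification ---
! An NTP poll should hit the policy NAT and be PATed to the interface address.
packet-tracer input inside udp 10.1.1.10 123 10.150.1.1 123

! A non-matching flow (e.g. SSH to the same server) must NOT show the
! 10.1.1.10 -> 10.1.1.1 translation in its NAT phase.
packet-tracer input inside tcp 10.1.1.10 1025 10.150.1.1 22

! Hit counts on the ACL confirm which flows the policy NAT is actually catching.
show access-list NTP-HAIRPIN
```

Note that the second packet-tracer still needs the intra-interface permit to pass the ACCESS-LIST phase; scoping the PAT only changes whether the flow is translated, not whether the U-turn itself is allowed.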

What are norand and nailed for?

Thanks,

Hi,

Here's the explanation:

http://www.cisco.com/en/US/customer/docs/security/asa/asa82/command/reference/s8.html#wp1512466

Did it solve the issue?

Thanks,

Varun
