06-01-2011 01:42 AM - edited 03-11-2019 01:40 PM
Hi
I have a 5510 with just an inside and outside interface, everything works on the lan inc internet access and exchange hosting to the net, but I have another exchange server on the wan and I can't get to that because I'm not natting inbound traffic and the default route sends traffic elsewhere.
Soooooooooo
If I put a nat any statement on the inside interface inbound it works, however all LAN internet traffic fails with a No translation group found error!!
I've removed the static nat commands as they are all named anyway, but below is what I have before I do a nat any inside inbound command
global (outside) 1 interface
global (inside) 2 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
Any help please?
Thanks
Kev
06-01-2011 06:37 AM
Hi Kev,
If I understand your requirements correctly, you need the following:
1. Dynamic PAT to allow LAN hosts to get to the Internet (translate internal IPs to the outside interface IP)
2. Static NAT to allow the Exchange server on the WAN to talk to your Exchange server on the LAN
Is that correct?
If so, you should set up something like this:
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside)netmask 255.255.255.255
The first 2 statements will take care of requirement number 1. The static statement will take care of requirement number 2 and will be used to translate your LAN Exchange server to a public IP on the WAN that the WAN Exchange server can talk to (so,
You'll also need to make sure the inbound access-list on your outside interface allows the WAN Exchange server to talk to the LAN Exchange server's public IP on the appropriate ports.
Hope that helps.
-Mike
06-01-2011 06:49 AM
Hi Mike
Thanks for the reply, half right
Yes the inside users do need access to the internet which they do have, but it's the https access to both exchange servers from the internet needed.
Server1 is local lan where the ASA is
Server2 is on a remote site
The problem is we have a default route for 0.0.0.0 going to another site with internet access, so server2 is sending its replies to that other site. I put a blanket nat everything coming from the internet to inside interface ip address and we have access to server2................. however it went t1ts up on the local lan which is why I got the above error message.
global (outside) 1 interface
global (inside) 2 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp server1_EXT server1-INT netmask 255.255.255.255
static (inside,outside) tcp server2_EXT server2-INT netmask 255.255.255.255
I need to nat any global ip address to an inside address going to any 192.168.0.0/16 & 172.16.0.0/16 but not 172.17.0.0/16
what do you think?
06-01-2011 08:06 AM
Hi
Ok, a mate (Scott) sorted it for me, he isn't on here so I can't give the rating, but this sorted it.
I was trying to map many to 1 real addresses to 1 mapped address with static NAT
access-list SOURCENAT permit ip 0.0.0.0 0.0.0.0 192.168.9.245 255.255.255.255
nat (outside) 2 access-list SOURCENAT
global (inside) 2 173.17.2.4
cheers kev
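The asymmetric-routing problem and the outside source NAT fix from the last post, modelled as an added example (not code from the thread or from Cisco). The server's routing table, the client address 198.51.100.7, and the reading of 192.168.9.245 as the remote server are assumptions; the ACL and mapped address are the thread's.

```python
import ipaddress as ip

# Constructed routing table for the remote server (assumption, not from the thread):
# its default route leaves via the other site; the mapped address routes back to the ASA.
SERVER_ROUTES = [
    ("0.0.0.0/0", "other-site"),
    ("173.17.2.4/32", "asa-inside"),
]
# From the thread: access-list SOURCENAT permit ip 0.0.0.0 0.0.0.0 192.168.9.245 255.255.255.255
SOURCENAT = [("0.0.0.0/0", "192.168.9.245/32")]
# From the thread: global (inside) 2 173.17.2.4
MAPPED = "173.17.2.4"


def next_hop(routes, dst):
    """Longest-prefix match over (prefix, hop) pairs, as a router does."""
    addr = ip.ip_address(dst)
    matches = [(ip.ip_network(p), hop) for p, hop in routes
               if addr in ip.ip_network(p)]
    return max(matches, key=lambda m: m[0].prefixlen)[1]


def outside_source_nat(src, dst, acl=SOURCENAT, mapped=MAPPED):
    """Rewrite the source of outside-to-inside traffic that matches the ACL."""
    for src_net, dst_net in acl:
        if (ip.ip_address(src) in ip.ip_network(src_net)
                and ip.ip_address(dst) in ip.ip_network(dst_net)):
            return mapped, dst
    return src, dst  # no match: packet is left untranslated


def reply_path(client, server, translate):
    """Return the source the server sees and where its reply is routed."""
    src, _ = outside_source_nat(client, server) if translate else (client, server)
    # The server replies to whatever source address arrived in the packet.
    return {"server_sees": src, "reply_via": next_hop(SERVER_ROUTES, src)}


if __name__ == "__main__":
    client = "198.51.100.7"  # constructed Internet client address
    print("no source NAT:", reply_path(client, "192.168.9.245", False))
    print("source NAT:   ", reply_path(client, "192.168.9.245", True))
```

With the translation in place the server's own logs show only the mapped address for every Internet client, so the firewall's translation and connection logs are what tie a session back to the real source.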