12-14-2011 05:26 AM - edited 03-11-2019 03:01 PM
All,
I have a simple network setup that once had NAT set up on it. I am trying to remove it so the IP from the inside is the same when it goes past the outside interface. It was originally set up with a global NAT and static entries. I removed the NAT and left the static entries. As long as I have the static entry translating it from one subnet to the other, the traffic gets through (example: static (inside,outside) 172.16.100.3 172.16.100.66 netmask 255.255.255.255). But when I adjust the static statement to reflect the same IP (static (inside,outside) 172.16.100.66 172.16.100.66 netmask 255.255.255.255), the traffic does not get to the router. I have tried removing the static route altogether and it does not do any good either. I tried using an identity NAT statement, but that did not seem to work with the static (using the same IP; if I had the statement set to translate like in the first example, it worked) or without. Since I am very new to working with firewalls and I did not set this up, I want to run this by some more professional eyes. Below is the entire FW configuration. If you need more information, please ask. If you need the router config I can post it, but I really think it is a firewall problem and it has to do with going between 2 different subnets (inside and outside interfaces). I need to set it up so the IP from inside is retained when it goes past the outside interface. Any help would be appreciated.
Glenn
-------------------------------------------------------------------
Firewall configuration
ASA Version 7.0(8)
!
hostname Firewall1
enable password iMImA2JOC1SD encrypted
passwd 2KFQnbNIdI. encrypted
names
name 172.16.100.1 PERIM-RTR
dns-guard
!
interface Ethernet0/0
duplex full
nameif outside
security-level 0
ip address 172.16.100.2 255.255.255.224
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 172.16.100.65 255.255.255.224
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
ftp mode passive
access-list acl_out extended permit ip any any
access-list acl_in extended permit ip any any
pager lines 24
logging enable
logging timestamp
logging monitor notifications
logging buffered debugging
logging trap informational
logging asdm informational
logging host inside 172.16.100.66
logging debug-trace
mtu outside 1500
mtu inside 1500
mtu management 1500
icmp permit any outside
asdm image disk0:/asdm-508.bin
no asdm history enable
arp timeout 14400
static (inside,outside) 172.16.100.5 172.16.100.68 netmask 255.255.255.255
static (inside,outside) 172.16.100.6 172.16.100.69 netmask 255.255.255.255
static (inside,outside) 172.16.100.7 172.16.100.70 netmask 255.255.255.255
static (inside,outside) 172.16.100.8 172.16.100.71 netmask 255.255.255.255
static (inside,outside) 172.16.100.9 172.16.100.72 netmask 255.255.255.255
static (inside,outside) 172.16.100.10 172.16.100.73 netmask 255.255.255.255
static (inside,outside) 172.16.100.11 172.16.100.74 netmask 255.255.255.255
static (inside,outside) 172.16.100.12 172.16.100.75 netmask 255.255.255.255
static (inside,outside) 172.16.100.3 172.16.100.66 netmask 255.255.255.255
access-group acl_out in interface outside
access-group acl_in in interface inside
route outside 0.0.0.0 0.0.0.0 PERIM-RTR 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 0.0.0.0 0.0.0.0 inside
http 172.16.100.70 255.255.255.70 inside
http 172.16.100.66 255.255.255.255 inside
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd lease 3600
dhcpd ping_timeout 50
dhcpd enable management
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect icmp
!
service-policy global_policy global
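The difference between the translating static and the same-IP static in Glenn's post comes down to where the mapped address lives: a mapped address inside the outside interface's own subnet is one the ASA answers ARP for on behalf of the inside host, while a mapped address that keeps the inside subnet (the identity case) is one the next-hop router can only reach if it has a route for it pointing at the ASA. The script below is an added example, not code from the thread or from Cisco; it parses the interface blocks and `static` lines of an ASA 7.x-style config and reports, per static, which of the two situations applies. SAMPLE_CONFIG is a constructed excerpt in the style of the posted config (two of the original statics plus the identity static Glenn says he tried), and the verdict text encodes the proxy-ARP rule stated above, which is this example's assumption rather than a conclusion the thread reaches.

```python
import ipaddress
import re

# Constructed excerpt in the style of the ASA 7.0(8) config posted in the thread:
# the two addressed interfaces, two of the original translating statics, and the
# identity static Glenn describes trying. Sample input for this script only.
SAMPLE_CONFIG = """\
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 172.16.100.2 255.255.255.224
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 172.16.100.65 255.255.255.224
!
static (inside,outside) 172.16.100.5 172.16.100.68 netmask 255.255.255.255
static (inside,outside) 172.16.100.3 172.16.100.66 netmask 255.255.255.255
static (inside,outside) 172.16.100.66 172.16.100.66 netmask 255.255.255.255
"""

# PIX/ASA 7.x order: static (real_ifc,mapped_ifc) <mapped_ip> <real_ip> netmask <mask>
STATIC_RE = re.compile(
    r"^static \((?P<real_ifc>\w+),(?P<mapped_ifc>\w+)\)\s+"
    r"(?P<mapped>\S+)\s+(?P<real>\S+)\s+netmask\s+(?P<mask>\S+)"
)


def parse_interfaces(config):
    """Return {nameif: IPv4Interface} for every named interface that has an address."""
    interfaces = {}
    nameif = None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            nameif = None                      # new block; nameif comes later
        elif line.startswith("nameif "):
            nameif = line.split()[1]
        elif line.startswith("ip address ") and nameif:
            parts = line.split()               # tolerate a trailing "standby x.x.x.x"
            interfaces[nameif] = ipaddress.IPv4Interface(f"{parts[2]}/{parts[3]}")
    return interfaces


def parse_statics(config):
    """Return one dict per static line, with mapped/real as IPv4Address objects."""
    statics = []
    for raw in config.splitlines():
        m = STATIC_RE.match(raw.strip())
        if m:
            d = m.groupdict()
            d["mapped"] = ipaddress.IPv4Address(d["mapped"])
            d["real"] = ipaddress.IPv4Address(d["real"])
            statics.append(d)
    return statics


def check_statics(config):
    """For each static, report whether the mapped address sits in the mapped
    interface's connected subnet (ASA proxy-ARPs for it, router treats it as a
    local host) or outside it (router must have a route for it via the ASA)."""
    interfaces = parse_interfaces(config)
    results = []
    for s in parse_statics(config):
        if s["mapped_ifc"] not in interfaces or s["real_ifc"] not in interfaces:
            raise ValueError(f"static references an interface without an address: {s}")
        mapped_ifc = interfaces[s["mapped_ifc"]]
        real_net = interfaces[s["real_ifc"]].network
        entry = {
            "real": str(s["real"]),
            "mapped": str(s["mapped"]),
            "identity": s["real"] == s["mapped"],
            "real_in_real_subnet": s["real"] in real_net,
            "mapped_in_mapped_subnet": s["mapped"] in mapped_ifc.network,
        }
        if entry["mapped_in_mapped_subnet"]:
            entry["verdict"] = (f"{s['mapped']} is in {mapped_ifc.network}: ASA answers ARP "
                                f"for it on {s['mapped_ifc']}, no router route needed")
        else:
            entry["verdict"] = (f"{s['mapped']} is not in {mapped_ifc.network}: the "
                                f"{s['mapped_ifc']} next hop needs a route for {s['mapped']} "
                                f"via {mapped_ifc.ip}")
        results.append(entry)
    return results


if __name__ == "__main__":
    for r in check_statics(SAMPLE_CONFIG):
        kind = "identity" if r["identity"] else "translate"
        print(f"{kind:9s} {r['real']:>14s} -> {r['mapped']:<14s} {r['verdict']}")
```

Run against a real `show running-config` capture, the third line of output is the one to compare with what `show ip route 172.16.100.66` on the router reports: a translating static needs nothing on the router, while the identity static only works once the router knows the inside /27 is behind the ASA's outside address.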
12-19-2011 01:20 PM
Hi Glenn,
What does the output of 'show ip route 172.16.100.66' on the router give you?
-Mike