02-05-2018 10:23 AM - edited 02-21-2020 07:17 AM
I normally configure my Cisco routers without any problem. But for now, I have a problem migrating 1 ISR 2921 configuration to an ASA 5508-X.
I have problems with:
- dynamic PAT
- static PAT
- inter-interface flow traffic and more, much more.
I saw and tried various configuration examples, and sometimes it works and sometimes not. Can someone help me understand the differences between IOS router and ASA config?
Here are my problems:
1. users on network 10.20.10.0/24 (connected to OUTSIDE_BRANCHES) can't reach PCs on network 10.10.10.0/24 (INSIDE)
interface GigabitEthernet0/1.100
vlan 100
nameif INSIDE
security-level 100
ip address 10.10.10.10 255.255.255.0
interface GigabitEthernet0/2.199
vlan 199
nameif OUTSIDE
security-level 0
ip address 190.1.1.1 255.255.255.252
interface GigabitEthernet0/2.200
vlan 200
nameif OUTSIDE_BRANCHES
security-level 100
ip address 10.20.20.20 255.255.255.0
access-list INSIDE_in extended permit ip any any
access-list OUTSIDE_BRANCHES_in extended permit ip any any
nat(inside,outside) after-auto source dynamic
route 10.20.10.0 255.255.255.0 10.10.10.9
02-05-2018 12:04 PM
Hi marcelogalvana,
You need the command below to allow traffic between the INSIDE and OUTSIDE_BRANCHES interfaces, because they have the same security level:
same-security-traffic permit inter-interface
Then, on the ASA it really matters how you applied the access-list, so please share 'show run access-group'.
Now let's discuss NAT. If you want to allow internet connection to all the users behind the INSIDE interface, then you need to configure object NAT to do PAT:
object network LAN_Internet
subnet 0.0.0.0 0.0.0.0
nat (INSIDE,OUTSIDE) dynamic interface
Please remember to select a correct answer and rate helpful posts
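The same-security-level rule from the answer above, as an added example that is not part of any post in this thread: a small Python check that reads `nameif` / `security-level` pairs from an ASA configuration and lists interface pairs that cannot exchange traffic because `same-security-traffic permit inter-interface` is absent. The function names are hypothetical and the sample configuration is constructed from the interfaces in the question.

```python
import re
from itertools import combinations

# Constructed sample modelled on the interfaces in the question above.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/1.100
 nameif INSIDE
 security-level 100
 ip address 10.10.10.10 255.255.255.0
interface GigabitEthernet0/2.199
 nameif OUTSIDE
 security-level 0
 ip address 190.1.1.1 255.255.255.252
interface GigabitEthernet0/2.200
 nameif OUTSIDE_BRANCHES
 security-level 100
 ip address 10.20.20.20 255.255.255.0
"""

PERMIT_INTER = "same-security-traffic permit inter-interface"

def parse_interfaces(config):
    """Return {nameif: security_level} for each named interface."""
    levels, name = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            name = None  # new interface block; wait for its nameif
        elif m := re.fullmatch(r"nameif (\S+)", line):
            name = m.group(1)
        elif (m := re.fullmatch(r"security-level (\d+)", line)) and name:
            levels[name] = int(m.group(1))
    return levels

def blocked_pairs(config):
    """Same-level interface pairs the ASA will not pass traffic between."""
    lines = {l.strip() for l in config.splitlines()}
    if PERMIT_INTER in lines:
        return []  # the global command is present, nothing is blocked by this rule
    levels = parse_interfaces(config)
    return sorted(
        tuple(sorted((a, b)))
        for a, b in combinations(levels, 2)
        if levels[a] == levels[b]
    )

if __name__ == "__main__":
    for a, b in blocked_pairs(SAMPLE_CONFIG):
        print(f"{a} <-> {b}: same security level, inter-interface traffic not permitted")
```

This only covers the same-security-level rule; access-groups, NAT and routing still need to be checked separately.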
02-06-2018 08:18 AM
Thanks Salman.
I put in the two lines and it works.
Now I am trying to understand the principles involved in NAT and ACL in a deeper way.
Thanks again.