08-16-2011 08:29 AM - edited 03-11-2019 02:12 PM
Hello,
my question may sound stupid, but please explain to me the following behavior.
CISCO ASA 5505
Interfaces:
OUTSIDE - 194.50.90.221 255.255.255.0 / security level 0
DMZ - 192.168.12.254 255.255.255.0 / security level 25
INSIDE - 192.168.0.6 255.255.255.0 / security level 50
Now, if I want to ping from the DMZ to INSIDE, I get an error message "no translation group found for icmp src DMZ: ...... dst: INSIDE...."
I fixed it by adding "NAT 0" onto the INSIDE interface so that packets originating from "INSIDE" that are destined for "DMZ" do not get NAT'd.
Now my question is, because these are all directly connected networks, how come the firewall does not route the packets, but tries to NAT them instead?
08-16-2011 10:45 AM
Hi Peter,
Kindly go through the doc; if you have any queries, feel free to drop in:
http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/nat_control.html
-Varun
08-16-2011 08:39 AM
Hi Peter,
You would need the nat command only if you have nat-control enabled on the ASA; if it is "no nat-control", you would just need an access-list to go from your DMZ to inside.
You can check this by:
show run nat-control
It will tell you whether it is enabled or not.
Hope this helps.
Thanks,
Varun
08-16-2011 08:41 AM
A firewall is a security device. Its role is to separate trusted and untrusted networks. Part of that separation is controlled by the security level. You can't go from a less secure network to a more secure network without you specifically granting access (both NAT and ACL).
08-16-2011 09:54 AM
Thanks guys, makes sense now.
This was just one of the things I wanted to have clarified.
Yes, it is a firewall and not a router.
By the way, I am still a bit confused, because I tried to run the "show run nat-control" and it shows "no nat-control"...
Yes, I previously added access-lists to allow ICMP traffic flowing from the lower sec level to the higher sec level, but it won't work without having NAT 0 specified on the INSIDE interface...
But yeah, it makes sense that because this is a firewall and not a router, by default it's supposed to provide the least-permissive conditions for traffic to flow through its interfaces...
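As an added example (not from any post in this thread), here is an ASA 8.2-style configuration that puts the pieces discussed above together for the interfaces described: the identity NAT exemption ("nat 0") on INSIDE and an access list on DMZ that permits only ICMP echo toward INSIDE. The VLAN numbers and ACL names are assumptions.

```cisco
! Constructed example, not taken from the thread. VLAN numbers and ACL names
! are assumed; addresses and security levels are the ones the poster listed.
interface Vlan1
 nameif INSIDE
 security-level 50
 ip address 192.168.0.6 255.255.255.0
interface Vlan2
 nameif DMZ
 security-level 25
 ip address 192.168.12.254 255.255.255.0

! NAT exemption (identity NAT): traffic between INSIDE and DMZ matched by
! this ACL is passed without translation. This is the "NAT 0" the poster
! added to clear the "no translation group found" message.
access-list NONAT_INSIDE extended permit ip 192.168.0.0 255.255.255.0 192.168.12.0 255.255.255.0
nat (INSIDE) 0 access-list NONAT_INSIDE

! DMZ (level 25) to INSIDE (level 50) is lower-to-higher, so it needs an
! explicit ACL. Permit only echo requests toward INSIDE; everything else
! from DMZ to INSIDE stays denied, the least-permissive default the poster
! describes. Traffic from DMZ to OUTSIDE is unaffected by these two lines.
access-list DMZ_IN extended permit icmp 192.168.12.0 255.255.255.0 192.168.0.0 255.255.255.0 echo
access-list DMZ_IN deny ip any 192.168.0.0 255.255.255.0
access-group DMZ_IN in interface DMZ

! Stateful ICMP inspection lets the echo replies return without having to
! open ICMP from INSIDE to DMZ as well.
policy-map global_policy
 class inspection_default
  inspect icmp
```

Verify with "show run nat-control" (as suggested above) and "show xlate" after a test ping; with the exemption in place the INSIDE host should appear untranslated.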
08-17-2011 01:48 AM
Thanks all again, I have read the last article, makes sense, cheers
08-17-2011 02:03 AM
Sure Peter, you can mark the thread as answered if your queries are resolved.
-Varun