01-17-2014 04:14 PM - edited 03-07-2019 05:38 PM
I'm at a loss why the following is not working. I have inherited this environment and have very little experience with this. Have gotten most things working so far. All the 206.a.b.X addresses in the outside-access ACL were set up prior to me and work. The new network 172.26.11.x was set up by me and so far I have gotten that and the 10.16.11.x networks up and running for internal access as needed and Internet access. The next step is to grant access from the outside using an external IP address to the internet IP address. I tried following the convention used for the other items yet these don't work. When I have them in place the hosts at the 172.26.11.10 and 77 addresses lose all Internet access instead. What am I doing wrong?
static (12dmz,outside) 205.a.b.11 172.26.11.10 netmask 255.255.255.255
static (12dmz,outside) 205.a.b.77 172.26.11.77 netmask 255.255.255.255
Here is the complete config sanitized:
ASA Version 8.2(3)
!
names
dns-guard
!
interface Ethernet0/0
description Internet
nameif outside
security-level 0
ip address 97.x.y.226 255.255.255.248 standby 97.x.y.227
!
interface Ethernet0/1
no nameif
no security-level
no ip address
!
interface Ethernet0/1.11
vlan 11
nameif 12inside
security-level 50
ip address 10.16.11.1 255.255.255.0 standby 10.16.11.4
!
interface Ethernet0/1.98
vlan 98
nameif vlan98
security-level 50
ip address 10.64.98.1 255.255.255.0 standby 10.64.98.4
!
interface Ethernet0/1.111
vlan 111
nameif 12dmz
security-level 20
ip address 172.26.11.1 255.255.255.0 standby 172.26.11.4
!
interface Ethernet0/1.192
vlan 192
nameif vlan192
security-level 50
ip address 192.168.1.1 255.255.255.0 standby 192.168.1.4
!
interface Ethernet0/2
nameif vlan205
security-level 50
ip address 10.64.96.1 255.255.255.0 standby 10.64.96.4
!
interface Ethernet0/3
description LAN/STATE Failover Interface
!
interface Management0/0
shutdown
no nameif
no security-level
no ip address
management-only
!
boot system disk0:/asa823-k8.bin
ftp mode passive
dns domain-lookup vlan98
dns domain-lookup vlan192
dns domain-lookup vlan205
dns server-group DefaultDNS
name-server 10.64.97.15
name-server 10.64.97.14
domain-name
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group network 34-ACTUAL
network-object 10.64.96.0 255.255.255.0
network-object 10.64.98.0 255.255.255.0
network-object 10.64.97.0 255.255.255.0
network-object 192.168.1.0 255.255.255.0
object-group network 567-ACTUAL
network-object 10.6.57.0 255.255.255.0
network-object 10.6.48.0 255.255.255.0
network-object 10.6.51.0 255.255.255.0
network-object 172.29.15.0 255.255.255.0
network-object 172.29.14.0 255.255.255.0
network-object 10.6.245.0 255.255.255.0
network-object 10.6.26.0 255.255.255.0
network-object 10.6.252.0 255.255.255.0
network-object 10.6.7.0 255.255.255.0
network-object 172.29.10.0 255.255.255.0
network-object 172.29.21.0 255.255.255.0
network-object 172.29.6.0 255.255.255.0
network-object 10.6.5.0 255.255.255.0
network-object 10.6.6.0 255.255.255.0
network-object 10.6.1.0 255.255.255.0
network-object 10.6.16.0 255.255.255.0
network-object 10.6.4.0 255.255.255.0
network-object 10.6.31.0 255.255.255.0
network-object 10.6.11.0 255.255.255.0
network-object 10.6.21.0 255.255.255.0
network-object 10.6.33.0 255.255.255.0
object-group network 34OFFICE-ACTUAL
network-object 10.64.99.0 255.255.255.0
network-object 192.168.199.0 255.255.255.0
object-group network pub_net
network-object host 206.a.b.100
network-object host 206.a.b.101
network-object host 206.a.b.103
network-object host 206.a.b.104
network-object host 206.a.b.105
network-object host 206.a.b.106
network-object host 206.a.b.107
network-object host 206.a.b.108
network-object host 206.a.b.109
network-object host 206.a.b.110
network-object host 206.a.b.111
network-object host 206.a.b.112
network-object host 206.a.b.116
network-object host 206.a.b.114
network-object host 206.a.b.117
network-object host 206.a.b.118
network-object host 206.a.b.119
network-object host 206.a.b.120
network-object host 206.a.b.121
network-object host 206.a.b.122
network-object host 206.a.b.123
network-object host 206.a.b.124
network-object host 206.a.b.113
network-object host 206.a.b.102
network-object host 205.a.b.11
network-object host 205.a.b.77
object-group service ports_108 tcp-udp
port-object eq www
port-object eq 443
port-object eq 2121
port-object eq 21
port-object eq 20
port-object eq 25
port-object range 49000 51000
port-object eq domain
port-object eq 9102
port-object eq 9103
port-object eq 9104
object-group service ports_109 tcp-udp
port-object eq www
port-object eq 443
port-object eq 84
port-object eq 22
port-object eq 447
port-object eq 446
port-object eq 83
port-object eq 442
port-object eq domain
port-object eq 9102
port-object eq 9103
port-object eq 9104
object-group network DR-ACTUAL
network-object 192.168.254.0 255.255.255.0
network-object 10.6.248.0 255.255.255.0
network-object 10.6.151.0 255.255.255.0
network-object 172.29.215.0 255.255.255.0
network-object 172.29.214.0 255.255.255.0
network-object 172.29.206.0 255.255.255.0
network-object 10.6.205.0 255.255.255.0
network-object 10.6.250.0 255.255.255.0
object-group service DM_INLINE_TCP_1 tcp
port-object eq www
port-object eq https
object-group network 12-PROD
network-object 10.16.11.0 255.255.255.0
object-group network 12-DMZ
network-object host 205.a.b.77
network-object host 205.a.b.11
access-list outside-access extended permit ip any any
access-list outside-access extended permit tcp any object-group pub_net eq www
access-list outside-access extended permit tcp any object-group pub_net eq https
access-list outside-access extended permit tcp any host 206.a.b.100 eq smtp
access-list outside-access extended permit tcp any host 206.a.b.100 eq domain
access-list outside-access extended permit tcp any host 206.a.b.101 eq domain
access-list outside-access extended permit tcp any host 206.a.b.108 object-group ports_108
access-list outside-access extended permit tcp any host 206.a.b.116 object-group ports_109
access-list outside-access extended permit tcp any host 206.a.b.109 object-group ports_108
access-list outside-access extended permit tcp any host 206.a.b.110 object-group ports_108
access-list outside-access extended permit tcp any host 206.a.b.111 eq smtp
access-list outside-access extended permit tcp any host 206.a.b.108 eq ftp-data
access-list outside-access extended permit tcp any host 206.a.b.110 eq ftp-data
access-list outside-access extended permit tcp any host 206.a.b.116 eq ftp-data
access-list outside-access extended permit tcp any host 206.a.b.109 eq ftp-data
access-list outside-access extended permit tcp any host 206.a.b.124 object-group ports_108
access-list outside-access extended permit tcp any host 206.a.b.124 object-group ports_109
access-list outside-access extended permit tcp any host 206.a.b.117 eq ssh
access-list outside-access extended permit tcp any host 206.a.b.113 object-group ports_108
access-list outside-access extended permit tcp any host 206.a.b.113 object-group ports_109
access-list outside-access extended permit tcp any host 206.a.b.102 eq ftp-data
access-list outside-access remark Demo web server configured 3/18/2013
access-list outside-access extended permit tcp any host 206.a.b.125 object-group DM_INLINE_TCP_1
access-list 34prod-567 extended permit ip object-group 34-ACTUAL object-group 567-ACTUAL
access-list 34prod-567 extended permit ip host 97.x.y.226 host 10.6.245.6
access-list 34prod-567 extended permit ip object-group 12-PROD object-group 567-ACTUAL
access-list 34prod-567 extended permit ip object-group 12-PROD 10.50.2.0 255.255.255.0
access-list nonat-intervlan extended permit ip 192.168.1.0 255.255.255.0 192.168.200.0 255.255.255.0
access-list nonat-intervlan extended permit ip 10.64.96.0 255.255.255.0 192.168.200.0 255.255.255.0
access-list nonat-intervlan extended permit ip 10.64.97.0 255.255.255.0 192.168.200.0 255.255.255.0
access-list nonat-intervlan extended permit ip 10.64.98.0 255.255.255.0 192.168.200.0 255.255.255.0
access-list nonat-intervlan extended permit ip object-group 34-ACTUAL object-group 34-ACTUAL
access-list nonat-intervlan extended permit ip 10.64.98.0 255.255.255.0 object-group 567-ACTUAL
access-list nonat-intervlan extended permit ip 10.64.97.0 255.255.255.0 object-group 567-ACTUAL
access-list nonat-intervlan extended permit ip 10.64.96.0 255.255.255.0 object-group 567-ACTUAL
access-list nonat-intervlan extended permit ip object-group 34-ACTUAL object-group 567-ACTUAL
access-list nonat-intervlan extended permit ip object-group 34-ACTUAL object-group 34OFFICE-ACTUAL
access-list nonat-intervlan extended permit ip object-group 34-ACTUAL object-group DR-ACTUAL
access-list nonat-intervlan extended permit ip object-group 12-PROD object-group 567-ACTUAL
access-list nonat-intervlan extended permit ip object-group 12-PROD 10.50.2.0 255.255.255.0
access-list icmp extended permit icmp any any
access-list vlan98-outbound extended permit ip 10.64.98.0 255.255.255.0 any
access-list vlan98-outbound extended permit ip 10.64.98.0 255.255.255.0 object-group 567-ACTUAL
access-list vlan205-outbound extended permit ip 10.64.96.0 255.255.255.0 any
access-list vlan205-outbound extended permit ip 10.64.96.0 255.255.255.0 object-group 567-ACTUAL
access-list test extended permit ip 10.64.96.0 255.255.255.0 10.64.97.0 255.255.255.0
access-list test extended permit ip 10.64.97.0 255.255.255.0 10.64.96.0 255.255.255.0
access-list 34prod-34office extended permit ip object-group 34-ACTUAL object-group 34OFFICE-ACTUAL
access-list 34prodvpn_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
access-list 34prodvpn_splitTunnelAcl standard permit 10.64.96.0 255.255.255.0
access-list 34prodvpn_splitTunnelAcl standard permit 10.64.98.0 255.255.255.0
access-list 34prodvpn_splitTunnelAcl standard permit 10.64.97.0 255.255.255.0
access-list 34prodvpn_splitTunnelAcl standard permit 192.168.199.0 255.255.255.0
access-list policy1 extended permit tcp host 10.64.96.5 any eq smtp
access-list policy2 extended permit tcp host 10.64.96.5 any
access-list policy2 extended permit udp host 10.64.96.5 any
access-list 34-dr extended permit ip object-group 34-ACTUAL object-group DR-ACTUAL
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu vlan98 1500
mtu vlan192 1500
mtu vlan205 1500
mtu 12inside 1500
mtu 12dmz 1500
ip local pool 34prodvpn 192.168.200.1-192.168.200.25 mask 255.255.255.0
failover
failover lan unit primary
failover lan interface FC Ethernet0/3
failover key *****
failover link FC Ethernet0/3
failover interface ip FC 10.10.10.10 255.255.255.0 standby 10.10.10.20
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-621.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
global (outside) 5 206.a.b.111
nat (vlan98) 0 access-list nonat-intervlan
nat (vlan98) 1 0.0.0.0 0.0.0.0
nat (vlan192) 0 access-list nonat-intervlan
nat (vlan192) 1 0.0.0.0 0.0.0.0
nat (vlan205) 0 access-list nonat-intervlan
nat (vlan205) 5 access-list policy1
nat (vlan205) 1 access-list policy2
nat (vlan205) 1 0.0.0.0 0.0.0.0
nat (12inside) 0 access-list nonat-intervlan
nat (12inside) 1 0.0.0.0 0.0.0.0
nat (12dmz) 1 0.0.0.0 0.0.0.0
static (vlan205,outside) tcp 206.a.b.111 smtp 10.64.96.111 smtp netmask 255.255.255.255
static (vlan205,outside) 206.a.b.100 10.64.96.100 netmask 255.255.255.255
static (vlan205,outside) 206.a.b.101 10.64.96.101 netmask 255.255.255.255
static (vlan205,outside) 206.a.b.103 10.64.96.103 netmask 255.255.255.255
static (vlan205,outside) 206.a.b.104 10.64.96.104 netmask 255.255.255.255
static (vlan205,outside) 206.a.b.105 10.64.96.105 netmask 255.255.255.255
static (vlan205,outside) 206.a.b.106 10.64.96.106 netmask 255.255.255.255
static (vlan205,outside) 206.a.b.107 10.64.96.107 netmask 255.255.255.255
static (vlan205,outside) 206.a.b.108 10.64.96.108 netmask 255.255.255.255
static (vlan205,outside) 206.a.b.109 10.64.96.109 netmask 255.255.255.255
static (vlan205,outside) 206.a.b.110 10.64.96.110 netmask 255.255.255.255
static (vlan205,outside) 206.a.b.112 10.64.96.112 netmask 255.255.255.255
static (vlan205,outside) 206.a.b.116 10.64.96.116 netmask 255.255.255.255
static (vlan205,outside) 206.a.b.114 10.64.96.114 netmask 255.255.255.255
static (vlan205,outside) 206.a.b.117 10.64.96.117 netmask 255.255.255.255
static (vlan205,outside) 206.a.b.118 10.64.96.118 netmask 255.255.255.255
static (vlan205,outside) 206.a.b.119 10.64.96.119 netmask 255.255.255.255
static (vlan205,outside) 206.a.b.120 10.64.96.120 netmask 255.255.255.255
static (vlan205,outside) 206.a.b.121 10.64.96.121 netmask 255.255.255.255
static (vlan205,outside) 206.a.b.122 10.64.96.122 netmask 255.255.255.255
static (vlan205,outside) 206.a.b.123 10.64.96.123 netmask 255.255.255.255
static (vlan205,outside) 206.a.b.124 10.64.96.115 netmask 255.255.255.255
static (vlan205,outside) 206.a.b.113 10.64.96.113 netmask 255.255.255.255
static (vlan205,outside) 206.a.b.102 10.64.96.102 netmask 255.255.255.255
static (vlan205,outside) 206.a.b.125 10.64.96.125 netmask 255.255.255.255
static (12dmz,outside) 205.a.b.11 172.26.11.10 netmask 255.255.255.255
static (12dmz,outside) 205.a.b.77 172.26.11.77 netmask 255.255.255.255
access-group outside-access in interface outside
route outside 0.0.0.0 0.0.0.0 97.x.y.225 1
route vlan205 10.64.97.0 255.255.255.0 10.64.96.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 vlan98
snmp-server host vlan205 10.64.97.162 community ***** version 2c
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
snmp-server enable traps syslog
snmp-server enable traps ipsec start stop
snmp-server enable traps entity config-change fru-insert fru-remove
snmp-server enable traps remote-access session-threshold-exceeded
sysopt connection tcpmss 1300
sysopt connection preserve-vpn-flows
service resetoutside
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set esp-aes-sha esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_dynmap 10 match address 34prod-567
crypto map outside_dynmap 10 set peer 208.a.b.c
crypto map outside_dynmap 10 set transform-set ESP-3DES-MD5
crypto map outside_dynmap 10 set security-association lifetime seconds 28800
crypto map outside_dynmap 10 set security-association lifetime kilobytes 4608000
crypto map outside_dynmap 20 match address 34prod-34office
crypto map outside_dynmap 20 set peer 66.a.b.c
crypto map outside_dynmap 20 set transform-set ESP-3DES-MD5
crypto map outside_dynmap 20 set security-association lifetime seconds 28800
crypto map outside_dynmap 20 set security-association lifetime kilobytes 4608000
crypto map outside_dynmap 25 match address 34-dr
crypto map outside_dynmap 25 set peer 97.a.b.c
crypto map outside_dynmap 25 set transform-set ESP-3DES-MD5
crypto map outside_dynmap 25 set security-association lifetime seconds 2147483640
crypto map outside_dynmap 25 set security-association lifetime kilobytes 2147483646
crypto map outside_dynmap 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_dynmap interface outside
crypto isakmp identity hostname
crypto isakmp enable outside
crypto isakmp policy 4
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 11
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto isakmp policy 13
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto isakmp nat-traversal 21
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 vlan98
ssh timeout 5
console timeout 0
management-access vlan98
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
enable outside
svc image disk0:/anyconnect-win-2.3.0185-k9.pkg 1
svc enable
tunnel-group-list enable
group-policy DfltGrpPolicy attributes
dns-server value 10.64.97.15 10.64.97.14
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
default-domain value
webvpn
hidden-shares visible
group-policy 34prodvpn internal
group-policy 34prodvpn attributes
dns-server value 10.64.97.15 10.64.97.14
vpn-tunnel-protocol IPSec svc
split-tunnel-policy tunnelspecified
split-tunnel-network-list value 34prodvpn_splitTunnelAcl
split-dns value
group-policy 34PRODVPN internal
group-policy 34PRODVPN attributes
dns-server value 10.64.97.15 10.64.97.14
vpn-tunnel-protocol IPSec l2tp-ipsec svc
split-tunnel-policy tunnelspecified
split-tunnel-network-list value 34prodvpn_splitTunnelAcl
default-domain value
split-dns value
webvpn
svc keep-installer installed
svc ask none default svc
tunnel-group 208.a.b.c type ipsec-l2l
tunnel-group 208.a.b.c ipsec-attributes
pre-shared-key *****
tunnel-group 66.a.b.c type ipsec-l2l
tunnel-group 66.a.b.c ipsec-attributes
pre-shared-key *****
tunnel-group 34PRODVPN type remote-access
tunnel-group 34PRODVPN general-attributes
address-pool 34prodvpn
default-group-policy 34PRODVPN
tunnel-group 34PRODVPN webvpn-attributes
group-alias 34PRODVPN enable
tunnel-group 34prodvpn type remote-access
tunnel-group 34prodvpn general-attributes
address-pool 34prodvpn
default-group-policy 34prodvpn
tunnel-group 34prodvpn ipsec-attributes
pre-shared-key *****
tunnel-group 97.a.b.c type ipsec-l2l
tunnel-group 97.a.b.c ipsec-attributes
pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map 34obal_policy
class inspection_default
inspect h323 h225
inspect h323 ras
inspect rsh
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect ip-options
inspect ftp
inspect icmp
!
service-policy 34obal_policy global
prompt hostname context
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:d89a99201fd554125eb7225e3de32994
: end
01-17-2014 05:07 PM
Tyler
The existing static NATs are using 206.x.x.x addressing whereas your new static NATs are using 205.x.x.x.
Are you sure this IP address block is being routed to the outside interface of your ASA by the ISP?
Jon
01-17-2014 05:11 PM
I have put an email into my ISP to verify. As far as I can tell on the router they should be. I have a route in place for the 205.x.x.x network to route to the ASA just like the 206.x.x.x network. Even if they are not currently, would that cause the system to lose Internet access? Based on the NAT I figured this was just for inbound access mapping the external IP to the internal.
01-17-2014 05:15 PM
Tyler
Even if they are not currently would that cause the system to lose Internet access? Based on the NAT I figured this was just for inbound access mapping the external IP to the internal.
The issue is that static NAT statements are two-way, i.e. traffic initiated from the outside to dmz12 and traffic initiated from those devices in dmz12 to the outside. And static NAT takes precedence over dynamic NAT, so as soon as you entered those commands the 172.16.11.x devices with static NAT entries will now be translated to 206.x.x.x addresses when they go out to the internet.
Jon
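The precedence described in the reply above, as an added example (not code from the thread or from Cisco): a small Python model of ASA 8.2 NAT selection that covers only host `static` entries and regular `nat`/`global` pairs, leaving out NAT exemption, policy NAT and static PAT. The config excerpt is constructed from the posted one, and the function names are hypothetical.

```python
import ipaddress
import re

# Constructed excerpt modelled on the posted config; addresses stay sanitized
# as on the page, so mapped (public) addresses are handled as opaque strings.
CONFIG = """\
global (outside) 1 interface
nat (12dmz) 1 0.0.0.0 0.0.0.0
nat (vlan205) 1 0.0.0.0 0.0.0.0
static (vlan205,outside) 206.a.b.100 10.64.96.100 netmask 255.255.255.255
static (12dmz,outside) 205.a.b.11 172.26.11.10 netmask 255.255.255.255
static (12dmz,outside) 205.a.b.77 172.26.11.77 netmask 255.255.255.255
"""

IP = r"\d+\.\d+\.\d+\.\d+"
STATIC_RE = re.compile(rf"^static \((\S+),(\S+)\) (\S+) ({IP}) netmask 255\.255\.255\.255$")
NAT_RE = re.compile(rf"^nat \((\S+)\) (\d+) ({IP}) ({IP})$")
GLOBAL_RE = re.compile(r"^global \((\S+)\) (\d+) (\S+)$")


def parse_config(text):
    """Collect host static NAT, regular dynamic nat and global statements."""
    cfg = {"static": [], "nat": [], "global": {}}
    for line in text.splitlines():
        line = line.strip()
        if m := STATIC_RE.match(line):
            real_if, mapped_if, mapped, real = m.groups()
            cfg["static"].append((real_if, mapped_if, mapped, ipaddress.ip_address(real)))
        elif m := NAT_RE.match(line):
            ifc, nat_id, net, mask = m.groups()
            cfg["nat"].append((ifc, int(nat_id), ipaddress.ip_network(f"{net}/{mask}")))
        elif m := GLOBAL_RE.match(line):
            ifc, nat_id, pool = m.groups()
            cfg["global"][(ifc, int(nat_id))] = pool
    return cfg


def outbound_source(cfg, in_if, src, out_if="outside"):
    """Return (rule_type, translated_source) for a connection opened by src."""
    src = ipaddress.ip_address(src)
    # Static NAT is consulted before dynamic NAT, and it applies to
    # connections initiated by the real host as well as to inbound ones.
    for real_if, mapped_if, mapped, real in cfg["static"]:
        if (real_if, mapped_if, real) == (in_if, out_if, src):
            return ("static", mapped)
    # Otherwise fall back to the nat/global pair that shares a NAT id.
    for ifc, nat_id, net in cfg["nat"]:
        pool = cfg["global"].get((out_if, nat_id))
        if ifc == in_if and nat_id != 0 and src in net and pool:
            return ("dynamic", pool)
    return ("none", None)


def inbound_destination(cfg, mapped_dst, in_if="outside"):
    """Return (real_interface, real_ip) that a mapped address un-translates to."""
    for real_if, mapped_if, mapped, real in cfg["static"]:
        if (mapped_if, mapped) == (in_if, mapped_dst):
            return (real_if, str(real))
    return None


if __name__ == "__main__":
    cfg = parse_config(CONFIG)
    for host in ("172.26.11.10", "172.26.11.77", "172.26.11.20"):
        print(host, "->", outbound_source(cfg, "12dmz", host))
    print("205.a.b.11 ->", inbound_destination(cfg, "205.a.b.11"))
```

The two hosts with a `static` entry leave as 205.a.b.11 and 205.a.b.77, so their return traffic depends on that block being routed to the ASA, while other 12dmz hosts keep using the interface PAT. Inbound, the same entries expose the real hosts to whatever the `outside-access` ACL permits for the mapped address, and in the posted config its first entry is `permit ip any any`.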
01-17-2014 05:27 PM
Ah, did not realize they are two way. When you say "will now be translated to the 206.x.x.x addresses" you do mean the 205.x.x.x addresses though, correct? I only ask because there is a global set for 206.x.x.x and was hoping the static I placed would supersede that based on what I am seeing.
01-17-2014 05:35 PM
Tyler
When you say "will now be translated to the 206.x.x.x addresses" you do mean the 205.x.x.x addresses though correct?
No, I meant these statements -
static (12dmz,outside) 205.a.b.11 172.26.11.10 netmask 255.255.255.255
static (12dmz,outside) 205.a.b.77 172.26.11.77 netmask 255.255.255.255
i.e. 172.16.11.10 when it goes to internet will now be translated to 205.a.b.11 and the same for 172.26.11.77 to its 205.a.b.77 address.
I only ask because there is a global set for 206.x.x.x and was hoping the static I placed would supersede that based on what I am seeing.
Not sure I follow?
Jon
01-17-2014 05:37 PM
Jon,
You said this in your previous reply:
And static NAT takes precedence over dynamic NAT so as soon as you entered those commands the 172.16.11.x devices with static NAT entries will now be translated to 206.x.x.x addresses when they go out to the internet.
Was just confused by you saying the 206.x.x.x addresses. Your latest reply clears things up. Will verify with my ISP.
Tyler
01-17-2014 05:40 PM
Tyler
Apologies, that was a typo. As if it wasn't confusing enough.
Jon
01-17-2014 05:42 PM
Jon,
No worries. Thank you for the assist. Will check with the ISP and, once verified working, mark a Correct Answer on this thread.
Tyler
01-19-2014 01:45 AM
Jon,
You were correct, the IP range was being filtered by my ISP. Currently this is working on their network but needs to be entered elsewhere for propagation. Thank you for your assistance Jon.
Tyler