ASA 8.2, NAT

purva.kate
Level 1

Hi All. Need assistance on this issue. I am working on ASA 8.2. We have a public block for the customer, 199.199.199.0/24, pointed to the ASA.

Now the customer wants access from 199.199.199.21 to 199.199.199.15. He is coming from private IP address 10.1.100.58, trying to access public IP address 199.199.199.15, but it's not working. Subnet 199.199.199.0/24 is NATed, and on the ASA it's learned via default, i.e. OUTSIDE. The customer cannot access the public IP address 199.199.199.15, as he is coming from 10.1.100.58 and is then NATed to 199.199.199.21. So it's like he is coming in on the Outside interface and going to the Outside interface. This setup is not working.

 

Below is the rough setup:

C    10.1.100.0 255.255.255.0 is directly connected, inside
C    10.1.200.0 255.255.252.0 is directly connected, dmz

 

static (inside,outside) 199.199.199.21 10.1.100.58 netmask 255.255.255.255 
static (dmz,outside) 199.199.199.15 10.1.200.15 netmask 255.255.255.255 

 

nat (inside) 0 access-list nat_exempt
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz) 1 0.0.0.0 0.0.0.0
nat (VPN-zone) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface

 

access-list nat_exempt extended permit ip any host 199.199.199.15 log 

4 Replies

Lajja1234
Level 1

Hi!

In ASDM you can use Packet Tracer to check where the packet gets stuck. 

I always use that feature to check any problems when I am not sure what to do. 

/Lajja1234

Thank you, Lajja

nkarthikeyan
Level 7

Hi,

If you access from inside to DMZ, he will be able to do that using its private IP address.

Say, he can access from 10.1.100.58 to 10.1.200.15.

For this we need to have a no-NAT rule between these private IPs:

access-list no-nat permit ip host 10.1.100.58 host 10.1.200.15

nat (inside) 0 access-list no-nat

 

Also, you need to allow it in the access list which you put for outbound traffic, i.e. the ACL bound on the inside interface.

The other option is to do DNS doctoring.

Regards

Karthik

Thank you, nkarthikeyan
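The two replies above combined into one CLI sequence, as an added example that is not part of any post in this thread: the inside-to-DMZ NAT exemption, the matching permit on the inside ACL, and the CLI form of Packet Tracer to compare the public-address and private-address flows. Assumptions: the exemption entry is added to the `nat_exempt` list that the question's config already binds with `nat (inside) 0`, the ACL name `inside_access_in` is hypothetical, and TCP port 80 and source port 1025 are constructed test values.

```cisco
! Added example. inside_access_in, port 80 and port 1025 are assumptions,
! not values from the thread.

! NAT exemption for the private-to-private flow (inside host -> DMZ host),
! added to the list already bound with "nat (inside) 0" in the question
access-list nat_exempt extended permit ip host 10.1.100.58 host 10.1.200.15
nat (inside) 0 access-list nat_exempt

! Needed only if an ACL is applied inbound on the inside interface
access-list inside_access_in extended permit ip host 10.1.100.58 host 10.1.200.15

! Flow the customer tried: inside host to the public address.
! Check which egress interface the route lookup phase selects.
packet-tracer input inside tcp 10.1.100.58 1025 199.199.199.15 80 detailed

! Suggested flow: inside host to the DMZ host's private address.
! The NAT-EXEMPT phase should match nat_exempt and egress should be dmz.
packet-tracer input inside tcp 10.1.100.58 1025 10.1.200.15 80 detailed

! Hit counters confirm which entries live traffic is matching
show access-list nat_exempt
```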

 
