Cisco ASA 5520 Routing on Inside or NONAT problem

    Dear Experts,

    I have a Cisco ASA 5520 in my network. All four of its interfaces are physically connected to different networks: eth1 = inside (172.16.0.1), eth2 = outside (194.101.x.x), eth3 = mobile_network1 (10.0.0.1), eth4 = mobile_network2 (10.1.1.1).

    I have different routes for interface communication (inside to outside, inside to mobile_network1 and 2) and the routes are working fine. The problem is on the inside interface, which is connected to a Cisco switch; other firewalls are also connected to that switch.
    The inside IP is 172.16.0.1 (which is the gateway for servers on the 172.16.0.x network). I have been asked that if my inside network (172.16.0.x) wants to connect to a network (192.168.0.x), the traffic should be pointed to 172.16.0.5, which is another router on the switch.

    I have enabled NAT:

    global (outside) 1 interface
    nat (inside) 1 0.0.0.0 0.0.0.0

    static (inside,outside) 194.101.x.x 172.16.0.24 netmask 255.255.255.255 (because I want the servers to be accessible from the internet)
    static (inside,outside) 194.101.x.x 172.16.0.25 netmask 255.255.255.255 (because I want the servers to be accessible from the internet)

    static (outside,inside) 172.16.0.24 194.101.x.x netmask 255.255.255.255 (if traffic goes out, the IP should be the static public one)
    static (outside,inside) 172.16.0.25 194.101.x.x netmask 255.255.255.255 (if traffic goes out, the IP should be the static public one)

    static (inside,mobile_network1) 172.16.0.x 172.16.0.x netmask 255.255.255.255 (don't translate the inside IP)
    static (inside,mobile_network2) 172.16.0.x 172.16.0.x netmask 255.255.255.255 (don't translate the inside IP)

    route mobile_network1 10.0.0.x 255.255.255.0 10.0.0.1 (this routes traffic from 172.16.0.x destined for 10.0.0.x to interface 10.0.0.1)
    route mobile_network2 10.1.1.x 255.255.255.0 10.1.1.1 (this routes traffic from 172.16.0.x destined for 10.1.1.x to interface 10.1.1.1)

    route outside 0.0.0.0 0.0.0.0 194.101.135.23

    Inside to mobile_network1 and mobile_network2 is working fine, and I can access the inside servers from outside with the public IPs. Also, when I go to whatismyip.com, my public IPs are different, which is what I want.

    The problem is as follows:

    I have been asked that if my inside network (172.16.0.x) wants to connect to a network (192.168.0.x), the traffic should be pointed to 172.16.0.5, which is another router on the switch:

    route inside 192.168.0.0 255.255.255.0 172.16.0.5

    When I run packet-tracer it verifies that the route exists and the access list is fine, but it blocks on NAT: nat (inside) 1 0.0.0.0 0.0.0.0.
    I know I have to implement NONAT, but I don't know how.

    When I run static (inside,inside) 172.16.0.0 172.16.0.0 netmask 255.255.255., it gives a NAT conflict with the static (inside,outside) 194.101.x.x 172.16.0.24 netmask 255.255.255.255 entries.

    Please help. Thanks.
    Last edited by ABasit; 5th November 2010, 08:00.

  • #2
    Re: Cisco ASA 5520 Routing on Inside or NONAT problem

    You can try to create a NAT exemption by doing the following:

    1. Create an ACL for the network that you don't want to NAT plus the destination network.
    2. Then use the following command: 'nat 0 (inside) access-list <name_of_access_list>'

    Below is an article that can help explain NAT in more detail.

    http://www.cisco.com/en/US/products/...31a.shtml#NEX1

    PS... Whenever you are posting a partial config, please scrub any publicly routed IP addresses that belong to you. Bad guys watch these types of forums.

    Ryan
    Last edited by ryansmitty; 4th November 2010, 17:31.
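    The NAT exemption described above, written out as an added example for the poster's 172.16.0.0/24 to 192.168.0.0/24 case (this is not config from the thread; it assumes pre-8.3 ASA syntax matching the nat/global/static commands in the question, and the ACL name NONAT_INSIDE is made up):

```cisco
! Added example, not from the thread. Pre-8.3 ASA syntax assumed.
! Hypothetical ACL name: NONAT_INSIDE.

! 1. Match the traffic that must keep its real source address.
!    The ACL is bidirectional for nat 0, so replies are exempted too.
access-list NONAT_INSIDE extended permit ip 172.16.0.0 255.255.255.0 192.168.0.0 255.255.255.0

! 2. Exempt it from the dynamic rule "nat (inside) 1 0.0.0.0 0.0.0.0".
!    Note the argument order: interface in parentheses first, then 0.
!    Unlike static (inside,inside) identity NAT, this does not collide
!    with the existing static (inside,outside) entries for .24 and .25.
nat (inside) 0 access-list NONAT_INSIDE

! 3. Send the destination network to the other router on the inside segment.
route inside 192.168.0.0 255.255.255.0 172.16.0.5

! 4. This flow enters and leaves the same interface (hairpin). The ASA
!    drops such traffic unless intra-interface forwarding is permitted.
same-security-traffic permit intra-interface

! 5. Re-check with packet-tracer; the NAT phase should now show the
!    exemption rule instead of "nat (inside) 1".
packet-tracer input inside tcp 172.16.0.24 1024 192.168.0.10 80
```

    Only the 172.16.0.0/24 to 192.168.0.0/24 flow is exempted; everything else from inside still uses the PAT and static rules already in place.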



    • #3
      Re: Cisco ASA 5520 Routing on Inside or NONAT problem

      Hi Ryan,

      The public IPs are fake; I have replaced them with x.x.

      Thanks.



      • #4
        Re: Cisco ASA 5520 Routing on Inside or NONAT problem

        I only mentioned it because your route statement has a routed IP address as the destination address, and one of your interfaces is on that subnet (i.e. the outside interface). That is all that I meant. Aside from that, were you able to resolve your issue?

        Ryan
