The "outside" keyword has nothing to do with the inside rule. When you configure a dynamic NAT rule for traffic from an interface of lower security to an interface of higher security, then you need to add the "outside" keyword.
Snippet from http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/cfgnat.html#wp1065667

*outside*—If this interface is on a lower security level than the interface you identify by the matching *global* statement, then you must enter *outside* to identify the NAT instance as outside NAT.

With regards
Kings

On Mon, Aug 8, 2011 at 12:03 AM, Adil Pasha <[email protected]> wrote:

> Thanks guys,
>
> I did not get the syntax "outside" at the end. We do not use this as I have
> "nat (inside) 1 access-list 101" configured.
>
> Fawad,
> Here is my current working config.
>
> access-list 101 extended permit ip host 202.2.2.2 host 11.11.11.11
> access-list 102 extended permit ip host 202.2.2.2 host 10.11.11.1
> access-list nonat extended permit ip host 11.11.11.11 host 202.2.2.2
> access-list nonat extended permit ip host 10.11.11.1 host 202.2.2.2
>
> static (Outside,Inside) 10.22.22.202 access-list 101 <<< I want to use
> "nat (outside) and global (inside) command, instead of this config >>>
> static (Outside,Inside) 10.22.22.222 access-list 102
>
> nat (Inside) 0 access-list nonat
> nat (Inside) 1 0.0.0.0 0.0.0.0
>
>
> Best Regards.
> ______________________
> Adil
>
> On Aug 7, 2011, at 1:32 PM, 'Segun Daini wrote:
>
> Try this:
>
> nat (outside) 1 access-list 101 outside
>
> You're missing the "outside" keyword.
>
> Regards.
>
> ------------------------------
> *From:* Adil Pasha <[email protected]>
> *To:* Fawad Khan <[email protected]>
> *Cc:* CCIE Security Maillist <[email protected]>
> *Sent:* Sunday, August 7, 2011 6:00 PM
> *Subject:* Re: [OSL | CCIE_Security] NAT (outside)?
>
> Thanks Fawad,
>
> It does accept the config but it does not work though.
>
> This is the first time I am using nat (outside) which I saw in IPX lab 17.
>
>
> Best Regards.
> ______________________
> Adil
>
> On Aug 7, 2011, at 12:46 PM, Fawad Khan wrote:
>
> I am sure, this is just a warning, it must have accepted the configuration.
> do a show run nat and show run global and find it out.
>
> Usually even the firewall assumes that one will use nat inside and global
> outside.
>
>
> my two cents.. good luck.
>
> FNK
> On Sun, Aug 7, 2011 at 12:04 PM, Adil Pasha <[email protected]> wrote:
>
> My ASA already has nat (inside) 1 access-list 101 configured.
>
> When I try to configure nat(outside) with global (inside) I get the
> following error:
>
> ASA1(config)# global (inside) 1 10.22.22.202
> INFO: Global 10.22.22.202 will be Port Address Translated
> ASA1(config)#
> ASA1(config)# nat (outside) 1 access-list 101
> WARNING: Binding inside nat statement to outermost interface.
> WARNING: Keyword "outside" is probably missing.
> ASA1(config)#
>
> Is it because we can ONLY have either nat (inside) or nat (outside) in one
> time or can we have both at the same time?
>
> If we can have both at the same time then why am I getting the above error?
>
> By the way, if I use static (outside,inside) command it works and I can
> achieve the NAT goal.
>
> Best Regards.
> ______________________
> Adil
>
> _______________________________________________
> For more information regarding industry leading CCIE Lab training, please
> visit www.ipexpert.com
>
> Are you a CCNP or CCIE and looking for a job? Check out
> www.PlatinumPlacement.com
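The rule in the Cisco snippet quoted in this reply can be checked mechanically before a change is pushed. The following is an added example, not code from the thread or from Cisco: a Python check over ASA 8.0-style configuration text that reports `nat` lines needing the `outside` keyword. The function names are hypothetical, and the security levels in the constructed sample (0 for Outside, 100 for Inside) are assumed because the thread does not show them.

```python
import re

# Constructed sample: interface names and NAT lines follow the thread; the
# security levels (0 and 100) are assumed, the thread does not show them.
SAMPLE_CONFIG = """\
interface Ethernet0/0
 nameif Outside
 security-level 0
interface Ethernet0/1
 nameif Inside
 security-level 100
global (inside) 1 10.22.22.202
nat (outside) 1 access-list 101
nat (Inside) 0 access-list nonat
nat (Inside) 1 0.0.0.0 0.0.0.0
"""

def security_levels(config):
    """Return {nameif (lower-cased): security level} from interface blocks."""
    levels, name = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            name = None
        elif m := re.match(r"\s+nameif\s+(\S+)", line):
            name = m.group(1).lower()
        elif (m := re.match(r"\s+security-level\s+(\d+)", line)) and name:
            levels[name] = int(m.group(1))
    return levels

def nat_missing_outside(config):
    """List nat lines bound to a lower-security interface than their global
    interface (matched by NAT ID) that lack the trailing 'outside' keyword."""
    levels = security_levels(config)
    globals_by_id = {}
    for m in re.finditer(r"^global \((\S+)\) (\d+)\s", config, re.M):
        globals_by_id.setdefault(m.group(2), []).append(m.group(1).lower())
    findings = []
    for m in re.finditer(r"^nat \((\S+)\) (\d+) (.+)$", config, re.M):
        ifc, nat_id, args = m.group(1).lower(), m.group(2), m.group(3).split()
        # args[0:2] are operands (address+mask or access-list+name); keywords follow.
        if "outside" in args[2:] or ifc not in levels:
            continue
        peers = [g for g in globals_by_id.get(nat_id, []) if g in levels]
        if any(levels[ifc] < levels[g] for g in peers):
            findings.append(m.group(0))
    return findings

if __name__ == "__main__":
    print(nat_missing_outside(SAMPLE_CONFIG))
```

NAT ID 0 lines have no matching `global` statement, so the check skips them, and an access list that happens to be named `outside` is not mistaken for the keyword.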
