Thanks Kingsley.
Best Regards. ______________________ Adil On Aug 8, 2011, at 1:07 AM, Kingsley Charles wrote: > The "outside" keyword has nothing to do with the inside rule. > > When you configure a dynamic NAT rule for traffic from an interface of lower > security to an interface higher security, then you need to add the "outside" > keyword. > > > Snippet from > http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/cfgnat.html#wp1065667 > > outside—If this interface is on a lower security level than the interface you > identify by the matching global statement, then you must enter outside to > identify the NAT instance as outside NAT. > > With regards > Kings > > On Mon, Aug 8, 2011 at 12:03 AM, Adil Pasha <[email protected]> wrote: > Thanks guys, > > I did not get the syntax "outside" at the end. We do not use this as I have > "nat (inside) 1 access-list 101" configured. > > Fawad, > Here is my current working config. > > access-list 101 extended permit ip host 202.2.2.2 host 11.11.11.11 > access-list 102 extended permit ip host 202.2.2.2 host 10.11.11.1 > access-list nonat extended permit ip host 11.11.11.11 host 202.2.2.2 > access-list nonat extended permit ip host 10.11.11.1 host 202.2.2.2 > > static (Outside,Inside) 10.22.22.202 access-list 101 <<< I want to use > "nat (outside) and global (inside) command, instead of this config >>> > static (Outside,Inside) 10.22.22.222 access-list 102 > > nat (Inside) 0 access-list nonat > nat (Inside) 1 0.0.0.0 0.0.0.0 > > > Best Regards. > ______________________ > Adil > > On Aug 7, 2011, at 1:32 PM, 'Segun Daini wrote: > >> Try this: >> >> nat (outside) 1 access-list 101 outside >> >> Youre missing the "outside" keyword. >> >> Regards. >> >> From: Adil Pasha <[email protected]> >> To: Fawad Khan <[email protected]> >> Cc: CCIE Security Maillist <[email protected]> >> Sent: Sunday, August 7, 2011 6:00 PM >> Subject: Re: [OSL | CCIE_Security] NAT (outside)? >> >> Thanks Fawad, >> >> It does accept the config but it does not work though. >> >> This is the first time I am using nat (outside) which I saw in IPX lab 17. >> >> >> Best Regards. >> ______________________ >> Adil >> >> On Aug 7, 2011, at 12:46 PM, Fawad Khan wrote: >> >>> I am sure, this is just a warning, it must have accepted the configuration. >>> do a show run nat and show run global and find it out. >>> >>> Usually even the firewall assumes that one will use nat inside and global >>> outside. >>> >>> >>> my two cents.. good luck. >>> >>> FNK >>> On Sun, Aug 7, 2011 at 12:04 PM, Adil Pasha <[email protected]> wrote: >>> My ASA already has nat (inside) 1 access-list 101 configured. >>> >>> When I try to configure nat(outside) with global (inside) I get the >>> following error: >>> >>> ASA1(config)# global (inside) 1 10.22.22.202 >>> INFO: Global 10.22.22.202 will be Port Address Translated >>> ASA1(config)# >>> ASA1(config)# nat (outside) 1 access-list 101 >>> WARNING: Binding inside nat statement to outermost interface. >>> WARNING: Keyword "outside" is probably missing. >>> ASA1(config)# >>> >>> Is it because we can ONLY have either nat (inside) or nat (outside) in one >>> time or can we have both at the same time? >>> >>> If we can have both at the same time then why am I getting the above error? >>> >>> By the way, if I use static (outside,inside) command it works and I can >>> achieve the NAT goal. >>> >>> Best Regards. >>> ______________________ >>> Adil >>> >>> _______________________________________________ >>> For more information regarding industry leading CCIE Lab training, please >>> visit www.ipexpert.com >>> >>> Are you a CCNP or CCIE and looking for a job? Check out >>> www.PlatinumPlacement.com >>> >> >> >> _______________________________________________ >> For more information regarding industry leading CCIE Lab training, please >> visit www.ipexpert.com >> >> Are you a CCNP or CCIE and looking for a job? Check out >> www.PlatinumPlacement.com >> > > > _______________________________________________ > For more information regarding industry leading CCIE Lab training, please > visit www.ipexpert.com > > Are you a CCNP or CCIE and looking for a job? Check out > www.PlatinumPlacement.com >
_______________________________________________ For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com Are you a CCNP or CCIE and looking for a job? Check out www.PlatinumPlacement.com
