Re: [OSL | CCIE_Security] 8.2 static outside NAT

Mon, 22 Apr 2013 14:51:54 -0700 

Did you try swapping the NAT statement (inside,outside).  Proxy arp would need 
to be enabled on the outside device for your NAT setup this way.

If that doesn't fix it, what ARP address does your device on the outside of the 
ASA see?  I'm assuming this isn't a context firewall, but just a single, routed 
mode, firewall.  
 
 
Regards,
Jay McMickle- 3x CCNP (R&S,Security,Design), CCIE #35355 (R&S)
 


________________________________
 From: Joe Astorino <[email protected]>
To: OSL Security <[email protected]> 
Sent: Monday, April 22, 2013 2:50 PM
Subject: [OSL | CCIE_Security] 8.2 static outside NAT
 


I could really use some clarification here. Here is my setup


ASA running 8.2 code.  nat-control is not enforced.  Requirement is that 
traffic destined to 192.168.10.241 on the inside will have the destination 
translated to 10.12.20.56 on the outside.  Conversely, traffic sourced from 
10.12.20.56 on the outside will have it's source translated to 192.168.10.241 
on the inside.


My solution


static (outside,inside) 192.168.10.241 10.12.20.56 netmask 255.255.255.255



Now, I assumed going from inside --> outside routing happens first.  So, I 
added a route like so
route (outside) 192.168.10.241 255.255.255.255 outside_next_hop


This failed to work.  Only when I add a static route pointing outside for the 
REAL address does this work.  This is baffling me.


Also, when running packet-tracer the first step is UN-NAT which I've never 
heard of before and can't find much information on.  Can anybody explain why 
routing is happening POST nat here???

-- 
Regards,

Joe Astorino
CCIE #24347
http://astorinonetworks.com

"He not busy being born is busy dying" - Dylan

_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit 
www.ipexpert.com

Are you a CCNP or CCIE and looking for a job? Check out 
www.PlatinumPlacement.com
_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit 
www.ipexpert.com

Are you a CCNP or CCIE and looking for a job? Check out 
www.PlatinumPlacement.com

Reply via email to