Re: Bidirectional NAT from ccienovice_at_gmail.com on 2011-11-23 (Ccielab archives 11/2011)

From: <ccienovice_at_gmail.com>
Date: Wed, 23 Nov 2011 10:41:19 +0000

Hi Karim,

We have 2 ISP's coming on 2 different Routers. Each router is connecting to a firewall respectively. Both the firewalls are connecting to a L3 switch. L3 switch is load balancing the traffic. When the traffic is initiated from outside to internal servers the traffic is dropped due to TCP inspection on firewall. Now as destination is fixed for internal server we can add static route on L3 switch.

Cheers,
Nick
Sent on my BlackBerry. from Vodafone

-----Original Message-----
From: Karim Jamali <karim.jamali_at_gmail.com>
Date: Wed, 23 Nov 2011 13:20:24
To: Nick E<ccienovice_at_gmail.com>
Cc: <ccielab_at_groupstudy.com>
Subject: Re: Bidirectional NAT

Hi Nick,

The static nat is bidirectional by nature, i.e. it doesn't really care
where the connection is initiated from. I don't see the value of the other
nat statements. You would only need an access-list to permit traffic from
the outside zone to the server.

Thanks

On Tue, Nov 22, 2011 at 7:19 PM, Nick E <ccienovice_at_gmail.com> wrote:

> Hi,
>
> I have configured bidirectional NAT on ASA. The configuration is as
> follows:-
>
> ======================
> nat (outside) 4 access-list OUT-TO-SVR outside
> !
> global (inside) 4 172.30.30.1
> !
> access-list OUT-TO-SVR extended permit ip any host 192.168.10.1
> !
> static (inside,outside) 192.168.10.1 172.30.10.1 netmask 255.255.255.255
> ========================
>
> I am facing problem where the local ip is not getting translated to global
> but from internet the server is reachable. To be precise, server can't
> access internet but from internet the server is reachable.
>
> Please find the logs as follows:-
>
> %ASA-3-305005: No translation group found for icmp src INSIDE:172.30.10.1
> dst OUTSIDE:203.199.44.37 (type 8, code 0)
>
> Thanks in advance
>
> Regards,
> Nikhil
>
>
> Blogs and organic groups at http://www.ccie.net
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
>
>
>
>
>
>
>
>

-- 
KJ
Blogs and organic groups at http://www.ccie.net

Received on Wed Nov 23 2011 - 10:41:19 ART

This archive was generated by hypermail 2.2.0 : Thu Dec 01 2011 - 06:29:31 ART