[c-nsp] vs nat on a asa5506-x

Nick Cutting ncutting at edgetg.co.uk
Thu Mar 24 02:59:15 EDT 2016


5505 is a switch with SVIs
5506 is a "proper" firewall, no bridge domain

Can you try it without ANY in both of the interfaces?
Nat MUST be written from higher to lower sec interface to work.
Nat (any,outside) static 87.87.87.87

Or even better, don’t use object NAT, use static/double nat - and put entries for all interfaces.

-----Original Message-----
From: cisco-nsp [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Arne Larsen
Sent: 24 March 2016 05:20
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] vs nat on a asa5506-x

Hi all

I’m trying to set up NAT on a Cisco asa5506-x, but without any luck.

I have an interface connected to a vrf with an RFC1918 address, but management from this vrf is using public addresses.

So what I’m trying is making a static NAT between these two addresses.

Something like this:

-------------------------------------
Object network MNG_outside
Host 192.168.1.1
Nat(any,any) static 87.87.87.87
---------------------------------------

But the sessions are being rejected.

The packet-tracer seems to accept the call.

It works on a 5505, but I just get a reset from the 5506.

As far as I know the 5506 is a replacement product for 5505.

Has anyone done something like this on a 5506?


/Arne
