Posted by tman on June 21, 2008, 12:53 pm
> I am learning how to configure an ASA 5500. I am having a problem
> with NAT.
>
> It is my understanding that traffic will pass from a more secure
> interface to a less secure interface by default. I wanted hosts on
> the Inside interface to be able to ping hosts on both the Dmz and the
> Outside interfaces. The security levels are:
> Inside 100
> Outside 0
> Dmz 50
>
> I added ICMP to the Class inspection_default
>
> nat by default was:
>
> global (outside) 1 interface
> nat (inside) 1 0.0.0.0 0.0.0.0
>
> I added nat (dmz) 1 0.0.0.0 0.0.0.0
>
> I can ping hosts on the Outside interface from the Dmz.
> I cannot ping hosts on the Outside interface.
>
> Looks like, with my dim understanding of this, I missed something.
>
> I would appreciate any suggestions.
>
> Thanks
I figured out what the problem was by using that cool tool in the
ASDM, the Packet Tracer. It showed what access-list was stopping the
ping. It was the implied deny any at the end of the access-list that
I had, incorrectly, on the inside interface to allow DNS from the
hosts on the DMZ. It should have been on the DMZ interface.
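The misplacement described in the reply, shown in ASA configuration form as an added illustration (this is not configuration from the original post; the ACL name `dmz_dns_in` is constructed). The "before" binds the DNS ACL to the inside interface, where its implicit deny drops the inside hosts' pings; the "after" moves it to the DMZ interface it was written for.

```cisco
! --- Before (constructed example): DNS ACL bound to the wrong interface ---
! NAT/PAT as given in the post
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz) 1 0.0.0.0 0.0.0.0
!
! Intended to allow DNS queries from DMZ hosts (ACL name is constructed)
access-list dmz_dns_in extended permit udp any any eq domain
!
! WRONG: applied inbound on "inside". Every interface ACL ends with an
! implicit "deny ip any any", so inside-originated ICMP matches no permit
! line and is dropped, regardless of the 100 -> 50 / 100 -> 0 security levels.
access-group dmz_dns_in in interface inside

! --- After: same ACL bound to the interface whose hosts it governs ---
no access-group dmz_dns_in in interface inside
access-group dmz_dns_in in interface dmz
!
! With no ACL on inside, the security-level rule permits outbound traffic,
! and ICMP inspection (as the post added) lets the echo replies back in:
policy-map global_policy
 class inspection_default
  inspect icmp
```

Packet Tracer in ASDM (or `packet-tracer input inside icmp <src> 8 0 <dst>` at the CLI) shows the ACCESS-LIST phase as the drop point in the first configuration and as ALLOW in the second.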