We're Sorry, Full Content Access is for Members Only...

If you like to keep on reading, Become a Member Now! Here is Why:

  • Learn any CCNA, CCNP and CCIE R&S Topic. Explained As Simple As Possible.
  • Try for Just $1. The Best Dollar You've Ever Spent on Your Cisco Career!
  • Full Access to our 599 Lessons. More Lessons Added Every Week!
  • Content created by Rene Molenaar (CCIE #41726)


401 New Members signed up the last 30 days!


100% Satisfaction Guaranteed!
You may cancel your monthly membership at any time.
No Questions Asked!

Tags: ,

Forum Replies

  1. Renee

    Great lab this one … just out of interest I wanted to see what would happen … (the lab was so succcessful i had to try something to mess it up …) … if I also removed the ip default gateway from the host too (as well as removing the default gateway from the webserver) and it still worked … should this have been the case ? and if so can you explain how the #host (ping) could still get to through to the webserver … jsut curious really if you can have a look

    thanks again

  2. Hello AZM

    The ARP request would come from the 3560 router saying “I need the MAC address of the device which has an IP address of” Because ASA0 is configured with the specific NAT configurations, it knows that it must respond to any ARP requests for addresses in the range of to Similarly, ASA1 knows that it is responsible to answer any ARP requests for addresses in the range of to When ASA1 gets the ARP request, it will discard it, while ASA0 will take it and answer with the appropriate MAC address.

    No, this is not possible. If you configured both ASAs to NAT the same external IP address, for example,, then any ARP request coming from the 3560 for this IP address would be responded to by both ASAs. You would essentially have an IP address conflict on the subnet. In order to have this work, the two ASAs must be differentiated based on Port Number, something that cannot be achieved on layers 2 and 3.

    I hope this has been helpful!


  3. Hi @kayoutoure,

    With the ip nat inside source static command, you’ll need an inside local + inside global address. The inside local can be any address that is routable on the inside. For the inside global address, you can pick any IP address that falls within the network of any of your interfaces that has the ip nat outside command. Usually, you’ll pick the IP address on your outside interface, but this is not really required. For example, this also works:

    Let’s create a new loopback:

    NAT(config)#interface loopback 0
    NAT(config-if)#ip nat outside 
    NAT(config-if)#ip address
    NAT(config)#ip nat inside source static 
 belongs to the network on loopback 0. Let’s enable a debug on the “host”:

    HOST#debug ip packet 
    IP packet debugging is on

    And do a quick ping:

    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to, timeout is 2 seconds:
    Success rate is 100 percent (5/5), round-trip min/avg/max = 6/7/9 ms

    Which works:

    IP: s= (GigabitEthernet0/1), d=, len 100, input feature, MCI Check(109), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE

18 more replies! Ask a question or join the discussion by visiting our Community Forum