ASA NAT problem?

cmpiontek
Level 1

I have two interfaces that I am trying to communicate. VPNaccess is security level 100 and DMZ-50 is a SL50. Default rules. Below are the NATs currently in place. When I try to ping 172.16.50.21 I get the following 305005 No translation group for icmp src VPNaccess:CyndiWS dst DMZ-50:syslog1.

When I try to ping 10.11.2.121 - nothing.

TAC told me to put in 'static (VPNaccess,DMZ-50) 10.0.0.0 10.0.0.0'

that didn't work either.

Any ideas?

interface Ethernet0/2
 description vpn access for technicians
 nameif VPNaccess
 security-level 100
 ip address 10.11.2.111 255.255.255.0
!
interface Ethernet0/3
 description Logging servers
 nameif DMZ-50
 security-level 50
 ip address 172.16.50.1 255.255.255.0
!
name 172.16.50.21 syslog1
name 10.31.103.86 CyndiWS
nat-control
global (outside) 15 66.x.x.190 netmask 255.255.255.255
global (inside) 5 172.16.11.190 netmask 255.255.255.255
global (VPNaccess) 10 10.11.2.120 netmask 255.255.255.255
global (DMZ-50) 20 172.16.50.2 netmask 255.255.255.255
static (DMZ-50,outside) 66.x.x.132 inspector netmask 255.255.255.255
static (DMZ-50,VPNaccess) 10.11.2.121 syslog1 netmask 255.255.255.255
static (VPNaccess,DMZ-50) 10.0.0.0 10.0.0.0 netmask 255.0.0.0

5 Replies

Try using this static instead of the one the TAC told you:

static (VPNaccess,DMZ-50) 10.11.2.0 10.11.2.0

That's not the problem. 10.0.0.0/8 and 10.11.2.0/16 would both include the inside host in question.

The problem is you have a destination nat for the host you are pinging in the dmz.

static (DMZ-50,VPNaccess) 10.11.2.121 syslog1 netmask 255.255.255.255

To ping syslog1 via its dmz address (172.16.50.21) you would have to remove that destination nat.

Otherwise you have to ping it by 10.11.2.121.

The static that TAC gave you will allow you to ping any other dmz address.

Please rate helpful posts.
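To make the reasoning in the reply above concrete, here is a small model of how the pre-8.3 PIX/ASA static lookup behaves under nat-control. It is an added example written for this thread, not the poster's config or Cisco code: the name and static lines embedded in it are the ones quoted in the question, but the lookup order and the drop reasons are a simplified model of the behaviour the replies describe, not Cisco's real code path. It shows the three cases the thread walks through: no source translation at all (syslog 305005), the destination static forcing syslog1 to be reached as 10.11.2.121, and the identity static TAC suggested (note that without a netmask a static covers a single host, so 'static (VPNaccess,DMZ-50) 10.0.0.0 10.0.0.0' as typed in the question covers only 10.0.0.0 itself; the version in the config listing has netmask 255.0.0.0).

```python
"""Model of pre-8.3 PIX/ASA 'static' lookups under nat-control (added example, not
the thread's config or Cisco code). Lookup order and drop reasons are a simplified
model of the behaviour described in the replies, not Cisco's actual code path."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

STATIC_RE = re.compile(
    r"static \((?P<real_ifc>[\w-]+),(?P<mapped_ifc>[\w-]+)\)\s+"
    r"(?P<mapped>\S+)\s+(?P<real>\S+)(?:\s+netmask\s+(?P<mask>\S+))?"
)


@dataclass(frozen=True)
class Static:
    real_ifc: str                     # interface where the real hosts live
    mapped_ifc: str                   # interface on which they appear as 'mapped'
    mapped: ipaddress.IPv4Network
    real: ipaddress.IPv4Network


@dataclass(frozen=True)
class Verdict:
    action: str                       # "pass" or "drop"
    src: Optional[str]                # translated source, if passed
    dst: Optional[str]                # untranslated destination, if passed
    reason: str


def parse_names(lines):
    """Collect 'name <ip> <alias>' lines into an alias -> ip map."""
    return {p[2]: p[1] for p in (ln.split() for ln in lines)
            if len(p) == 3 and p[0] == "name"}


def parse_static(line, names):
    m = STATIC_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a static line: {line!r}")
    # With no 'netmask' keyword a static covers a single host (255.255.255.255).
    mask = m.group("mask") or "255.255.255.255"
    mapped = names.get(m.group("mapped"), m.group("mapped"))
    real = names.get(m.group("real"), m.group("real"))
    return Static(m.group("real_ifc"), m.group("mapped_ifc"),
                  ipaddress.IPv4Network(f"{mapped}/{mask}", strict=False),
                  ipaddress.IPv4Network(f"{real}/{mask}", strict=False))


def parse_config(text):
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    names = parse_names(lines)
    statics = [parse_static(ln, names) for ln in lines if ln.startswith("static ")]
    return names, statics, "nat-control" in lines


def shift(ip, from_net, to_net):
    """Translate ip to the same offset inside to_net (net-to-net static)."""
    return ipaddress.IPv4Address(
        int(to_net.network_address) + (int(ip) - int(from_net.network_address)))


def lookup(statics, src_ifc, src_ip, dst_ifc, dst_ip, nat_control=True):
    src, dst = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)

    # Step 1: the source needs a real->mapped rule from src_ifc to dst_ifc.
    # Under nat-control, no rule means the packet is dropped and 305005 is logged.
    xlate_src = None
    for s in statics:
        if s.real_ifc == src_ifc and s.mapped_ifc == dst_ifc and src in s.real:
            xlate_src = shift(src, s.real, s.mapped)
            break
    if xlate_src is None:
        if nat_control:
            return Verdict("drop", None, None,
                           f"305005 No translation group for src {src_ifc}:{src} "
                           f"dst {dst_ifc}:{dst}")
        xlate_src = src

    # Step 2: a host on dst_ifc that has a static toward src_ifc is only reachable
    # through its mapped address. Sending to its real address is dropped, which is
    # what the thread saw until the (DMZ-50,VPNaccess) static was removed.
    for s in statics:
        if s.real_ifc == dst_ifc and s.mapped_ifc == src_ifc:
            if dst in s.mapped:
                return Verdict("pass", str(xlate_src), str(shift(dst, s.mapped, s.real)),
                               f"destination untranslated by static ({s.real_ifc},{s.mapped_ifc})")
            if dst in s.real:
                return Verdict("drop", None, None,
                               f"{dst} has a static toward {src_ifc}; reach it as "
                               f"{shift(dst, s.real, s.mapped)}")
    return Verdict("pass", str(xlate_src), str(dst), "destination used as-is")


# The name and static lines from the thread that sit on the VPNaccess -> DMZ-50 path.
THREAD_CONFIG = """\
name 172.16.50.21 syslog1
name 10.31.103.86 CyndiWS
nat-control
static (DMZ-50,VPNaccess) 10.11.2.121 syslog1 netmask 255.255.255.255
static (VPNaccess,DMZ-50) 10.0.0.0 10.0.0.0 netmask 255.0.0.0
"""

if __name__ == "__main__":
    names, statics, nc = parse_config(THREAD_CONFIG)
    for target in ("172.16.50.21", "10.11.2.121"):
        print(target, lookup(statics, "VPNaccess", names["CyndiWS"], "DMZ-50", target, nc))
```

Dynamic nat/global pairs are not modelled, only statics; for the VPNaccess-to-DMZ-50 path in the question that is enough, since the only rules on that path are the two statics.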

OK, so I removed the static 10.11.2.121 and ping 172.16.50.21 and it works.

I put the static back in and ping 10.11.2.121 and the packet doesn't go through. I have scopes on both sides and it is never presented in the DMZ. Should it work that way?

"OK, so i removed the static 10.11.2.121 and ping 172.16.50.21 and it works."

-Good.

"I put the static back in and ping 10.11.2.121 and the packet doesn't go through."

-Did you try a clear xlate?

"I have scopes on both sides and it is never presented in the DMZ. Should it work that way?"

-Could you explain what you mean?

Make sure 10.11.2.121 is not used by any machine in vpnaccess interface. 10.11.2.121 has to be a free public IP address, otherwise when you try to ping 10.11.2.121, the packets may go to the actual machine rather than going to the PIX.

If it is indeed a free IP address, then do "debug icmp trace" or collect syslogs as you try to ping 10.11.2.121 and see if the ICMP requests are even reaching the PIX or not.
