I'm having a little problem getting traffic to flow out of a third interface on my Cisco ASA.
I have my networks set up like this:
inside (sec-100) - internal LAN
outside (sec-0) - public / internet
WAN (sec-100) - Ethernet link to the MPLS network to remote offices (ISP-assigned private address)
OK, so I'm getting confused with my NAT rules here. The routing is fine. The IP scheme of the network is as follows:
10.216.12.x /24 - inside
203.x.x.x /30 - outside
10.226.x.x /30 - WAN
10.226.x.x /30 - WAN interface at remote sites
Inside interfaces at remote sites: 10.216.x.0 /24 (x being different numbers). Each router has static routes (10.216.x.0 /24) to each other's WAN interface.
All sites can route between one another fine.
I can ping from the ASA out of the WAN interface to any device, although when trying to make connections to hosts using VNC, for example, I will see these debug messages:
6 Dec 17 2007 16:09:01 305011 10.216.12.145 10.224.33.146 Built dynamic TCP translation from inside:10.216.12.145/2598 to TMP-WAN(inside_nat_outbound):10.224.33.146/1027
6 Dec 17 2007 16:09:01 302013 10.216.12.145 10.216.32.101 Built inbound TCP connection 663 for inside:10.216.12.145/2598 (10.224.33.146/1027) to TMP-WAN:10.216.32.101/5900 (10.216.32.101/5900)
6 Dec 17 2007 16:09:06 305012 10.216.12.145 10.216.12.222 Teardown dynamic TCP translation from inside:10.216.12.145/2596 to inside(inside_nat_outbound):10.216.12.222/1134 duration 0:01:00
6 Dec 17 2007 16:09:06 305012 10.216.12.145 10.216.12.222 Teardown dynamic TCP translation from inside:10.216.12.145/2597 to inside(inside_nat_outbound):10.216.12.222/1135 duration 0:01:00
I am guessing it's a NAT issue. Can someone clarify what NAT rules I should have on the three interfaces and show examples, because I really suck with NAT commands and get confused easily.
I used ASDM to set this router up, and now there's a bunch of random ACLs I can see in the config which I am not sure what they are doing there. Here is the relevant config; can someone please advise what could be stopping traffic across the WAN link (but allowing ping)?
Note: 10.216.132.x, 136.x and 140.x are site-to-site VPNs, if anyone is wondering why they are in there.
Any insight would be greatly appreciated.
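An added example, not the poster's configuration and not the missing config excerpt from the post: a minimal pre-8.3 (nat/global era) ASA NAT layout for the three interfaces described above. It shows the usual split between PAT toward the internet and no translation toward an MPLS WAN whose routers already carry routes for the 10.216.x.0/24 networks. The interface names, the placeholder interface addresses, the 10.216.0.0/16 summary for the remote sites and the nat/global IDs are assumptions; the 10.216.12.0/24 inside network is the one given in the post. For orientation, the poster's 305011 log line shows the VNC attempt being PATed to the WAN interface address (TMP-WAN(inside_nat_outbound):10.224.33.146/1027), which is what a policy NAT rule using an ACL named inside_nat_outbound with a global on that interface produces; the exemption below would instead carry the 10.216.12.x source address across the WAN unchanged.

```cisco
! Added illustration, not the poster's running config.
! Interface names and the placeholder addresses (203.0.113.2, 10.226.0.2,
! 10.216.12.1) are assumptions; substitute the real ones.
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.252
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.216.12.1 255.255.255.0
!
interface Ethernet0/2
 nameif WAN
 security-level 100
 ip address 10.226.0.2 255.255.255.252
!
! inside and WAN share security-level 100; the ASA drops traffic between
! two same-security interfaces unless this is enabled.
same-security-traffic permit inter-interface
!
! Traffic to the remote-office LANs (and the 10.216.132/136/140 VPN subnets,
! which the /16 summary also covers) must keep its real source address:
! the MPLS routers route 10.216.x.0/24, not the ASA's WAN address.
! NAT exemption (nat 0 with an ACL) is checked before any other nat rule.
access-list inside_nat0_outbound extended permit ip 10.216.12.0 255.255.255.0 10.216.0.0 255.255.0.0
nat (inside) 0 access-list inside_nat0_outbound
!
! Everything else leaving inside is PATed to the outside interface address.
! There is deliberately no "global (WAN) 1": nothing should be PATed
! toward the MPLS side.
nat (inside) 1 10.216.12.0 255.255.255.0
global (outside) 1 interface
!
! Only needed if "nat-control" is enabled: connections initiated from the
! remote sites toward inside then also need an exemption on the WAN side.
access-list WAN_nat0_outbound extended permit ip 10.216.0.0 255.255.0.0 10.216.12.0 255.255.255.0
nat (WAN) 0 access-list WAN_nat0_outbound
```

After changing NAT rules, run `clear xlate` so existing dynamic translations (such as the ones in the 305011/305012 lines above) are discarded and rebuilt under the new policy. On ASA 7.2 and later, `packet-tracer input inside tcp 10.216.12.145 2598 10.216.32.101 5900` walks the same VNC flow through the rule base and reports which NAT rule matched and whether the result is ALLOW or DROP; `show xlate` then shows whether the 10.216.12.x source is still being translated toward WAN. If an access-group is applied inbound on the WAN interface, it must also permit the return traffic and any connections the remote sites initiate, because same-security interfaces only pass traffic without an ACL when no ACL is applied to them.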