I'm not sure if this would be better suited to the R&S forums, but I figure some
security people must have worked on something similar...
I have an ASA sitting behind a 2800 router with 2 Internet circuits. I'm trying to
NAT everything from the ASA inbound & outbound.
I can't ping from the DMZ to the inside of the router; ICMP is allowed. I can't
see any denies in the logs either, yet I can see an e-mail appliance (192.168.10.9)
getting NAT'd and I know it's receiving updates:
tcp 83.x.x.69:80 192.168.10.9:80 184.108.40.206:52782 220.127.116.11:52782
I was trying to do the NAT on the ASA but I've wiped that so now there's just a
172.16.90.2 address on the outside interface as well as the Inside (10.1.10.0/24)
and DMZ (192.168.10.0/24) interfaces.

description Link to Outside Interface of ASA
ip address 172.16.90.1 255.255.255.0
ip nat inside

description Primary Circuit
ip address 83.x.x.66 255.255.255.248
ip nat outside

description Backup Circuit
ip address 89.x.x.159 255.255.255.254
ip nat outside

ip route 0.0.0.0 0.0.0.0 FastEthernet0/0/0
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/1
ip route 83.x.x.64 255.255.255.248 GigabitEthernet0/0
ip route 89.x.x.159 255.255.255.255 GigabitEthernet0/0
ip route 10.1.1.0 255.255.255.0 GigabitEthernet0/0
ip route 192.168.10.0 255.255.255.0 GigabitEthernet0/0

ip nat pool NAT_INT 83.x.x.67 83.x.x.69 prefix-length 29
ip nat inside source list 11 pool NAT_INT overload

access-list 11 permit any
access-list 11 permit 192.168.10.0 0.0.0.255
access-list 11 permit 10.1.1.0 0.0.0.255
access-list 11 permit 172.16.90.0 0.0.0.255

I'm trying to figure out where things are going wrong. The packet-tracer on the ASA
suggests everything is fine there, and there doesn't seem to be a whole lot going on
with the NAT... maybe something on the routing...
Anybody got any ideas?!