Had to PAT (not NAT) inside connections to ACE on DMZ

Unanswered Question

I have an ACE on an ASA DMZ. From my client on the inside, and with NATing on the DMZ interface where the ACE is, I could not hit the ACE (a.k.a wouldn't be served web pages). ACE service-policy doesn't show any hits or client byte counts. However, of the inside connects are PATed (using the DMZ interface), loadbalancing works fine. The NAT pool being used for the DMZ is within the same address range as the interface itself. Subnet masks look good. CSS on the DMZ works fine without PAT. Any ideas why I have to do this for the ACE?

Note: I am also NATing on the ACE for client source addresses.

It is very odd that the ACE wouldn't even show hits with NAT. I could PING the ACE from the ASA prior to PAT.

THANKS for any ideas!

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
Frederick Reimer Fri, 08/22/2008 - 12:34
User Badges:

It is a little unclear where you are doing the NAT/PAT, on the ASA or on the ACE. I suspect that the NAT/PAT is on the ASA though, and hence this would not be an ACE issue. If you want to post the relevant config (change the IP's if you have to) we can take a look at it.

Frederick Reimer Fri, 08/22/2008 - 13:16
User Badges:

So do you have sysopt proxy arp turned off for the DMZ interface, because that would cause that issue. Send a config.

Frederick Reimer Fri, 08/22/2008 - 19:16
User Badges:

The NAT statements are kind of confused. You have a nat 0 on the inside interface, but the ACL is not defined. Next considered are static NAT and PAT, and there are none between inside and outside-ptz interfaces. Next considered is policy NAT, you have policy NAT on inside interface with ACL ace number 77, which maps to your global for outside-ptz interface PAT. So what's your interface on outside-ptz? Looks like it is 192.168.50.251. However, the other globals for the outsize-ptz interface, presumably what you were trying to NAT to, are 192.168.49.1 - 192.168.49.200. A NAT range, or PAT address, does not have to be physically present on the interface, but there would need to be a route on the ACE (or any other devices) for the 192.168.49.0/24 network pointing back to the ASA (192.168.50.251) in order for that to work.


Actions

This Discussion