Nat problem

Unanswered Question
Nov 18th, 2008

Hi, I have a problem: I have a server (10.20.2.20) on the dmz1 interface of a remote site, but I cannot access it from the inside interface. I have posted all the NAT rules configured on the firewall (ASA 5510, version 7.2). This remote site is connected to our HQ with a site-to-site VPN. Hence the 10.20.1.0 network must be in the nat 0 rule, but how will the inside 10.20.1.0 access the 10.20.2.0 network and at the same time our HQ through the VPN?

Thank you...

access-list test extended permit ip any any

nat-control

global (outside) 1 interface

nat (inside) 0 access-list test

nat (inside) 1 10.20.1.0 255.255.255.0

static (inside,outside) tcp 192.168.1.2 https 10.20.1.240 https netmask 255.255.255.255

static (inside,outside) tcp 192.168.1.2 www 10.20.1.240 www netmask 255.255.255.255

static (inside,dmz1) 10.20.1.20 10.20.1.20 netmask 255.255.255.255

static (inside,dmz1) 10.20.1.21 10.20.1.21 netmask 255.255.255.255

static (inside,dmz1) 10.20.1.22 10.20.1.22 netmask 255.255.255.255

static (inside,dmz1) 10.20.1.23 10.20.1.23 netmask 255.255.255.255

access-group OUTSIDE in interface outside

access-group INSIDE in interface inside

access-group DMZ1 in interface dmz1

andrew.prince@m... Wed, 11/19/2008 - 02:44

Is the config you posted for the HQ or remote site, as you state "Hi, I have a problem i have a server (10.20.2.20) on the dmz1" but the config states "static (inside,dmz1) 10.20.1.20 10.20.1.20 netmask 255.255.255.255"

Different 3rd octets??

michalis1234 Wed, 11/19/2008 - 03:45

The config is for the remote site,

I have tried as well the statement

static (inside,dmz1) 10.20.2.20 10.20.2.20 netmask 255.255.255.255

But it does not work!!!

andrew.prince@m... Wed, 11/19/2008 - 03:48

Firstly

1) Your NAT statements look the wrong way around; change to:

static (dmz1,inside) 10.20.2.20 10.20.2.20 netmask 255.255.255.255

2) What is the IP subnet of the HQ site?

3) You have to make sure the remote DMZ IP subnet is in the VPN encryption domains

4) You have to make sure the remote DMZ IP subnet is in the no-nat VPN statements.

Check the above.
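The three configuration points in the reply above (static direction, DMZ subnet in the VPN encryption domain, DMZ subnet in the no-NAT statements) can be checked mechanically. The following is an added example, not code from this thread or from Cisco: a small hypothetical linter for ASA 7.x-style config lines. The sample config is constructed using the example addressing from the thread (10.20.1.0/24 inside, 10.20.2.0/24 dmz1, 192.168.1.0/24 at HQ), and the `crypto map ... match address` line and the `dmz1_nat0_outbound` ACL name are assumptions, since the thread does not show them. Object-groups and port-forwarding statics are skipped rather than expanded.

```python
"""Lint ASA 7.x NAT/VPN lines for the three issues raised in the thread:
a reversed static, and a DMZ subnet missing from the no-NAT ACL and from
the crypto-map (encryption domain) ACL. Hypothetical checker, not Cisco code."""
import ipaddress
import re

# Constructed sample modelled on the thread's example addressing (not the poster's real config).
BROKEN_CONFIG = """\
interface Ethernet0/1
 nameif inside
 ip address 10.20.1.254 255.255.255.0
interface Ethernet0/2
 nameif dmz1
 ip address 10.20.2.253 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.20.1.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list outside_cryptomap_20 extended permit ip 10.20.1.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
static (inside,dmz1) 10.20.2.20 10.20.2.20 netmask 255.255.255.255
crypto map outside_map 20 match address outside_cryptomap_20
"""

# Same site with the three corrections applied (ACL name dmz1_nat0_outbound is an assumption).
FIXED_CONFIG = BROKEN_CONFIG.replace(
    "static (inside,dmz1) 10.20.2.20", "static (dmz1,inside) 10.20.2.20"
) + """\
access-list dmz1_nat0_outbound extended permit ip 10.20.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list outside_cryptomap_20 extended permit ip 10.20.2.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (dmz1) 0 access-list dmz1_nat0_outbound
"""

# static (real_ifc,mapped_ifc) mapped_ip real_ip netmask mask  (port statics deliberately not matched)
STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) (\S+) (\S+) netmask (\S+)")
NAT0_RE = re.compile(r"^nat \((\w+)\) 0 access-list (\S+)")
CRYPTO_RE = re.compile(r"^crypto map \S+ \d+ match address (\S+)")


def _addr(tok, i):
    """Read one ACL address spec starting at tok[i]; return (network or None, next index)."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    if tok[i] == "object-group":
        return None, i + 2  # groups are not expanded by this toy parser
    return ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}", strict=False), i + 2


def parse_asa(text):
    """Extract interface subnets, 'permit ip' ACL entries, statics, nat 0 and crypto ACL names."""
    cfg = {"ifaces": {}, "acls": {}, "statics": [], "nat0": {}, "crypto_acls": set()}
    nameif = None
    for raw in text.splitlines():
        line = raw.strip()
        tok = line.split()
        if not tok:
            continue
        if tok[0] == "interface":
            nameif = None
        elif tok[0] == "nameif":
            nameif = tok[1]
        elif tok[:2] == ["ip", "address"] and nameif:
            cfg["ifaces"][nameif] = ipaddress.ip_network(f"{tok[2]}/{tok[3]}", strict=False)
        elif tok[0] == "access-list" and tok[2:5] == ["extended", "permit", "ip"]:
            src, i = _addr(tok, 5)
            dst, _ = _addr(tok, i)
            if src is not None and dst is not None:
                cfg["acls"].setdefault(tok[1], []).append((src, dst))
        elif m := STATIC_RE.match(line):
            cfg["statics"].append(m.groups())
        elif m := NAT0_RE.match(line):
            cfg["nat0"][m.group(1)] = m.group(2)
        elif m := CRYPTO_RE.match(line):
            cfg["crypto_acls"].add(m.group(1))
    return cfg


def check_static_direction(cfg):
    """The real IP of a static must live on the real (first) interface, not the mapped one."""
    findings = []
    for real_if, mapped_if, mapped_ip, real_ip, _mask in cfg["statics"]:
        real = ipaddress.ip_address(real_ip)
        on_real = real_if in cfg["ifaces"] and real in cfg["ifaces"][real_if]
        on_mapped = mapped_if in cfg["ifaces"] and real in cfg["ifaces"][mapped_if]
        if not on_real and on_mapped:
            findings.append(f"static ({real_if},{mapped_if}) {mapped_ip} {real_ip}: real host lives on "
                            f"{mapped_if}; reverse to static ({mapped_if},{real_if})")
    return findings


def _covers(acl_entries, net):
    """True if some ACL entry's source network contains the whole subnet."""
    return any(net.subnet_of(src) for src, _dst in acl_entries)


def check_vpn_coverage(cfg, dmz_if="dmz1"):
    """DMZ subnet must be NAT-exempt (nat 0) and inside a crypto-map match-address ACL."""
    findings = []
    dmz_net = cfg["ifaces"].get(dmz_if)
    if dmz_net is None:
        return [f"no ip address found for interface {dmz_if}"]
    nat0_acl = cfg["nat0"].get(dmz_if)
    if nat0_acl is None or not _covers(cfg["acls"].get(nat0_acl, []), dmz_net):
        findings.append(f"{dmz_net} is not NAT-exempt: add nat ({dmz_if}) 0 access-list with that source")
    if not any(_covers(cfg["acls"].get(n, []), dmz_net) for n in cfg["crypto_acls"]):
        findings.append(f"{dmz_net} is not in any crypto map match-address ACL (VPN encryption domain)")
    return findings


def lint(text, dmz_if="dmz1"):
    cfg = parse_asa(text)
    return check_static_direction(cfg) + check_vpn_coverage(cfg, dmz_if)


if __name__ == "__main__":
    for name, text in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG)):
        print(name, lint(text) or "no findings")
```

Running it reports three findings for the constructed broken config (reversed static, no nat 0 for dmz1, DMZ subnet absent from the crypto ACL) and none for the corrected one. The subnet comparison uses `subnet_of`, so an `any` entry in the no-NAT ACL is accepted as covering the DMZ; whether that is desirable is a policy question, and the point of the check is only to make a missing entry visible before VPN traffic is debugged by hand.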

michalis1234 Wed, 11/19/2008 - 04:11

1) I did it.

2) 192.x.x.x is the IP addressing of the HQ site.

3) ?

4) I did that as well.

It did not work.

michalis1234 Wed, 11/19/2008 - 04:37

!

interface Ethernet0/0

'outside' vlan port

nameif outside

security-level 0

ip address x.x.x.1 255.255.255.0

!

interface Ethernet0/1

'inside' vlan port

nameif inside

security-level 100

ip address 10.8.1.254 255.255.255.0

!

interface Ethernet0/2

vlan port

nameif dmz1

security-level 50

ip address 10.8.2.253 255.255.255.0

access-list inside_nat0_outbound extended permit ip any 10.8.10.0 255.255.255.128

access-list inside_nat0_outbound extended permit ip any 192.168.0.0 255.255.255.0

access-list inside_nat0_outbound extended permit ip any 10.0.0.0 255.255.255.0

access-list inside_nat0_outbound extended permit ip 10.8.1.0 255.255.255.0 10.8.10.0 255.255.255.128

access-list inside_nat0_outbound extended permit ip object-group Local-Network object-group xxxxxk

access-list inside_nat0_outbound extended permit ip 10.8.1.0 255.255.255.0 10.8.2.0 255.255.255.0

access-list inside_nat0_outbound extended permit ip any 192.168.121.0 255.255.255.0

access-list outside_access_in extended permit icmp any any

access-list outside_access_in extended permit tcp any object-group SMTP-HTTPS-HTTP host 192.168.1.2

access-list outside_cryptomap_20 extended permit ip object-group Local-Network object-group xxxxx

access-list outside_cryptomap_20 extended permit ip object-group Local-Network host x.x.x.1

access-list dmz1_nat0_outbound extended permit ip any 10.0.0.0 255.255.255.0

access-list inside_nat0_outbound_dyn_vpn extended permit ip 10.8.1.0 255.255.255.0 10.8.10.0 255.255.255.0

access-list DMZ1_INSIDE extended permit ip host 10.8.2.250 host 10.8.1.239

access-list DMZ1_INSIDE extended permit ip host 10.8.2.250 host 10.8.1.240

access-list DMZ1_INSIDE extended permit ip host 10.8.2.250 host 10.8.1.236

access-list DMZ1_INSIDE extended permit ip host 10.8.2.250 host 10.8.1.237

access-list OUTSIDE_IN extended permit tcp any any eq smtp

access-list OUTSIDE_IN extended permit tcp any any eq https

access-list OUTSIDE_IN extended permit tcp any any eq www

access-list OUTSIDE_IN extended permit tcp any any eq 1801

access-list OUTSIDE_IN extended permit ip host x.x.x.x any

access-list INSIDE_ACCESS_IN extended permit ip host 10.8.1.236 any

access-list INSIDE_ACCESS_IN extended permit ip host 10.8.1.237 any

access-list INSIDE_ACCESS_IN extended permit ip host 10.8.1.240 any

access-list INSIDE_ACCESS_IN extended permit ip host 10.8.1.4 any

access-list INSIDE_ACCESS_IN extended permit ip host 10.8.1.156 any

access-list INSIDE_ACCESS_IN extended deny tcp any any eq smtp

access-list INSIDE_ACCESS_IN extended permit ip any any

access-list INSIDE_ACCESS_IN extended permit ip host 10.8.1.200 any

access-list INSIDE_ACCESS_IN extended permit ip host 10.8.1.239 host 10.8.2.250 log

access-list xxxxx extended permit ip any any

pager lines 24

logging enable

logging timestamp

logging monitor debugging

logging trap informational

logging asdm informational

logging host outside x.x.x.x

mtu outside 1500

mtu inside 1500

mtu dmz1 1500

mtu management 1500

icmp permit any outside

asdm image disk0:/asdm512-k8.bin

no asdm history enable

arp timeout 14400

nat-control

global (outside) 1 interface

nat (inside) 0 access-list xxxxx

nat (inside) 1 10.8.1.0 255.255.255.0

static (inside,outside) tcp 192.168.1.2 https 10.8.1.240 https netmask 255.255.255.255

static (inside,outside) tcp 192.168.1.2 www 10.8.1.240 www netmask 255.255.255.255

static (inside,dmz1) 10.8.1.239 10.8.1.239 netmask 255.255.255.255

static (inside,dmz1) 10.8.1.240 10.8.1.240 netmask 255.255.255.255

static (inside,dmz1) 10.8.1.236 10.8.1.236 netmask 255.255.255.255

static (inside,dmz1) 10.8.1.237 10.8.1.237 netmask 255.255.255.255

access-group OUTSIDE_IN in interface outside

access-group INSIDE_ACCESS_IN in interface inside

access-group DMZ1_INSIDE in interface dmz1

andrew.prince@m... Wed, 11/19/2008 - 04:53

What config is this? The DMZ IP range is 10.8.x.x, not 10.20.x.x, and there is no 192.168??

Which site is this?

michalis1234 Wed, 11/19/2008 - 04:56

This is the correct remote site; before, I used examples of IP addresses.

Posted November 18, 2008 at 11:27 PM