ASA5505 Natting query

Feb 9th, 2009

Hi experts,

We've got an IPsec VPN between our sites that has been working for 2 years now without issue. Now we enabled the phone proxy feature of the ASA and have it working without problem. However, after adding the phone proxy, we cannot reach the inside network of site B from the inside (LAN) of site A. There's a different VLAN on the LAN at site A: say the ASA (site A) is on VLAN 20 and the PC connected to the 6500 is on VLAN 10. The PC on VLAN 10 connected to the LAN (6500) cannot ping the inside of site B, which was working before the phone proxy was enabled.


LAN (6500)---ASA(siteA)---vpn---ASA(siteB)--Lan.


Original config (without the phone proxy):
==================
access-list 101 extended permit ip x.x.x.x y.y.y.y
access-list 111 extended permit ip host x.x.x.y host x.y.y.y
nat (inside) 0 access-list 101
access-group 111 in interface outside

With phone proxy:
=====================================
access-list 101 extended permit ip x.x.x.x y.y.y.y
access-list 111 extended permit ip host x.x.x.y host x.y.y.y
global (inside) 55 interface
nat (inside) 0 access-list 101
nat (outside) 55 0.0.0.0 0.0.0.0 outside
access-group 111 in interface outside
=========================================


Any workaround?

Thanks






redrobish Tue, 02/17/2009 - 15:42

Hi,


It's already fixed! Sorry, forgot to update this.

Anyway, I've performed PAT on the specific IP address of the phone on the outside going inbound through the firewall instead of performing PAT on all outside traffic going inbound, like this:


nat (outside) 10 x.x.x.x 255.255.255.255 outside

global (inside) 10 interface


Thanks Andrew for the help though! I'll rate your help...
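
One way to check a pre-8.3 ASA configuration for the condition described in this thread, as an added example that is not part of the original posts: it flags `nat (...) ... outside` rules whose source range is wider than a single host. The function name `audit_outside_nat`, the `max_hosts` threshold and the address 192.0.2.50 (a stand-in for the redacted phone address) are assumptions.

```python
import ipaddress
import re

# Pre-8.3 ASA syntax: nat (real_ifc) nat_id real_ip mask [outside]
NAT_RE = re.compile(
    r"^nat \((?P<ifc>\S+)\) (?P<id>\d+) (?P<ip>\d+\.\d+\.\d+\.\d+) "
    r"(?P<mask>\d+\.\d+\.\d+\.\d+)(?P<outside> outside)?\s*$"
)
GLOBAL_RE = re.compile(r"^global \((?P<ifc>\S+)\) (?P<id>\d+) (?P<pool>.+?)\s*$")

# The two NAT-related variants from the thread. 192.0.2.50 is a constructed
# placeholder for the phone address the poster redacted as x.x.x.x.
BROAD = """
global (inside) 55 interface
nat (inside) 0 access-list 101
nat (outside) 55 0.0.0.0 0.0.0.0 outside
"""
FIXED = """
nat (inside) 0 access-list 101
nat (outside) 10 192.0.2.50 255.255.255.255 outside
global (inside) 10 interface
"""


def audit_outside_nat(config: str, max_hosts: int = 1):
    """Return one finding per outside dynamic NAT/PAT rule wider than max_hosts."""
    lines = [line.strip() for line in config.splitlines()]
    globals_by_id = {}
    for line in lines:
        m = GLOBAL_RE.match(line)
        if m:
            globals_by_id.setdefault(m["id"], []).append((m["ifc"], m["pool"]))
    findings = []
    for line in lines:
        m = NAT_RE.match(line)
        # Skip non-matching lines, inside-sourced rules and nat id 0 (exemption).
        if not m or not m["outside"] or m["id"] == "0":
            continue
        net = ipaddress.ip_network(f"{m['ip']}/{m['mask']}", strict=False)
        if net.num_addresses > max_hosts:
            findings.append({"rule": line, "sources": str(net),
                             "mapped_to": globals_by_id.get(m["id"], [])})
    return findings


if __name__ == "__main__":
    for finding in audit_outside_nat(BROAD):
        print("broad outside NAT:", finding)
```
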

