ASA 5510 Without NAT and Same Security Level

Jul 28th, 2009

Hi Team,

Can you please assist me with the following.

I have an ASA5510 with the below configuration:

Inside: 10.30.0.x/24

VPN: 10.1.48.218

Outside: a.a.a.a

Internet connectivity is working perfectly fine with NAT translation.

The VPN interface connects to a VPN link and the destination network is 10.10.10.x/24. I have configured the interface and routing in the ASA but no luck with reaching the destination network 10.10.10.x/24. I do not want traffic to be NATed when it goes on the VPN link through the VPN interface.

Running config below:

----------------------

dns-guard
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address a.a.a.a 255.255.255.252
!
interface Ethernet0/1
 description Inside Network
 nameif inside
 security-level 100
 ip address 10.30.0.1 255.255.255.0
!
interface Ethernet0/2
 description VPN
 nameif VPN
 security-level 0
 ip address 10.1.48.218 255.255.255.252
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
ftp mode passive
dns domain-lookup inside
dns server-group DefaultDNS
 name-server m.m.m.m
 domain-name default.domain.invalid
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group protocol DM_INLINE_PROTOCOL_1
 protocol-object ip
 protocol-object gre
access-list out extended permit tcp any host a.a.a.a eq 3389 log disable
access-list out extended permit icmp any any
access-list out extended permit gre any 10.30.0.0 255.255.255.0
access-list out extended permit ip any 10.30.0.0 255.255.255.0
access-list inside extended permit icmp any any
access-list inside_access_in extended permit icmp 10.30.0.0 255.255.255.0 any
access-list inside_access_in extended permit object-group DM_INLINE_PROTOCOL_1 10.30.0.0 255.255.255.0 any
access-list VPN_access_in extended permit ip any 10.30.0.0 255.255.255.0 log disable
pager lines 24
logging enable
logging asdm critical
mtu outside 1500
mtu inside 1500
mtu management 1500
mtu VPN 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-603.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface 3389 x.x.x.x 3389 netmask 255.255.255.255
access-group out in interface outside
access-group inside_access_in in interface inside
access-group VPN_access_in in interface VPN
route outside 0.0.0.0 0.0.0.0 b.b.b.b 1
route inside 10.10.10.0 255.255.255.0 10.1.48.217 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
!
class-map inspection_default
 match default-inspection-traffic

----------------------

Thanks

vikram_anumukonda Tue, 07/28/2009 - 20:48

Is this route statement correct: "route inside 10.10.10.0 255.255.255.0 10.1.48.217 1"?

Shouldn't it be "route VPN 10.10.10.0 255.255.255.0 10.1.48.217 1" instead?



tariqmansoor Tue, 07/28/2009 - 21:11

Sorry about that. Yes, the route is

route VPN 10.10.10.0 255.255.255.0 10.1.48.217 1

I tried to change it to check if it works.

It is back on

route VPN 10.10.10.0 255.255.255.0 10.1.48.217 1

now.

Do you think it would be a NAT-related issue, as packets get NATed first?

Thanks,

Correct Answer
vikram_anumukonda Tue, 07/28/2009 - 21:50

Looks like a NAT issue, but you will get a clear picture by looking at the logs.

You should also try NAT exemption:

hostname(config)# access-list EXEMPT permit ip w.x.y.z <source-netmask> a.b.c.d <destination-netmask>

hostname(config)# nat (inside) 0 access-list EXEMPT
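The exemption applied to this thread's own addresses, as an added example (not the poster's config or the answer's): inside 10.30.0.0/24 to the VPN peer network 10.10.10.0/24, with the route fix from the earlier reply and the commands to confirm it. It assumes the pre-8.3 NAT syntax implied by the posted config (asdm-603); ASA 8.3+ uses a different NAT model and these commands do not apply there.

```cisco
! Added example, not from the thread. Pre-8.3 ASA NAT syntax assumed
! (the posted config references asdm-603); ASA 8.3+ uses a different NAT model.

! 1. Route fix: next hop 10.1.48.217 sits on the VPN interface, not inside.
no route inside 10.10.10.0 255.255.255.0 10.1.48.217 1
route VPN 10.10.10.0 255.255.255.0 10.1.48.217 1

! 2. NAT exemption. "nat (inside) 1 0.0.0.0 0.0.0.0" matches every inside host,
!    but there is no "global (VPN) 1", so flows leaving via VPN are dropped with
!    syslog 305005 "No translation group found". nat 0 is checked before nat 1,
!    so matching flows keep their real source address on the VPN link.
!    Source AND destination are specified: Internet-bound traffic still uses PAT.
!    (inside 100 -> VPN 0 is high-to-low; the same-security-traffic commands in
!    the posted config play no part in this flow.)
access-list EXEMPT extended permit ip 10.30.0.0 255.255.255.0 10.10.10.0 255.255.255.0
nat (inside) 0 access-list EXEMPT

! 3. Return path. VPN_access_in already permits "ip any -> 10.30.0.0/24";
!    restrict it to the peer network so the VPN link cannot be used to reach
!    inside from arbitrary sources. Add the narrow ACE first, then remove the
!    broad one (the "no" form must match the existing ACE exactly).
access-list VPN_access_in line 1 extended permit ip 10.10.10.0 255.255.255.0 10.30.0.0 255.255.255.0
no access-list VPN_access_in extended permit ip any 10.30.0.0 255.255.255.0 log disable

! 4. Verify. "logging asdm critical" (level 2) hides 305005 (level 3), so buffer
!    level 3 messages, then simulate a flow instead of waiting for live traffic.
!    The NAT phase should report "nat (inside) 0 access-list EXEMPT" and the
!    result ALLOW with output-interface VPN.
logging buffered errors
show logging | include 305005
packet-tracer input inside icmp 10.30.0.10 8 0 10.10.10.10
```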


