Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
541
Views
0
Helpful
6
Replies

I have a very strange NAT situation

tbasile
Level 1
Level 1

‎03-19-2010 08:11 AM - edited ‎03-11-2019 10:23 AM

I have two desktops in one  department on one side of an ASA 5505 natted thru to addresses on the other side of the firewall

The ACLs allows ICMP in both directions.  I can remote desktop to one desktop and not the other.  I can ping the same desktop

and not the other.  Has anyone seen this?  Is there a limit to the number of NAT Statements allowed?

Labels:
0 Helpful
6 Replies 6

Federico Coto Fajardo
VIP Alumni
VIP Alumni

‎03-19-2010 08:25 AM

Hi,

There's a limit for the amount of translations but we are talking hundreds.

If you can access one machine but not the other is either two things:

1. Problem with the computer itself (not having default gateway for example or not allowing RD)

2. Misconfiguration on the ASA.

Can you RD to the machine from the same segment where it resides?

Federico.

0 Helpful

tbasile
Level 1
Level 1
In response to Federico Coto Fajardo

‎03-19-2010 09:05 AM

I can remote desktop into both computers when I am on a computer on their side of the firewall.

Computer 1 with an ip of 192.168.1.237 can be pinged, but Computer 2 with an ip of 192.168.1.238 can not.

They are both statically natted through the ASA 5505 to addresses 10.54.209.237 and 10.54.209.238 respectively. I have modified the ACL's to permit IP, TCP, UDP, GRE and ICMP to both those addresses.

Computer 1 is reachable, computer 2 is not.

0 Helpful

Jennifer Halim
Cisco Employee
Cisco Employee
In response to tbasile

‎03-19-2010 04:16 PM

1) Can you share the configuration of the ASA?

2) How are these desktops connected? through a switch with VLAN? OR/ switchport on the ASA?

3) Default gateway sets on the desktop which doesn't work, is it the same as the other desktop?

0 Helpful

vilaxmi
Cisco Employee
Cisco Employee
In response to Jennifer Halim

‎03-19-2010 07:27 PM

Hello,

Make sure you have the 2nd PC responding correctly. The best way to check if the ASA is actually getting  packets on its outside interface for the perticular connection or not is via packet captures.

Also, if you have ASA with 7.2 or higher code, you can use packet-tracer to verify the connectivity. Make sure, the hops (router etc) have allowed the connection to IP address of second PC.

Thanks,

Vijaya

0 Helpful

tbasile
Level 1
Level 1
In response to vilaxmi

‎03-22-2010 04:46 AM

Thank you for your response. It turned out the default gateway was wrong on the PC that did not respond.

0 Helpful

tbasile
Level 1
Level 1
In response to Jennifer Halim

‎03-22-2010 04:45 AM

Thank you for your response. It turns out the default gateway was wrong on the PC that did not work.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card