asymmetric NAT issues

Answered Question
Aug 6th, 2010

Hi

I'm having problems accessing other networks off the ASA interfaces. I can VPN in and access anything on the inside interface and beyond into the core. When I try and access a DMZ server off the ASA I get errors about asymmetric NAT. VPN client comes in as an address of 10.112.15.x.


Can anyone help?

I have attached some of the config.

show ip address:

GigabitEthernet0/0       outside               x.x.x.x   255.255.255.0   CONFIG
GigabitEthernet0/1       inside                 10.112.2.250    255.255.255.0   CONFIG
GigabitEthernet0/2.610   DMZ_External           10.112.7.254    255.255.255.0   CONFIG
GigabitEthernet0/2.620   DMZ_Internal           10.112.6.254    255.255.255.0   CONFIG
GigabitEthernet0/2.640   DMZ_Mgmt               10.112.10.254   255.255.255.0   CONFIG

Elements from config:

access-list nonat extended permit ip 10.112.0.0 255.240.0.0 10.112.7.0 255.255.255.0
access-list nonat extended permit ip 10.112.0.0 255.240.0.0 10.112.10.0 255.255.255.0
access-list nonat extended permit ip 10.112.0.0 255.240.0.0 10.112.6.0 255.255.255.0
access-list nonat extended permit ip 10.112.0.0 255.240.0.0 10.112.15.0 255.255.255.0

nat-control
global (outside) 1 interface

nat (inside) 0 access-list nonat
nat (inside) 1 10.112.0.0 255.240.0.0

route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
route inside 10.112.0.0 255.240.0.0 10.112.2.254 1

Any pointers on what I'm doing wrong?

Thanks.

Correct Answer by Nagaraja Thanthry, Fri, 08/06/2010 - 07:12

Hello,

The reason is because you do not have a nonat rule for the DMZ traffic.

access-list dmz_nonat extended permit ip 10.112.6.0 255.255.255.0 10.112.15.0 255.255.255.0

nat (DMZ_Internal) 0 access-list dmz_nonat

This should fix your issue.

Regards,

NT
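The following is an added example, not part of the original thread or of any Cisco tool. It is a small lint for the 8.2-style NAT exemption syntax posted above (`access-list ... extended permit ip ...` and `nat (<nameif>) 0 access-list <name>`): it parses the question's config, checks for each interface whether the exemption ACL bound to it covers traffic between a host on that interface and the VPN client, and reports the interfaces with no such exemption. It assumes that an exemption for VPN traffic must be bound to the interface where the local host sits (the DMZ server's interface, not `inside`), that the fix uses the `DMZ_Internal` nameif from the `show ip address` output, and it uses constructed sample host addresses.

```python
# Added example (not from the original post): lint ASA 8.2-style NAT exemption
# coverage for VPN-client-to-local-host traffic. Parses only the two statement
# forms that appear in the thread.
import ipaddress
import re

ACL_RE = re.compile(r"^access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)$")
NAT0_RE = re.compile(r"^nat \((\S+)\) 0 access-list (\S+)$")


def parse_config(text):
    """Return (acls, nat0): acl name -> [(src_net, dst_net)], nameif -> exemption acl name."""
    acls, nat0 = {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        m = ACL_RE.match(line)
        if m:
            name, src, smask, dst, dmask = m.groups()
            # ipaddress accepts dotted netmasks, e.g. "10.112.0.0/255.240.0.0"
            acls.setdefault(name, []).append((
                ipaddress.ip_network(f"{src}/{smask}"),
                ipaddress.ip_network(f"{dst}/{dmask}"),
            ))
            continue
        m = NAT0_RE.match(line)
        if m:
            nat0[m.group(1)] = m.group(2)
    return acls, nat0


def is_exempt(acls, nat0, nameif, local, remote):
    """True if the nat 0 ACL bound to nameif matches local (source) -> remote (destination)."""
    acl = nat0.get(nameif)
    if acl is None:
        return False  # no exemption ACL bound to this interface at all
    local, remote = ipaddress.ip_address(local), ipaddress.ip_address(remote)
    return any(local in s and remote in d for s, d in acls.get(acl, []))


def missing_exemptions(text, vpn_client, hosts):
    """hosts: {nameif: sample host on that interface}. Return nameifs lacking an exemption."""
    acls, nat0 = parse_config(text)
    return sorted(n for n, h in hosts.items() if not is_exempt(acls, nat0, n, h, vpn_client))


# Exemption-related lines copied from the question's config.
POSTED_CONFIG = """
access-list nonat extended permit ip 10.112.0.0 255.240.0.0 10.112.7.0 255.255.255.0
access-list nonat extended permit ip 10.112.0.0 255.240.0.0 10.112.10.0 255.255.255.0
access-list nonat extended permit ip 10.112.0.0 255.240.0.0 10.112.6.0 255.255.255.0
access-list nonat extended permit ip 10.112.0.0 255.240.0.0 10.112.15.0 255.255.255.0
nat (inside) 0 access-list nonat
"""

# Assumed fix: exemption bound to the DMZ_Internal nameif for DMZ -> VPN pool traffic.
FIX = """
access-list dmz_nonat extended permit ip 10.112.6.0 255.255.255.0 10.112.15.0 255.255.255.0
nat (DMZ_Internal) 0 access-list dmz_nonat
"""

# Constructed sample addresses: one host per interface and one client from the 10.112.15.x pool.
HOSTS = {"inside": "10.112.2.10", "DMZ_Internal": "10.112.6.10"}
VPN_CLIENT = "10.112.15.20"

if __name__ == "__main__":
    print("before fix:", missing_exemptions(POSTED_CONFIG, VPN_CLIENT, HOSTS))
    print("after fix: ", missing_exemptions(POSTED_CONFIG + FIX, VPN_CLIENT, HOSTS))
```

Run as-is, the lint reports `DMZ_Internal` as the only interface without an exemption before the fix and nothing after it, which is the gap the answer points at: the `nonat` ACL is bound to `inside` only, so a DMZ-side host has no exemption toward the VPN pool no matter how many `inside` entries mention 10.112.6.0/24.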
