asymmetric NAT issues

Answered Question
Aug 6th, 2010
Hi

I'm having problems accessing other networks off the ASA interfaces. I can VPN in and access anything on the inside interface and beyond into the core. When I try and access a DMZ server off the ASA I get errors about asymmetric NAT. The VPN client comes in with an address of 10.112.15.x.

Can anyone help?

I have attached some of the config.

show ip address:

GigabitEthernet0/0       outside          x.x.x.x         255.255.255.0   CONFIG
GigabitEthernet0/1       inside           10.112.2.250    255.255.255.0   CONFIG
GigabitEthernet0/2.610   DMZ_External     10.112.7.254    255.255.255.0   CONFIG
GigabitEthernet0/2.620   DMZ_Internal     10.112.6.254    255.255.255.0   CONFIG
GigabitEthernet0/2.640   DMZ_Mgmt         10.112.10.254   255.255.255.0   CONFIG

Elements from config:

access-list nonat extended permit ip 10.112.0.0 255.240.0.0 10.112.7.0 255.255.255.0
access-list nonat extended permit ip 10.112.0.0 255.240.0.0 10.112.10.0 255.255.255.0
access-list nonat extended permit ip 10.112.0.0 255.240.0.0 10.112.6.0 255.255.255.0
access-list nonat extended permit ip 10.112.0.0 255.240.0.0 10.112.15.0 255.255.255.0

nat-control
global (outside) 1 interface

nat (inside) 0 access-list nonat
nat (inside) 1 10.112.0.0 255.240.0.0

route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
route inside 10.112.0.0 255.240.0.0 10.112.2.254 1

Any pointers on what I'm doing wrong?

Thanks.

Correct Answer by Nagaraja Thanthry (Cisco Employee), Fri, 08/06/2010 - 07:12

Hello,

The reason is that you do not have a nonat rule for the DMZ traffic.

access-list dmz_nonat extended permit ip 10.112.6.0 255.255.255.0 10.112.0.0 255.240.0.0
nat (DMZ_Internal) 0 access-list dmz_nonat

This should fix your issue.

Regards,

NT
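An added example, not part of the thread and not Cisco's code: a small Python checker that parses the ASA 8.2-style `access-list` and `nat (iface) 0 access-list` lines from the question, then reports, for each protected interface, whether a NAT exemption covers a host on that interface talking to the VPN pool. It models only the nat 0 lookup on each endpoint's own interface (dynamic `nat`/`global` rules and routing are ignored). The DMZ fix is written out as a complete ACE: the destination 10.112.0.0/12 and the nameif DMZ_Internal are assumptions taken from the question's config, not from the answer as posted, and the host addresses and the VPN client 10.112.15.20 are constructed.

```python
"""Checker for ASA 8.2-style NAT exemption (nat 0) coverage. Added example."""
import re
from ipaddress import ip_address, ip_network

# Constructed from the question's config (the x.x.x.x lines are omitted).
BASE_CONFIG = """\
access-list nonat extended permit ip 10.112.0.0 255.240.0.0 10.112.7.0 255.255.255.0
access-list nonat extended permit ip 10.112.0.0 255.240.0.0 10.112.10.0 255.255.255.0
access-list nonat extended permit ip 10.112.0.0 255.240.0.0 10.112.6.0 255.255.255.0
access-list nonat extended permit ip 10.112.0.0 255.240.0.0 10.112.15.0 255.255.255.0
nat-control
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 10.112.0.0 255.240.0.0
"""

# The accepted answer's DMZ exemption as a complete ACE. The destination
# 10.112.0.0/12 and the nameif DMZ_Internal are assumptions drawn from the
# question's own config, not from the answer as posted.
DMZ_FIX = """\
access-list dmz_nonat extended permit ip 10.112.6.0 255.255.255.0 10.112.0.0 255.240.0.0
nat (DMZ_Internal) 0 access-list dmz_nonat
"""

ACE_RE = re.compile(r"^access-list (\S+) (?:extended )?permit ip (\S+) (\S+) (\S+) (\S+)$")
NAT0_RE = re.compile(r"^nat \((\S+)\) 0 access-list (\S+)$")


def parse_config(text):
    """Return (acls, nat0): acls maps ACL name -> [(src_net, dst_net)];
    nat0 maps interface nameif -> ACL name bound with 'nat (iface) 0'."""
    acls, nat0 = {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        m = ACE_RE.match(line)
        if m:
            name, src, smask, dst, dmask = m.groups()
            acls.setdefault(name, []).append((
                ip_network(f"{src}/{smask}", strict=False),
                ip_network(f"{dst}/{dmask}", strict=False),
            ))
            continue
        m = NAT0_RE.match(line)
        if m:
            iface, name = m.groups()
            nat0[iface] = name
    return acls, nat0


def exemption(cfg, iface, src, dst):
    """Index of the first nat 0 ACE on `iface` exempting src -> dst, else None."""
    acls, nat0 = cfg
    name = nat0.get(iface)
    if name is None:
        return None  # the interface has no 'nat (iface) 0' binding at all
    src, dst = ip_address(src), ip_address(dst)
    for i, (snet, dnet) in enumerate(acls.get(name, [])):
        if src in snet and dst in dnet:
            return i
    return None


def pair_symmetric(cfg, a_iface, a_ip, b_iface, b_ip):
    """True only when each side's own interface exempts its host toward the
    other; an exemption on one side only is the asymmetric case in the question."""
    return (exemption(cfg, a_iface, a_ip, b_ip) is not None
            and exemption(cfg, b_iface, b_ip, a_ip) is not None)


def unexempted_targets(cfg, peer_ip, targets):
    """Of the (iface, host) targets a remote peer such as a VPN client should
    reach, return those whose interface carries no exemption for host -> peer."""
    return [(iface, host) for iface, host in targets
            if exemption(cfg, iface, host, peer_ip) is None]


# Constructed hosts, one per protected interface from the question, plus a VPN client.
TARGETS = [("inside", "10.112.2.10"),
           ("DMZ_Internal", "10.112.6.10"),
           ("DMZ_External", "10.112.7.10")]
VPN_CLIENT = "10.112.15.20"

if __name__ == "__main__":
    before = parse_config(BASE_CONFIG)
    after = parse_config(BASE_CONFIG + DMZ_FIX)
    print("no exemption before fix:", unexempted_targets(before, VPN_CLIENT, TARGETS))
    print("no exemption after fix: ", unexempted_targets(after, VPN_CLIENT, TARGETS))
    print("inside<->DMZ_Internal symmetric before/after:",
          pair_symmetric(before, "inside", "10.112.2.10", "DMZ_Internal", "10.112.6.10"),
          pair_symmetric(after, "inside", "10.112.2.10", "DMZ_Internal", "10.112.6.10"))
```

Running it shows the point of the answer: before the fix only the inside interface exempts its hosts toward the VPN pool, so the DMZ hosts come back as uncovered; after the fix DMZ_Internal is covered, while DMZ_External (and DMZ_Mgmt) still need their own `nat (iface) 0` bindings, since an exemption applies only on the interface it is configured on.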
