I'm having problems accessing other networks off the ASA interfaces. I can VPN in and access anything on the inside interface and beyond into the core. When I try and access a DMZ server off the ASA I get errors about asymmetric NAT. VPN client comes in as an address of 10.112.15.x.
Can anyone help?
I have attached some of the config.
show ip address:
GigabitEthernet0/0 outside x.x.x.x 255.255.255.0 CONFIG
GigabitEthernet0/1 inside 10.112.2.250 255.255.255.0 CONFIG
GigabitEthernet0/2.610 DMZ_External 10.112.7.254 255.255.255.0 CONFIG
GigabitEthernet0/2.620 DMZ_Internal 10.112.6.254 255.255.255.0 CONFIG
GigabitEthernet0/2.640 DMZ_Mgmt 10.112.10.254 255.255.255.0 CONFIG
Elements from config:
access-list nonat extended permit ip 10.112.0.0 255.240.0.0 10.112.7.0 255.255.255.0
access-list nonat extended permit ip 10.112.0.0 255.240.0.0 10.112.10.0 255.255.255.0
access-list nonat extended permit ip 10.112.0.0 255.240.0.0 10.112.6.0 255.255.255.0
access-list nonat extended permit ip 10.112.0.0 255.240.0.0 10.112.15.0 255.255.255.0
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 10.112.0.0 255.240.0.0
route outside 0.0.0.0 0.0.0.0 x.x.x.x. 1
route inside 10.112.0.0 255.240.0.0 10.112.2.254 1
Any pointers on what I'm doing wrong?
The reason is because you do not have a nonat rule for the DMZ traffic.
access-list dmz_nonat extended permit ip 10.112.6.0 255.255.255.0 10.112.15.0 255.255.255.0
nat (DMZ_Internal) 0 access-list dmz_nonat
This should fix your issue.
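Added example, not part of the thread: a simplified model of the "nat (iface) 0 access-list" exemption lookup that checks whether the interface in front of a server has a nonat entry covering server to VPN-client traffic. It assumes the DMZ server sits on DMZ_Internal and that the fix is written as a full extended ACL bound there; real ASA NAT ordering is more involved than this check.

```python
import ipaddress
import re

def _net(addr, mask):
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def parse_config(lines):
    """Collect 'access-list NAME extended permit ip SRC MASK DST MASK' entries
    and per-interface 'nat (IF) 0 access-list NAME' bindings."""
    acls, nat0 = {}, {}
    for line in lines:
        f = line.split()
        if f[:1] == ["access-list"] and f[2:5] == ["extended", "permit", "ip"]:
            acls.setdefault(f[1], []).append((_net(f[5], f[6]), _net(f[7], f[8])))
        m = re.match(r"nat \((\S+)\) 0 access-list (\S+)", line)
        if m:
            nat0[m.group(1)] = m.group(2)
    return acls, nat0

def exempting_acl(lines, server_if, server_ip, client_ip):
    """Name of the nat 0 ACL bound to server_if whose entry covers
    server_ip -> client_ip, or None when no exemption exists (simplified model)."""
    acls, nat0 = parse_config(lines)
    name = nat0.get(server_if)
    s, c = ipaddress.ip_address(server_ip), ipaddress.ip_address(client_ip)
    for src_net, dst_net in acls.get(name, []):
        if s in src_net and c in dst_net:
            return name
    return None

# Config lines as posted in the question (only the ones relevant to the VPN pool).
POSTED = [
    "access-list nonat extended permit ip 10.112.0.0 255.240.0.0 10.112.15.0 255.255.255.0",
    "nat (inside) 0 access-list nonat",
    "nat (inside) 1 10.112.0.0 255.240.0.0",
]
# The answer's nonat rule, assumed bound to DMZ_Internal (the 10.112.6.0/24 interface).
FIXED = POSTED + [
    "access-list dmz_nonat extended permit ip 10.112.6.0 255.255.255.0 10.112.15.0 255.255.255.0",
    "nat (DMZ_Internal) 0 access-list dmz_nonat",
]

if __name__ == "__main__":
    for label, cfg in (("posted", POSTED), ("fixed", FIXED)):
        print(label, "inside:", exempting_acl(cfg, "inside", "10.112.2.10", "10.112.15.5"),
              "DMZ_Internal:", exempting_acl(cfg, "DMZ_Internal", "10.112.6.10", "10.112.15.5"))
```

With the posted config the inside server is exempted by "nonat" while the DMZ server finds no rule; after the fix the DMZ server is exempted by "dmz_nonat".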