NAT problem, AnyConnect clients can't reach DMZ?

Answered Question
Feb 9th, 2012
Hi,

ASA 8.3

AnyConnect users can reach INSIDE, but not DMZ. DMZ host 10.120.1.2 is what I am trying to reach.

Packet-tracer shows it should be possible. Attaching my ASA config.

What am I missing?

Packet-tracer:

asa-kalasa# packet-tracer input vpn tcp 172.16.32.4 50545 10.120.1.2 22

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   10.120.1.0      255.255.255.0   dmz

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group dmz_access_in in interface dmz
access-list dmz_access_in extended permit ip any any log disable
Additional Information:

Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group dmz_access_out out interface vpn
access-list dmz_access_out extended permit ip any any log disable
Additional Information:

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 32484740, packet dispatched to next module

Result:
input-interface: dmz
input-status: up
input-line-status: up
output-interface: dmz
output-status: up
output-line-status: up
Action: allow

3moloz123 Thu, 02/16/2012 - 23:58

Bumping this thread. Surely, someone must be able to help me debug this further?

3moloz123 Fri, 02/17/2012 - 00:17

I have isolated the problem to these two rules:

6 (inside) to (outside) source static any any destination static ipsecvpnpool ipsecvpnpool
    translate_hits = 4997, untranslate_hits = 34889
5 (dmz) to (outside) source static any any destination static ipsecvpnpool ipsecvpnpool
    translate_hits = 0, untranslate_hits = 0

Here, AnyConnect can reach inside, but not DMZ. If I however change the order of the NAT rules, then AnyConnect can reach DMZ but not inside.

5 (dmz) to (outside) source static any any destination static ipsecvpnpool ipsecvpnpool
    translate_hits = 0, untranslate_hits = 0
6 (inside) to (outside) source static any any destination static ipsecvpnpool ipsecvpnpool
    translate_hits = 4997, untranslate_hits = 34889

Correct Answer
Julio Carvajal Fri, 02/17/2012 - 20:05

Hello,

On the NAT statements, instead of using the any any, use the object groups for each network, like:

nat (inside,outside) source static OFFICE-NET OFFICE-NET destination static NETWORK_OBJ_172.16.32.0_24 NETWORK_OBJ_172.16.32.0_24

Same for the DMZ.

Regards,

Julio
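As an added illustration (not code from this thread or from Cisco), the Python below models why the rule order isolated earlier in the thread decides which network the VPN pool can reach, and why scoping the source to per-network objects fixes it. It assumes a simplified ASA 8.3 manual-NAT lookup (first matching rule wins and that rule's real interface is used as the egress interface instead of the routing table), uses the mapped interface name outside as in the show nat output, and invents 10.110.1.0/24 as the value of OFFICE-NET.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class NatRule:
    # nat (real_if,mapped_if) source static SRC SRC destination static DST DST
    real_if: str
    mapped_if: str
    src: str  # real-side network object ("any" or CIDR)
    dst: str  # mapped-side network object ("any" or CIDR)

def in_net(net: str, ip: str) -> bool:
    return net == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(net)

# Constructed sample topology: 10.120.1.0/24 (dmz) and 172.16.32.0/24 (VPN pool)
# come from the thread; OFFICE-NET = 10.110.1.0/24 is an invented value.
ROUTES = {"10.110.1.0/24": "inside", "10.120.1.0/24": "dmz"}
VPN_POOL = "172.16.32.0/24"
OFFICE_NET = "10.110.1.0/24"
DMZ_NET = "10.120.1.0/24"

def route_egress(dst_ip: str) -> str:
    for net, iface in ROUTES.items():
        if in_net(net, dst_ip):
            return iface
    return "outside"

def nat_egress(rules, ingress_if, src_ip, dst_ip):
    """Model assumption: for a packet arriving on the mapped (VPN) side, the first
    rule whose mapped object holds the source and whose real object holds the
    destination wins, and its real interface becomes the egress interface."""
    for r in rules:
        if r.mapped_if == ingress_if and in_net(r.dst, src_ip) and in_net(r.src, dst_ip):
            return r.real_if
    return None  # no NAT match: plain route lookup (not modelled here)

def unreachable_hosts(rules, hosts, client_ip="172.16.32.4", ingress_if="outside"):
    """Hosts whose NAT-chosen egress disagrees with the route: the thread's symptom."""
    return [h for h in hosts
            if nat_egress(rules, ingress_if, client_ip, h) not in (None, route_egress(h))]

ANY_ANY_INSIDE_FIRST = [NatRule("inside", "outside", "any", VPN_POOL),
                        NatRule("dmz", "outside", "any", VPN_POOL)]
ANY_ANY_DMZ_FIRST = list(reversed(ANY_ANY_INSIDE_FIRST))
SCOPED = [NatRule("inside", "outside", OFFICE_NET, VPN_POOL),
          NatRule("dmz", "outside", DMZ_NET, VPN_POOL)]
HOSTS = ["10.110.1.10", "10.120.1.2"]

if __name__ == "__main__":
    for name, rules in [("any/any, inside first", ANY_ANY_INSIDE_FIRST),
                        ("any/any, dmz first", ANY_ANY_DMZ_FIRST), ("scoped objects", SCOPED)]:
        print(f"{name}: unreachable from VPN = {unreachable_hosts(rules, HOSTS)}")
```

With the any/any rules exactly one of the two networks is unreachable depending on order, matching the swap observed in the thread, while the scoped rules leave both reachable.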

3moloz123 Tue, 02/21/2012 - 00:00

Hi jcarvaja!

That did indeed work. I'm not sure why any any wouldn't be as good a match, as it clearly must differ on what interface the packet comes in on. Anyway, thank you for the answer.

Julio Carvajal Tue, 02/21/2012 - 09:24

Hello 3moloz,

Glad to hear I could help! Yeap, usually the any any on a NAT statement causes a lot of issues due to ARP problems.

Regards,

Julio
