ASA - NAT rule problem

Unanswered Question
Apr 20th, 2012

Hi Guys

I have a DMZ and a Clientnetwork in place. I require that my proxy servers in the DMZ be able to authenticate with my LDAP server in the Clientnetwork.

I have created a NAT rule as follows

interface (clientNetwork) Ldap Server >> Interface (DMZ) Translated IP

I would expect that my proxy server would then be able to ping the translated IP, but this is not the case. Do I also need to create an access rule, or am I missing something?

Apologies if this question is a simple one, but I am new to Cisco ASAs and slowly getting by.

Your help would be much appreciated

Kind Regards


varrao Fri, 04/20/2012 - 08:07

Can you share the following outputs:

show run nat

show run static

show run global

show ip

This would help me.



Mohamed Hamid Fri, 04/20/2012 - 08:24

Hi Varun

Please find outputs below

nat (dmzdata) 0 access-list ALLRAS

nat (AHdata) 0 access-list ALLRAS

nat (AHdata) 1

nat (dmzAHmgmt) 0 access-list ALLRAS

nat (dmzAHmgmt) 1

nat (AHmgmt) 0 access-list ALLRAS

nat (AHmgmt) 1

asa-L# sh run static

static (dmzdata,AHmgmt) ProxyVIP netmask

static (AHdata,dmzdata) macserver netmask

global (dmzdata) 1 interface

global (AHdata) 1 interface

global (dmzmgmt) 1 interface

global (AHmgmt) 1 interface

System IP Addresses:

Interface                Name                   IP address      Subnet mask                                               Method

GigabitEthernet0/0       dmzdata                x                                               CONFIG

GigabitEthernet0/1       AHdata                 x                                               manual

GigabitEthernet0/2       dmzmgmt                x                                               CONFIG

GigabitEthernet0/3       folink                 x                                             unset

Management0/0            AHmgmt                 x                                               CONFIG

Mohamed Hamid Fri, 04/20/2012 - 08:41

Hi there

Just to add, it appears a ping request from the proxy server is being denied by the ACL on the ASA.

I can see this from the syslog, and this suggests I need to enable or add something in the ACL as well as the NAT rule?
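
The access rule the last post asks about, sketched as an added example that is not part of the original thread: on an ASA a static NAT entry only translates the address, and traffic arriving on a lower-security interface still needs an explicit permit to the mapped address. Assumptions: the pre-8.3 NAT syntax shown in the outputs above, dmzdata having a lower security level than AHdata, and placeholders for every `<...>` value and for the ACL name DMZDATA_IN.

```cisco
! Added example. <...> values and the ACL name DMZDATA_IN are placeholders.
! Assumes pre-8.3 syntax and that dmzdata is the lower-security interface.
!
! Static NAT: publish the LDAP server on the DMZ side.
! Order is mapped (translated) address first, real address second.
static (AHdata,dmzdata) <ldap-mapped-ip> <ldap-real-ip> netmask 255.255.255.255
!
! Permit only the proxy, only to the mapped address (pre-8.3 ACLs match the
! translated IP): LDAP for authentication, ICMP echo for the ping test.
access-list DMZDATA_IN extended permit tcp host <proxy-ip> host <ldap-mapped-ip> eq ldap
access-list DMZDATA_IN extended permit icmp host <proxy-ip> host <ldap-mapped-ip> echo
!
! Bind the ACL inbound on the DMZ interface. An interface takes one ACL per
! direction: if dmzdata already has one, add the two entries to that ACL
! instead. Everything not permitted hits the implicit deny at the end.
access-group DMZDATA_IN in interface dmzdata
!
! Without ICMP inspection the echo-reply is not tracked statefully and is
! checked against any ACL bound to AHdata on its way back.
!
! Verify: simulate the proxy's LDAP connection and read which phase
! (ACCESS-LIST, NAT) allows or drops it, then check the ACL hit counters.
packet-tracer input dmzdata tcp <proxy-ip> 1025 <ldap-mapped-ip> 389
show access-list DMZDATA_IN
```

Keeping the permit to a single source host and to the LDAP port, rather than opening the whole DMZ subnet to the client network, preserves the point of having the proxies in a DMZ.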

