1294 Views | 0 Helpful | 3 Replies

ASA - NAT rule problem

Mohamed Hamid
Level 1

Hi Guys

I have a DMZ and a client network in place. I require that my proxy servers in the DMZ be able to authenticate with my LDAP server in the client network.

I have created a NAT rule as follows

interface (clientNetwork) Ldap Server >> Interface (DMZ) Translated IP

I would expect that my proxy server would then be able to ping the translated IP, but this is not the case. Do I also need to create an access rule, or am I missing something?

Apologies if this question is a simple one, but I am new to Cisco ASAs and slowly getting by.

Your help would be much appreciated

Kind Regards

Ridha

3 Replies

varrao
Level 10

Can you share the following outputs:

show run nat

show run static

show run global

show ip

This would help me.

Thanks,

Varun


Hi Varun

Please find outputs below

nat (dmzdata) 0 access-list ALLRAS
nat (AHdata) 0 access-list ALLRAS
nat (AHdata) 1 10.0.1.0 255.255.255.0
nat (dmzAHmgmt) 0 access-list ALLRAS
nat (dmzAHmgmt) 1 10.1.2.0 255.255.255.0
nat (AHmgmt) 0 access-list ALLRAS
nat (AHmgmt) 1 10.1.1.0 255.255.255.0

asa-L# sh run static
static (dmzdata,AHmgmt) 10.1.1.37 ProxyVIP netmask 255.255.255.255
static (AHdata,dmzdata) 192.168.9.9 macserver netmask 255.255.255.255

global (dmzdata) 1 interface
global (AHdata) 1 interface
global (dmzmgmt) 1 interface
global (AHmgmt) 1 interface

System IP Addresses:
Interface                Name        IP address   Subnet mask      Method
GigabitEthernet0/0       dmzdata     x            255.255.255.0    CONFIG
GigabitEthernet0/1       AHdata      x            255.255.255.0    manual
GigabitEthernet0/2       dmzmgmt     x            255.255.255.0    CONFIG
GigabitEthernet0/3       folink      x            255.255.255.0    unset
Management0/0            AHmgmt      x            255.255.255.0    CONFIG

Hi there

Just to add: it appears a ping request from the proxy server is being denied by the ACL on the ASA.

I can see this from the syslog, which suggests I need to enable or add something in the ACL as well as the NAT rule?
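As an added example (not the posters' own code and not a Cisco tool), the Python script below parses the pre-8.3 "static" lines posted above together with a constructed %ASA-4-106023 deny message of the kind the syslog shows, and reports which translation applies to the denied packet and which inbound access-group dropped it. It works from the thread's two static entries; the syslog source and destination addresses and the access-list name dmzdata_access_in are assumptions, not taken from the poster's configuration.

```python
"""Explain an ASA 'deny by access-group' syslog against pre-8.3 static NAT.

Example code added to this thread; it is not from the posters or from Cisco.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# The static/nat/global lines as posted in the thread (ProxyVIP and macserver
# are object names defined elsewhere in the poster's config).
RUNNING_CONFIG = """\
nat (dmzdata) 0 access-list ALLRAS
nat (AHdata) 0 access-list ALLRAS
nat (AHdata) 1 10.0.1.0 255.255.255.0
static (dmzdata,AHmgmt) 10.1.1.37 ProxyVIP netmask 255.255.255.255
static (AHdata,dmzdata) 192.168.9.9 macserver netmask 255.255.255.255
global (dmzdata) 1 interface
global (AHdata) 1 interface
"""

# Constructed sample in the %ASA-4-106023 format. The addresses and the
# access-list name are assumptions chosen to match the posted static entries.
SYSLOG_LINE = ('%ASA-4-106023: Deny icmp src dmzdata:192.168.9.20 dst AHdata:192.168.9.9 '
               '(type 8, code 0) by access-group "dmzdata_access_in" [0x0, 0x0]')


@dataclass(frozen=True)
class Static:
    real_ifc: str     # interface where the real host lives
    mapped_ifc: str   # interface on which the translated address is visible
    mapped_ip: str    # translated (mapped) address
    real_host: str    # real address or object name, exactly as written
    netmask: str


# static (real_ifc,mapped_ifc) mapped_ip real_ip netmask mask
STATIC_RE = re.compile(r"^static \((?P<real>[\w-]+),(?P<mapped>[\w-]+)\) "
                       r"(?P<mapped_ip>\S+) (?P<real_host>\S+) netmask (?P<mask>\S+)")
DENY_RE = re.compile(r'%ASA-\d-106023: Deny (?P<proto>\w+) '
                     r'src (?P<src_ifc>[\w-]+):(?P<src>[\d.]+)(?:/\d+)? '
                     r'dst (?P<dst_ifc>[\w-]+):(?P<dst>[\d.]+)(?:/\d+)?'
                     r'.*?by access-group "?(?P<acl>[^"\s]+)"?')


def parse_statics(text: str) -> List[Static]:
    """Collect every 'static' line from a running-config excerpt."""
    out = []
    for line in text.splitlines():
        m = STATIC_RE.match(line.strip())
        if m:
            out.append(Static(m["real"], m["mapped"], m["mapped_ip"],
                              m["real_host"], m["mask"]))
    return out


def find_static(statics: List[Static], ingress_ifc: str, dst_ip: str) -> Optional[Static]:
    """A static applies to a packet that enters on the static's mapped interface
    and is addressed to its mapped IP (after that the ASA untranslates it)."""
    for s in statics:
        if s.mapped_ifc != ingress_ifc:
            continue
        try:
            net = ipaddress.ip_network(f"{s.mapped_ip}/{s.netmask}", strict=False)
        except ValueError:
            continue  # mapped side written as an object name; cannot compare numerically
        if ipaddress.ip_address(dst_ip) in net:
            return s
    return None


def parse_deny(line: str) -> Optional[dict]:
    """Extract protocol, interfaces, addresses and ACL name from a 106023 message."""
    m = DENY_RE.search(line)
    return m.groupdict() if m else None


def diagnose(config_text: str, syslog_line: str) -> dict:
    """Tie a deny message back to the translation it was aimed at."""
    deny = parse_deny(syslog_line)
    if deny is None:
        return {"static": None, "acl": None, "finding": "not a 106023 deny message"}
    s = find_static(parse_statics(config_text), deny["src_ifc"], deny["dst"])
    if s is None:
        finding = (f"no static maps {deny['dst']} on {deny['src_ifc']}; "
                   f"access-group {deny['acl']} denied the packet before any translation")
    else:
        finding = (f"{deny['dst']} on {deny['src_ifc']} is the static for {s.real_host} "
                   f"on {s.real_ifc}; the translation exists, but access-group {deny['acl']} "
                   f"on {deny['src_ifc']} has no permit for {deny['proto']} from "
                   f"{deny['src']} to {deny['dst']}")
    return {"static": s, "acl": deny["acl"], "finding": finding}


if __name__ == "__main__":
    print(diagnose(RUNNING_CONFIG, SYSLOG_LINE)["finding"])
```

The script only answers the question the thread raises: a static creates the translation, and the inbound access-group on the DMZ interface is a separate check that must permit the traffic to the mapped address before the ASA forwards it toward the higher-security side. Run it against real "show run static" output and a line from "show logging" to see which static, if any, the denied packet was addressed to.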
