08-22-2008 12:09 PM
I have an ACE on an ASA DMZ. From my client on the inside, and with NATing on the DMZ interface where the ACE is, I could not hit the ACE (a.k.a. wouldn't be served web pages). The ACE service-policy doesn't show any hits or client byte counts. However, if the inside connections are PATed (using the DMZ interface), load balancing works fine. The NAT pool being used for the DMZ is within the same address range as the interface itself. Subnet masks look good. The CSS on the DMZ works fine without PAT. Any ideas why I have to do this for the ACE?
Note: I am also NATing on the ACE for client source addresses.
It is very odd that the ACE wouldn't even show hits with NAT. I could ping the ACE from the ASA prior to PAT.
THANKS for any ideas!
08-22-2008 12:34 PM
It is a little unclear where you are doing the NAT/PAT, on the ASA or on the ACE. I suspect that the NAT/PAT is on the ASA though, and hence this would not be an ACE issue. If you want to post the relevant config (change the IPs if you have to) we can take a look at it.
08-22-2008 01:08 PM
I ended up PATing addresses on the ASA, rather than using NAT on the ASA. So for clients on the inside interface, I PAT them out the ASA DMZ using the ASA DMZ interface address. The ACE is directly hung off the ASA (via an L2 switch). Everything is a class C address on a 192.168.50.0 network.
08-22-2008 01:16 PM
So do you have sysopt proxy arp turned off for the DMZ interface, because that would cause that issue. Send a config.
08-22-2008 01:50 PM
08-22-2008 07:16 PM
The NAT statements are kind of confused. You have a nat 0 on the inside interface, but the ACL is not defined. Next considered are static NAT and PAT, and there are none between the inside and outside-ptz interfaces. Next considered is policy NAT; you have policy NAT on the inside interface with ACL ace number 77, which maps to your global for the outside-ptz interface PAT. So what's your interface on outside-ptz? Looks like it is 192.168.50.251. However, the other globals for the outside-ptz interface, presumably what you were trying to NAT to, are 192.168.49.1 - 192.168.49.200. A NAT range, or PAT address, does not have to be physically present on the interface, but there would need to be a route on the ACE (or any other devices) for the 192.168.49.0/24 network pointing back to the ASA (192.168.50.251) in order for that to work.
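To make the last reply concrete, here is an added example (not config from the original poster or from the replies) of how the ASA 8.0-era NAT statements and the ACE route described above fit together. The interface names (inside, outside-ptz), the ACL number 77, the ASA address 192.168.50.251 and the 192.168.49.1-192.168.49.200 global range come from the thread; the ACE VLAN number, the ACE interface address, the inside client subnet and the nat-pool range are assumptions made up for the illustration.

```cisco
! ---- ASA (assumed 8.0-style NAT syntax) ----
! nat 0 must reference an ACL that actually exists; an undefined ACL
! exempts nothing and just confuses the order of evaluation.
access-list NONAT extended permit ip 192.168.10.0 255.255.255.0 192.168.10.0 255.255.255.0
nat (inside) 0 access-list NONAT
!
! Policy NAT: inside clients (assumed 192.168.10.0/24) going to the DMZ
access-list 77 extended permit ip 192.168.10.0 255.255.255.0 192.168.50.0 255.255.255.0
nat (inside) 1 access-list 77
!
! Option A (what worked in the thread): PAT to the outside-ptz interface
! address, 192.168.50.251, which the ACE already knows how to reach.
global (outside-ptz) 1 interface
!
! Option B: a dynamic pool that is NOT on the interface's own subnet.
! Nothing on the DMZ owns 192.168.49.x, so the ACE must have a route
! for it back to the ASA or its replies never return.
! global (outside-ptz) 1 192.168.49.1-192.168.49.200 netmask 255.255.255.0
!
! Proxy ARP must stay enabled on outside-ptz if the pool is on-subnet,
! otherwise the ACE cannot resolve the translated addresses.
! (verify with: show running-config sysopt   -- no "sysopt noproxyarp outside-ptz")

! ---- ACE (assumed VLAN 50 context) ----
interface vlan 50
  ip address 192.168.50.10 255.255.255.0
  no shutdown
!
! Required for Option B: return traffic for the 192.168.49.0/24 pool
! goes back to the ASA DMZ interface.
ip route 192.168.49.0 255.255.255.0 192.168.50.251
```

To confirm which path a connection takes, `show xlate` on the ASA shows whether the inside client was translated to the interface address or to the 192.168.49.x pool, and `show service-policy` on the ACE should start counting hits once the ACE can route back to the translated source.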