Had to PAT (not NAT) inside connections to ACE on DMZ

mmertens
Level 1

I have an ACE on an ASA DMZ. From my client on the inside, and with NAT on the DMZ interface where the ACE is, I could not hit the ACE (a.k.a. wouldn't be served web pages). The ACE service-policy doesn't show any hits or client byte counts. However, if the inside connections are PATed (using the DMZ interface), load balancing works fine. The NAT pool being used for the DMZ is within the same address range as the interface itself. Subnet masks look good. CSS on the DMZ works fine without PAT. Any ideas why I have to do this for the ACE?

Note: I am also NATing client source addresses on the ACE.

It is very odd that the ACE wouldn't even show hits with NAT. I could PING the ACE from the ASA prior to PAT.

THANKS for any ideas!

5 Replies

It is a little unclear where you are doing the NAT/PAT, on the ASA or on the ACE. I suspect that the NAT/PAT is on the ASA though, and hence this would not be an ACE issue. If you want to post the relevant config (change the IPs if you have to) we can take a look at it.

I ended up PATing addresses on the ASA, rather than using NAT on the ASA. So for clients on the inside interface, I PAT them out the ASA DMZ using the ASA DMZ interface address. The ACE is directly hung off the ASA (via an L2 switch). Everything is a class C address on a 192.168.50.0 network.

So do you have sysopt proxy ARP turned off for the DMZ interface? Because that would cause that issue. Send a config.

I scrubbed the config pretty well. I didn't see any sysopt or proxy arp command. I appreciate you taking a look!

Mike.

The NAT statements are kind of confused. You have a nat 0 on the inside interface, but the ACL is not defined. Next considered are static NAT and PAT, and there are none between the inside and outside-ptz interfaces. Next considered is policy NAT; you have policy NAT on the inside interface with ACL ace number 77, which maps to your global for outside-ptz interface PAT. So what's your interface on outside-ptz? Looks like it is 192.168.50.251. However, the other globals for the outside-ptz interface, presumably what you were trying to NAT to, are 192.168.49.1 - 192.168.49.200. A NAT range, or PAT address, does not have to be physically present on the interface, but there would need to be a route on the ACE (or any other devices) for the 192.168.49.0/24 network pointing back to the ASA (192.168.50.251) in order for that to work.
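To make the point of the last reply concrete, here is an added, constructed configuration fragment (pre-8.3 ASA NAT syntax) that is not the poster's scrubbed config. The only values taken from the thread are the outside-ptz interface address 192.168.50.251 and the pool 192.168.49.1-192.168.49.200; the inside client subnet 192.168.10.0/24, the interface name, the ACL name and the policy NAT ID are assumptions. It shows the two ways the inside clients can appear to the ACE, and why the pool variant only works once the ACE has a route back:

```cisco
! --- ASA side (constructed example, pre-8.3 NAT syntax) ---
interface GigabitEthernet0/2
 nameif outside-ptz
 security-level 50
 ip address 192.168.50.251 255.255.255.0
!
! Policy NAT: inside clients (assumed 192.168.10.0/24) headed for the DMZ subnet
access-list NAT-TO-PTZ extended permit ip 192.168.10.0 255.255.255.0 192.168.50.0 255.255.255.0
nat (inside) 77 access-list NAT-TO-PTZ
!
! Variant 1 (what ended up working): PAT to the interface address.
! The ACE already knows 192.168.50.251 is on-link, so return traffic needs no extra route.
global (outside-ptz) 77 interface
!
! Variant 2 (what was tried first): dynamic NAT to a pool that is NOT on the DMZ subnet.
! The ASA will translate fine, but the ACE has no idea 192.168.49.0/24 lives behind the ASA,
! so its replies go to its default gateway and the ACE counters never increment.
! global (outside-ptz) 77 192.168.49.1-192.168.49.200

! --- ACE side (constructed example), required only for Variant 2 ---
! Send return traffic for the NAT pool back to the ASA DMZ interface.
ip route 192.168.49.0 255.255.255.0 192.168.50.251
```

With Variant 2 in place, `show xlate` on the ASA confirms the inside client is translated into the 192.168.49.x pool, and `show conn` shows the connection to the VIP; if the ACE's service-policy counters still stay at zero after that, the missing piece is the return route on the ACE (or on whatever device sits between the ACE and the ASA), not the translation itself.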