Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1308
Views
0
Helpful
6
Replies

ASA nat between interfaces

Go to solution
tholmes
Level 1
Level 1

‎09-09-2009 09:39 AM - edited ‎03-11-2019 09:13 AM

Hello,

Can someone please help me solve this weird problem?

when I ping from a device on DMZ2 192.168.100.1 to a device on DMZ1 192.168.12.112

the ASA thinks the reply is coming from the inside network and so doesn't translate the response!

I've had to sub-interface g0/2 as I'd run out of interfaces.

interface GigabitEthernet0/2

no nameif

security-level 50

no ip address

!

interface GigabitEthernet0/2.1

vlan 3

nameif dmz1

security-level 50

ip address 192.168.12.1 255.255.255.0

!

interface GigabitEthernet0/2.2

vlan 2

nameif dmz2

security-level 40

ip address 192.168.100.254 255.255.255.0

!

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

access-list dmz1 extended permit icmp any any

access-list dmz2 extended permit ip any any

access-list dmz1_dmz2 extended permit ip 192.168.12.0 255.255.255.0 192.168.100.0 255.255.252.0

access-list dmz2_dmz1 extended permit ip 192.168.100.0 255.255.252.0 192.168.12.0 255.255.255.0

nat (dmz1) 0 access-list dmz1_dmz2

nat (dmz2) 0 access-list dmz2_dmz1

access-group dmz1 in interface dmz1

access-group dmz2 in interface dmz2

static (dmz,outside) XX.YYY.XXX.112 192.168.12.112 netmask 255.255.255.255

Stange though, if I ping the Public IP address is works, but I need to use the real IP address

Syslog = 305006 192.168.100.1 regular translation creation failed for icmp src inside:192.168.12.112 dst dmz2:192.168.100.1 (type 0, code 0)

This is a cutdown version, everything else works fine, devices on the Inside and both DMZs can get to the Internet ok

Any help or advice would be much appreciated

Regards Tony

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
acomiskey
Level 10
Level 10

‎09-09-2009 10:47 AM

no access-list dmz1_dmz2 extended permit ip 192.168.12.0 255.255.255.0 192.168.100.0 255.255.252.0

no access-list dmz2_dmz1 extended permit ip 192.168.100.0 255.255.252.0 192.168.12.0 255.255.255.0

no nat (dmz1) 0 access-list dmz1_dmz2

no nat (dmz2) 0 access-list dmz2_dmz1

static (dmz1,dmz2) 192.168.12.0 192.168.12.0 netmask 255.255.255.0

View solution in original post

0 Helpful
6 Replies 6

Go to solution
acomiskey
Level 10
Level 10

‎09-09-2009 10:47 AM

no access-list dmz1_dmz2 extended permit ip 192.168.12.0 255.255.255.0 192.168.100.0 255.255.252.0

no access-list dmz2_dmz1 extended permit ip 192.168.100.0 255.255.252.0 192.168.12.0 255.255.255.0

no nat (dmz1) 0 access-list dmz1_dmz2

no nat (dmz2) 0 access-list dmz2_dmz1

static (dmz1,dmz2) 192.168.12.0 192.168.12.0 netmask 255.255.255.0

0 Helpful

Go to solution
tholmes
Level 1
Level 1
In response to acomiskey

‎09-10-2009 12:28 AM

Hello, there Acomiskey

Thanks for the reply, I'll give it a go and let you know

Cheers Tony

0 Helpful

Go to solution
tholmes
Level 1
Level 1
In response to tholmes

‎09-10-2009 07:15 AM

Hi,

I made those changes but no difference, the ASA still thinks the return packet is coming from the Inside and not the DMZ so it drops it.

Thanks anyhow

Cheers Tony

0 Helpful

Go to solution
acomiskey
Level 10
Level 10

‎09-10-2009 06:51 AM

What does the rest of your interface

config look like?

0 Helpful

Go to solution
tholmes
Level 1
Level 1
In response to acomiskey

‎09-10-2009 07:46 AM

Hi,

Its pretty standard, I've used sub interfaces on another firewall recently, same code too, without problems

interface GigabitEthernet0/0

speed 1000

duplex full

nameif outside

security-level 0

ip address XXX.YYY.ZZZ.2 255.255.255.0

!

interface GigabitEthernet0/1

nameif inside

security-level 100

ip address 192.168.1.253 255.255.255.0

!

interface GigabitEthernet0/2

no nameif

security-level 50

no ip address

!

interface GigabitEthernet0/2.1

description *** Link for SQL Server VLAN 3 ***

vlan 3

nameif dmz1

security-level 50

ip address 192.168.12.1 255.255.255.0

!

interface GigabitEthernet0/2.2

description *** Link for VIP DMZ ***

vlan 2

nameif dmz2

security-level 50

ip address 192.168.100.254 255.255.255.0

!

I added a line to the inside ACL to allow 192.168.12.0 through to 192.168.100.0 just to see what happens, the FW then rejected the reply with the following syslog message.

305006 192.168.100.1 regular translation creation failed for icmp src inside:192.168.12.112 dst dmz2:192.168.100.1 (type 0, code 0)

Makes no sense

Cheers Tony

0 Helpful

Go to solution
tholmes
Level 1
Level 1
In response to tholmes

‎09-14-2009 08:43 AM

It makes sense now.

The end user has 2 NICs in his DMZ servers, 1 into the DMZ and the other into the Inside (not very secure!)

This means return traffic was coming in via the d/g which was pointing to the Inside interface.

Many thanks for your help and taking the time to make some suggestions

Much apprecaited

Tony

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card