New Member

ASA NAT problem?

I have two interfaces that I am trying to get to communicate. VPNaccess is security level 100 and DMZ-50 is security level 50. Default rules. Below are the NATs currently in place. When I try to ping 172.16.50.21 I get the following: 305005 No translation group for icmp src VPNaccess:CyndiWS dst DMZ-50:syslog1.

When I try to ping 10.11.2.121, nothing.

TAC told me to put in 'static (VPNaccess,DMZ-50) 10.0.0.0 10.0.0.0'.

That didn't work either.

Any ideas?

interface Ethernet0/2
 description vpn access for technicians
 nameif VPNaccess
 security-level 100
 ip address 10.11.2.111 255.255.255.0
!
interface Ethernet0/3
 description Logging servers
 nameif DMZ-50
 security-level 50
 ip address 172.16.50.1 255.255.255.0

name 172.16.50.21 syslog1
name 10.31.103.86 CyndiWS

nat-control

global (outside) 15 66.x.x.190 netmask 255.255.255.255
global (inside) 5 172.16.11.190 netmask 255.255.255.255
global (VPNaccess) 10 10.11.2.120 netmask 255.255.255.255
global (DMZ-50) 20 172.16.50.2 netmask 255.255.255.255

static (DMZ-50,outside) 66.x.x.132 inspector netmask 255.255.255.255
static (DMZ-50,VPNaccess) 10.11.2.121 syslog1 netmask 255.255.255.255
static (VPNaccess,DMZ-50) 10.0.0.0 10.0.0.0 netmask 255.0.0.0

5 REPLIES
New Member

Re: ASA NAT problem?

Try using this static instead of the one the TAC told you:

static (VPNaccess,DMZ-50) 10.11.2.0 10.11.2.0

Green

Re: ASA NAT problem?

That's not the problem. 10.0.0.0/8 and 10.11.2.0/16 would both include the inside host in question.

The problem is you have a destination nat for the host you are pinging in the dmz.

static (DMZ-50,VPNaccess) 10.11.2.121 syslog1 netmask 255.255.255.255

To ping syslog1 via its DMZ address (172.16.50.21) you would have to remove that destination NAT.

Otherwise you have to ping it by 10.11.2.121.

The static that TAC gave you will allow you to ping any other dmz address.

Please rate helpful posts.
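The lookup this reply walks through, as an added example that is not part of the thread and not Cisco code: a small Python model of the pre-8.3 NAT order (destination static un-NAT first, then the source static or nat/global pair required by nat-control, then the restriction the thread observed, that a host published on an interface under a mapped address has to be reached by that address). It parses the poster's own configuration, minus the masked 66.x.x.x outside entries, and replays the three pings from the thread plus the 305005 line. The flow checks, the result dictionaries and the `lookup`/`explain_305005` helpers are assumptions of this model, not ASA output, and policy NAT (`nat 0 access-list`) is not handled.

```python
# Added example, not Cisco code: a small model of the pre-8.3 ASA NAT lookup
# the replies describe: does a flow get a translation, what does it land on,
# and why does it fail otherwise. It covers only the behaviour in the thread.
import ipaddress
import re

# Constructed input: the poster's config without the masked 66.x.x.x outside
# entries, which play no part in the VPNaccess <-> DMZ-50 flows.
CONFIG = """
name 172.16.50.21 syslog1
name 10.31.103.86 CyndiWS
nat-control
global (VPNaccess) 10 10.11.2.120 netmask 255.255.255.255
global (DMZ-50) 20 172.16.50.2 netmask 255.255.255.255
static (DMZ-50,VPNaccess) 10.11.2.121 syslog1 netmask 255.255.255.255
static (VPNaccess,DMZ-50) 10.0.0.0 10.0.0.0 netmask 255.0.0.0
"""

STATIC_RE = re.compile(r"static \((\S+),(\S+)\) (\S+) (\S+)(?: netmask (\S+))?")
NAT_RE = re.compile(r"nat \((\S+)\) (\d+) (\S+) (\S+)")  # plain nat only, no access-list form
GLOBAL_RE = re.compile(r"global \((\S+)\) (\d+) (\S+)")
# Accepts the poster's shortened 305005 line as well as the usual "addr/port" form.
LOG_RE = re.compile(r"src (\S+):([^/\s]+)\S* dst (\S+):([^/\s]+)")


def parse_config(text):
    """Collect name aliases, statics, nat/global pairs and the nat-control flag."""
    cfg = {"names": {}, "statics": [], "nats": [], "globals": [], "nat_control": False}

    def net(addr, mask):  # resolve a `name` alias, then build the network
        return ipaddress.ip_network(f"{cfg['names'].get(addr, addr)}/{mask}", strict=False)

    for line in text.splitlines():
        line = line.strip()
        if line == "nat-control":
            cfg["nat_control"] = True
        elif line.startswith("name "):
            _, ip, alias = line.split()
            cfg["names"][alias] = ip
        elif m := STATIC_RE.match(line):
            real_if, mapped_if, mapped, real, mask = m.groups()
            mask = mask or "255.255.255.255"  # a static with no netmask is a host entry
            cfg["statics"].append((real_if, mapped_if, net(mapped, mask), net(real, mask)))
        elif m := NAT_RE.match(line):
            iface, nat_id, addr, mask = m.groups()
            cfg["nats"].append((iface, nat_id, net(addr, mask)))
        elif m := GLOBAL_RE.match(line):
            cfg["globals"].append(m.groups())
    return cfg


def shift(ip, from_net, to_net):
    """Carry ip's offset inside from_net over to to_net (identity when both are equal)."""
    return to_net.network_address + (int(ip) - int(from_net.network_address))


def lookup(cfg, src_if, src, dst, dst_if=None):
    """Decide whether a flow from src_if gets a translation. dst_if is the routed
    egress interface; it is only needed when dst is not a statically mapped address."""
    src = ipaddress.ip_address(cfg["names"].get(src, src))
    dst = ipaddress.ip_address(cfg["names"].get(dst, dst))
    real_dst = dst
    # 1. Destination: an address a static publishes on src_if is un-translated first.
    for real_if, mapped_if, mapped_net, real_net in cfg["statics"]:
        if mapped_if == src_if and dst in mapped_net:
            dst_if, real_dst = real_if, shift(dst, mapped_net, real_net)
            break
    if dst_if is None:
        return {"ok": False, "reason": "destination is not a mapped address; pass the routed dst_if"}
    # 2. Source: a static wins over a nat/global pair; under nat-control no match is 305005.
    xlate = None
    for real_if, mapped_if, mapped_net, real_net in cfg["statics"]:
        if real_if == src_if and mapped_if == dst_if and src in real_net:
            xlate = shift(src, real_net, mapped_net)
            break
    for nat_if, nat_id, nat_net in cfg["nats"]:
        for glob_if, glob_id, glob_addr in cfg["globals"]:
            if xlate is None and nat_if == src_if and src in nat_net and glob_if == dst_if and glob_id == nat_id:
                xlate = ipaddress.ip_address(glob_addr)
    if xlate is None:
        if cfg["nat_control"]:
            return {"ok": False, "reason": f"305005 No translation group for src {src_if}:{src} dst {dst_if}:{real_dst}"}
        xlate = src  # without nat-control, untranslated traffic is let through
    # 3. A host that a static publishes on src_if under a different address has to be
    #    reached by that address; the thread shows its real address stops working otherwise.
    for real_if, mapped_if, mapped_net, real_net in cfg["statics"]:
        if real_if == dst_if and mapped_if == src_if and dst in real_net:
            published = shift(dst, real_net, mapped_net)
            if published != dst:
                return {"ok": False, "reason": f"{dst} is published on {src_if} as {published}; ping that address or remove the static"}
    return {"ok": True, "src_xlate": str(xlate), "dst_if": dst_if, "dst_real": str(real_dst)}


def explain_305005(cfg, logline):
    """Replay a 305005 message against the config to see which lookup step failed."""
    src_if, src, dst_if, dst = LOG_RE.search(logline).groups()
    return lookup(cfg, src_if, src, dst, dst_if)
```

With the poster's full config, `lookup(cfg, "VPNaccess", "CyndiWS", "syslog1", "DMZ-50")` comes back not ok and points at 10.11.2.121, while `lookup(cfg, "VPNaccess", "CyndiWS", "10.11.2.121")` un-NATs to 172.16.50.21 on DMZ-50 and passes, which is the behaviour this reply predicts. Removing the `(DMZ-50,VPNaccess)` static lets the real address through; removing the TAC identity static instead reproduces the 305005 from the question. Swapping the TAC static for the first reply's `static (VPNaccess,DMZ-50) 10.11.2.0 10.11.2.0` also yields 305005, because CyndiWS is 10.31.103.86 and sits outside 10.11.2.0 whether that is read as a host entry or as a /24. Since the model says the ping to 10.11.2.121 is translatable, a failure there after re-adding the static lies outside the NAT lookup, which is where the later replies (clear xlate, an address conflict on the VPNaccess segment) go looking.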

New Member

Re: ASA NAT problem?

OK, so I removed the static 10.11.2.121 and ping 172.16.50.21 and it works.

I put the static back in and ping 10.11.2.121 and the packet doesn't go through. I have scopes on both sides and it is never presented in the DMZ. Should it work that way?

Green

Re: ASA NAT problem?

"OK, so i removed the static 10.11.2.121 and ping 172.16.50.21 and it works."

-Good.

"I put the static back in and ping 10.11.2.121 and the packet doesn't go through."

-Did you try a clear xlate?

"I have scopes on both sides and it is never presented in the DMZ. Should it work that way?"

-Could you explain what you mean?

New Member

Re: ASA NAT problem?

Make sure 10.11.2.121 is not used by any machine on the VPNaccess interface. 10.11.2.121 has to be a free public IP address, otherwise when you try to ping 10.11.2.121, the packets may go to the actual machine rather than going to the PIX.

If it is indeed a free IP address, then do "debug icmp trace" or collect syslogs as you try to ping 10.11.2.121 and see if the ICMP requests are even reaching the PIX or not.
