The error message is generated because you are connecting from EXT to PROD and on the initial direction the connection possibly doesn't match any NAT rule but the reverse check for NAT matches the above "nat" configuration you mentioned. The same NAT should be matched for both directions of the traffic and naturally when you have a Dynamic PAT facing from one network to the other then there is a problem.
You are essentially first telling the ASA with the "nat" command that the whole PROD network should be hidden behind a PAT address towards EXT but you are trying to connect to the PROD from behind the EXT even though you just configured that the hosts on PROD should be hidden behind PAT.
Typically I would not even configure any NAT between different local interfaces and I am wondering why you want to do Dynamic PAT between your local interfaces? Wouldn't it be easier to allow them to connect with their original IP addresses?
this is a good question: the EXT-DMZ Interface is also connected to internet public networks (this is an architecture limit).
For this reason in some cases I need to reach the original IP because the connection is starting from the Ext Dmz hosts; in other cases I don't need to reach the original IP but I need to translate the Dmz-production IP with the external Dmz interface IP to reach the Internet public network.
Are you saying that behind the EXT-DMZ there is an another gateway out of the network that those devices use and you need the Dynamic PAT so the traffic from PROD-DMZ appears to the EXT-DMZ hosts coming from the directly connected network?
Or did I misunderstand the setup completely?
If this is the situation then I think you first need to determine all the PROD-DMZ hosts that need to be connected to using their original/local IP address from EXT-DMZ. Then you will have to configure a Static Policy NAT between PROD-DMZ and EXT-DMZ on a higher priority/order than the existing Dynamic PAT. This would enable these hosts to connect with original IP address while the Dynamic PAT would also function.
Hopefully I have not mistaken something. Already confusing myself between the DMZs.
For example from the DB server (IP 10.112.2.2) I cannot reach the real IP 10.112.1.20.
Consider that on the Checkpoint firewall the NAT rule is already implemented and is working correctly only when an internal host IP tries to reach the external server IP address, while the real HTTP server (10.112.1.20) IP can be used for all the other interfaces (and also from the internal LAN).
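An added illustration (not configuration from anyone in this thread) of the ordering suggested above, in ASA 8.3+ syntax: the manual/twice NAT identity rule sits in Section 1, so the ASA evaluates it before the Section 2 object NAT dynamic PAT, and because it is static it matches the same way in both directions. The interface names PROD-DMZ and EXT-DMZ, the object names, the /24 subnets, and placing 10.112.2.2 on PROD-DMZ and 10.112.1.20 on EXT-DMZ are assumptions for the example.

```cisco
! Objects for the two directly connected DMZ networks (assumed subnets)
object network PROD-DMZ-NET
 subnet 10.112.2.0 255.255.255.0
object network EXT-DMZ-NET
 subnet 10.112.1.0 255.255.255.0

! Section 1 (manual/twice NAT): identity NAT for PROD-DMZ <-> EXT-DMZ traffic.
! Source and destination both translate to themselves, so hosts on either side
! keep their real IPs. Manual NAT in Section 1 is always evaluated before object NAT.
nat (PROD-DMZ,EXT-DMZ) source static PROD-DMZ-NET PROD-DMZ-NET destination static EXT-DMZ-NET EXT-DMZ-NET

! Section 2 (object NAT): dynamic PAT behind the EXT-DMZ interface address for
! any PROD-DMZ traffic that did NOT match the identity rule above, i.e. flows
! whose destination is outside EXT-DMZ-NET (Internet via the EXT-DMZ gateway).
object network PROD-DMZ-NET
 nat (PROD-DMZ,EXT-DMZ) dynamic interface

! Checks: confirm the rule order, then simulate the failing direction
! (EXT-DMZ host -> PROD-DMZ DB server; ports are constructed placeholders) and
! verify the NAT phase reports the identity rule rather than the PAT rule.
show nat
packet-tracer input EXT-DMZ tcp 10.112.1.20 40000 10.112.2.2 1433 detailed
```

If `show nat` lists the dynamic PAT before the identity rule, the manual NAT line was entered with an explicit `after-auto` or in the wrong section; it must appear under "Manual NAT Policies (Section 1)".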