We just dropped a SAN into our DMZ and I've created a new network for it using a different subnet. The LAN itself works independently without a problem, but as I try to connect the new network to our ASA 5520s I'm running into connectivity issues. I can't seem to get traffic from the DMZ subnet to the SAN subnet. The DMZ and SAN interfaces are set to the same security level on the ASA and I have allowed same-security traffic to pass.
Can someone give me a sanity check here? I think I need an appropriate NAT entry for this to work, but all of my attempts at that have yielded no progress. I've left out unrelated ACL and NAT entries and the VPN config.
access-list nonat extended permit ip 10.0.0.0 255.255.0.0 10.0.1.0 255.255.255.0
access-list nonat extended permit ip 10.0.0.0 255.255.255.0 10.0.5.0 255.255.255.0
access-list outside_access_out extended permit ip any any
access-list inside_access_in extended permit ip any any
pager lines 24
logging enable
logging trap informational
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
mtu SAN 1500
ip local pool vpnpool 10.0.5.1-10.0.5.254 mask 255.255.255.0
failover
failover lan unit primary
failover lan interface failover GigabitEthernet0/3
failover key *****
failover link failover GigabitEthernet0/3
failover interface ip failover 172.16.1.1 255.255.255.0 standby 172.16.1.2
monitor-interface outside
monitor-interface inside
monitor-interface management
monitor-interface SAN
icmp permit any outside
icmp permit any inside
asdm image disk0:/asdm-508.bin
asdm history enable
arp timeout 14400
nat-control
global (outside) 1 xx.xxx.xxx.xxx
My name is Mike and I will try to help you out. I don't see the DMZ anywhere; I can see the SAN interface only. Are the DMZ and SAN on the same interface? Would the ASA do the routing for these subnets? Would you please draw us a topology for this?
Will a Visio diagram suffice? I've attached our layout. I've added the lighter weighted lines to the diagram indicating what I'm trying to do.
The background colors take the place of physical connections to the appropriate LAN switch.
The DMZ, as of right now, is signified by the "inside" and "san" interfaces on the ASA config I pasted. The ASA will be doing the routing for these subnets, that's not what I wanted but it also isn't my call.
Ok, so the Inside will be the DMZ and the SAN will be... well.... the SAN network. I don't see any NAT configuration; would you please do a packet-tracer command from the DMZ to the SAN network? It will be like this:
packet-tracer input inside tcp <dmz-host-ip> 1025 <san-host-ip> 80
With this we will be able to see the reason for the drop.
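As an added illustration that is not part of the thread: with `nat-control` enabled, a flow between two interfaces that matches neither a NAT rule nor the `nonat` exemption ACL is dropped, so a quick check of which flows the posted `nonat` ACL actually exempts narrows the packet-tracer result. The SAN subnet is not given in the post, so 192.168.50.0/24 below is a constructed placeholder, and the two ACL lines are copied from the configuration above.

```python
"""Check whether a src->dst flow is exempted from NAT by the ASA 'nonat' ACL."""
import ipaddress
import re

# Constructed sample: the two 'nonat' ACEs exactly as pasted in the question,
# plus the 'nat-control' line. The SAN subnet is unknown, so it is left out.
ASA_CONFIG = """\
access-list nonat extended permit ip 10.0.0.0 255.255.0.0 10.0.1.0 255.255.255.0
access-list nonat extended permit ip 10.0.0.0 255.255.255.0 10.0.5.0 255.255.255.0
nat-control
"""

# Matches 'access-list <name> extended permit|deny ip <src> <mask> <dst> <mask>'.
ACE_RE = re.compile(
    r"^access-list (\S+) extended (permit|deny) ip (\S+) (\S+) (\S+) (\S+)$"
)


def parse_ip_aces(config, acl_name):
    """Return [(action, src_net, dst_net)] for the named ACL, in config order."""
    aces = []
    for line in config.splitlines():
        m = ACE_RE.match(line.strip())
        if m and m.group(1) == acl_name:
            _, action, s, sm, d, dm = m.groups()
            # ipaddress accepts dotted netmasks; strict=False tolerates host bits.
            aces.append((action,
                         ipaddress.ip_network(f"{s}/{sm}", strict=False),
                         ipaddress.ip_network(f"{d}/{dm}", strict=False)))
    return aces


def nat_exempt(config, src, dst, acl_name="nonat"):
    """True if src->dst hits a permit ACE in the exemption ACL (first match wins)."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, snet, dnet in parse_ip_aces(config, acl_name):
        if src in snet and dst in dnet:
            return action == "permit"
    return False


def dropped_by_nat_control(config, src, dst):
    """With nat-control on and no exemption, the flow needs a nat/static rule
    for this interface pair or it is dropped; none for inside->SAN is shown."""
    return "nat-control" in config.splitlines() and not nat_exempt(config, src, dst)


if __name__ == "__main__":
    # Hypothetical DMZ host talking to a host in the constructed SAN subnet.
    print(dropped_by_nat_control(ASA_CONFIG, "10.0.0.10", "192.168.50.10"))
```

Adding an exemption ACE for the DMZ-to-SAN subnet pair (or a NAT rule for that interface pair) is what would flip the last check to False.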