I added a NAT exemption for a server in my DMZ for two subnets, Elm and Roc:
nat (Inside,Any) source static Elm Roc Elm Roc destination static DMZ-Server DMZ-Server
About 20 minutes after adding this rule to my firewall, clients in the Elm subnet were disconnected from the Windows servers, AS/400s and DNS.
The Roc subnet was connected through an IPSec VPN tunnel through this same firewall. My Cisco Core Router 10.0.0.1 is the default gateway for devices in the Elm subnet, and the Cisco ASA 10.0.0.254 is the route of last resort.
The issues did not all happen at once: some things would work, then drop and not connect.
After I removed this NAT command (it took 4 hours to identify that this was the issue), within 15 minutes the servers, AS/400s and DNS all started working.
I am being asked to identify why this command would cause this issue and I don't know why it did!
I guess the above NAT is not the exact format of the command you had, mainly because you have "Elm Roc Elm Roc" as the "source" parameters. (The "source static" should be followed by a single object defining the real source and a single object defining the mapped source.)
I would presume that the objects are actually named something like "Elm_Roc" or "Elm-Roc"?
What the above configuration essentially tells us:
NAT is done between the "Inside" and "any" interfaces. The actual interface instead of "any" will be determined by using the routing table of the ASA.
Any network/networks specified under "Elm Roc" are located behind the "Inside" interface.
Any network/networks specified under "DMZ-Server" are located behind some interface that the above information doesn't tell us.
So we would really need to know the specific configuration and routing of the ASA to determine if this configuration is the one you should have configured (though naturally it seems it wasn't the correct one).
If I presume that you wanted to prevent any NAT for a DMZ server when the destination was some INSIDE network, then I would have configured the NAT something like this:
object network LAN
 subnet 10.10.10.0 255.255.255.0
object network DMZ-SERVER
nat (DMZ,LAN) source static DMZ-SERVER DMZ-SERVER destination static LAN LAN
This would essentially mean that the hosts on the network 10.10.10.0/24 would be able to connect to the DMZ server with both source and destination IP address staying the same. This naturally applies for the other direction.
So to get to the bottom of this we need more specific information about the current setup (routing table, the actual networks/host addresses behind the objects in the above NAT configuration) and what stopped working (for example source and destination IP addresses).
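As an added illustration (not the answer's or Cisco's code), a small Python model of how a twice-NAT line is laid out and applied: one real and one mapped object per side, and identity NAT leaving both addresses unchanged in either direction. The objects LAN, LAN-MAPPED and DMZ-SERVER and their addresses are assumed, and the model is a simplification of ASA behaviour (no interface lookup, no rule ordering).

```python
import ipaddress
import re

# Assumed object network definitions; addresses are constructed for this example.
OBJECTS = {
    "LAN": ipaddress.ip_network("10.10.10.0/24"),
    "LAN-MAPPED": ipaddress.ip_network("172.16.0.0/24"),
    "DMZ-SERVER": ipaddress.ip_network("192.0.2.10/32"),
}
# Twice NAT shape: source is "real mapped", destination is "mapped real" (ASA CLI order).
RULE_RE = re.compile(
    r"^nat \((?P<real_if>[\w-]+),(?P<mapped_if>[\w-]+)\) "
    r"source static (?P<src_real>[\w-]+) (?P<src_map>[\w-]+) "
    r"destination static (?P<dst_map>[\w-]+) (?P<dst_real>[\w-]+)$"
)

def parse_rule(line):
    """Parse one twice-NAT line; reject extra tokens (e.g. 'Elm Roc Elm Roc') or unknown objects."""
    m = RULE_RE.match(line.strip())
    if m is None:
        raise ValueError(f"malformed twice-NAT rule: {line!r}")
    rule = m.groupdict()
    for key in ("src_real", "src_map", "dst_real", "dst_map"):
        if rule[key] not in OBJECTS:
            raise ValueError(f"unknown object {rule[key]!r}")
    return rule

def is_valid_rule(line):
    """True when the line parses as a well-formed twice-NAT rule."""
    try:
        parse_rule(line)
        return True
    except ValueError:
        return False

def _remap(addr, from_obj, to_obj):
    """Static NAT keeps the host offset inside the subnet when moving between objects."""
    offset = int(addr) - int(OBJECTS[from_obj].network_address)
    return str(OBJECTS[to_obj].network_address + offset)

def translate(rule, src, dst):
    """Apply the rule to a (src, dst) packet in either direction; None if it does not match."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if src in OBJECTS[rule["src_real"]] and dst in OBJECTS[rule["dst_map"]]:   # from real side
        return (_remap(src, rule["src_real"], rule["src_map"]),
                _remap(dst, rule["dst_map"], rule["dst_real"]))
    if src in OBJECTS[rule["dst_real"]] and dst in OBJECTS[rule["src_map"]]:   # from mapped side
        return (_remap(src, rule["dst_real"], rule["dst_map"]),
                _remap(dst, rule["src_map"], rule["src_real"]))
    return None
```

With the identity rule from the answer, both directions return the packet unchanged; with a non-identity source pair (LAN to LAN-MAPPED), the DMZ server sees the mapped address instead, which is the kind of difference that decides whether return traffic still routes correctly.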