New Member

NAT on Cisco ASA 5550 v8.3(2)

Not very familiar with ASA and NAT'ing in general so hopefully, this will make sense.

I've created a Site-to-Site IPSec VPN tunnel with one of our clients (who uses a PIX). The remote user can connect to our local, private LAN servers without a problem. However, when the remote user tries to connect to servers on our corporate network (which is linked over WAN routers from LA to Dallas) they can't get through.

When I run Packet Trace in ASDM on our ASA all is well until the packet attempts to traverse from the Inside interface back through the Outside interface (back to the remote client side of the VPN tunnel).

I see the following "error" within the Packet Trace tool;

-----------------------------------------------------------------------------------------

Type - NAT    Subtype - rpf-check    Action - DROP
Config
object network obj_any
 nat (inside,outside) dynamic interface

-------------------------------------------------------------------------------------------

I've attached my ASA config. The remote client-side address is 74.8.221.195, it's being PAT'd to 172.30.12.75 and the remote host/network it's not able to reach is 172.30.101.20 ( /24 net mask). The local segment in my LA network is 172.30.12.0/22 and the servers in this network are all able to communicate with the remote client-side user at 74.8.221.195.

This seems simple, so I'm sure my lack of knowledge is the main ingredient here. Any help would be greatly appreciated. As previously stated, I've attached a .txt file of my ASA config.

2 REPLIES

Hi,

nat (inside,outside) source static alb-net1 alb-net1 destination static obj-74.8.221.195 obj-74.8.221.195
!
object network alb-net1
 subnet 172.30.12.0 255.255.252.0
 description Created during name migration  object network alb-net1
!

172.30.12.0 255.255.252.0 does not cover the subnet 172.30.101.20. Also, make sure your corp n/w routers have a route to the remote network.

hth

MS
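The coverage check described in the reply above, as an added example that is not part of the original thread: it parses the quoted `object network` and identity (twice) NAT lines and reports whether a flow between an inside host and the remote peer is matched by the exemption or falls through to later rules such as the `obj_any` dynamic PAT. The `host` body of `obj-74.8.221.195` and the function names are assumptions; only the rule form quoted in the thread is handled.

```python
import ipaddress
import re

# Config lines quoted in the thread (constructed sample). The host definition
# for obj-74.8.221.195 is an assumption: its body is not shown on the page.
SAMPLE_CONFIG = """\
object network alb-net1
 subnet 172.30.12.0 255.255.252.0
 description Created during name migration
object network obj-74.8.221.195
 host 74.8.221.195
nat (inside,outside) source static alb-net1 alb-net1 destination static obj-74.8.221.195 obj-74.8.221.195
"""

NAT_RE = re.compile(r"nat \((\S+),(\S+)\) source static (\S+) (\S+) "
                    r"destination static (\S+) (\S+)")

def parse_config(text):
    """Return (objects, identity_rules) from object-network and twice-NAT lines."""
    objects, rules, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        parts = line.split()
        if line.startswith("object network ") and len(parts) == 3:
            current = parts[2]
        elif parts[:1] == ["subnet"] and current and len(parts) == 3:
            objects[current] = ipaddress.ip_network(f"{parts[1]}/{parts[2]}")
        elif parts[:1] == ["host"] and current and len(parts) == 2:
            objects[current] = ipaddress.ip_network(f"{parts[1]}/32")
        else:
            m = NAT_RE.match(line)
            # Keep only identity rules: real and mapped objects are the same.
            if m and m.group(3) == m.group(4) and m.group(5) == m.group(6):
                rules.append((m.group(3), m.group(5)))
    return objects, rules

def exempt_rule_for(inside_ip, remote_ip, objects, rules):
    """Name the first identity NAT rule covering this flow, or None."""
    src, dst = ipaddress.ip_address(inside_ip), ipaddress.ip_address(remote_ip)
    for src_obj, dst_obj in rules:
        if src in objects.get(src_obj, ()) and dst in objects.get(dst_obj, ()):
            return f"{src_obj} -> {dst_obj}"
    return None  # no exemption: later NAT rules apply to this flow

if __name__ == "__main__":
    objs, rls = parse_config(SAMPLE_CONFIG)
    for host in ("172.30.12.75", "172.30.101.20"):
        print(host, "->", exempt_rule_for(host, "74.8.221.195", objs, rls))
```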

New Member

This ended up being a Crypto Map issue.
