New Member

nat-problem with asa 5520 8.3

Hi,

We upgraded our ASA 5520 this weekend to release 8.3. The problem is that I have to reach the server with IP 10.80.41.24 behind the transit-intern interface (sec-level 100) from the WWW across the outside interface (sec-level 0) via the public IP 92.62.22.232. Therefore I configured this NAT rule:

object network obj-10.80.41.24
host 10.80.41.24

object network obj-10.80.41.24
nat (transit-intern,outside) static 92.62.22.232

Otherwise, the server has to be reached natively from the VPN IP users terminating on the same interface (outside):

object network transit-intern-netze
  subnet 10.80.32.0 255.255.224.0
object network remote-pool
  subnet 10.80.52.0 255.255.255.0

nat (outside,transit-intern) source static remote-pool remote-pool destination static transit-intern-netze transit-intern-netze

Is there a possibility to make a config which works?

Thanks for your response!

Kind regards,

Thomas

4 REPLIES
New Member

Re: nat-problem with asa 5520 8.3

I assume you are able to let your VPN users access the device via 10.80.41.24.

Are you saying that the following NAT is not working for you?

object network obj-10.80.41.24
host 10.80.41.24

object network obj-10.80.41.24
nat (transit-intern,outside) static 92.62.22.232

It definitely works (I am using "inside" instead of "transit-intern"):

ASA(config)# packet-tracer input outside tcp 4.2.2.2 1025 92.62.22.232 80

Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
MAC Access list

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 3
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
object network obj-10.80.41.24
nat (inside,outside) static 92.62.22.232
Additional Information:
NAT divert to egress interface inside
Untranslate 92.62.22.232/80 to 10.80.41.24/80

Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group 101 in interface outside
access-list 101 extended permit ip any any
Additional Information:

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
object network obj-10.80.41.24
nat (inside,outside) static 92.62.22.232
Additional Information:

Phase: 7
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 1259, packet dispatched to next module

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: allow

Send the output of "packet-tracer input outside tcp 4.2.2.2 1025 92.62.22.232 80"

Check to see if you have access-rules for this.

New Member

Re: nat-problem with asa 5520 8.3

Hi Mark,

You are right. This NAT rule works fine. But the NAT exclusion for the VPN users (VPN pool: 10.80.52.0/24) doesn't work --> error code:

5  Jul 28 2010  17:41:51  305013  10.80.41.24  Asymmetric NAT rules matched for forward and reverse flows; Connection for icmp src outside:10.80.52.21 dst transit-intern:10.80.41.24 (type 8, code 0) denied due to NAT reverse path failure

Access to other devices in the same LAN (10.80.41.0/24) works fine.

It seems that the reverse packets are sent directly to the internet and not back to the IPsec tunnel.

New Member

Re: nat-problem with asa 5520 8.3

Hmm, I don't think the following will work...

nat (outside,transit-intern) source static remote-pool remote-pool destination static transit-intern-netze transit-intern-netze

If I am correct, basically you want to be able to reach 10.80.41.24 from 10.80.52.0 255.255.255.0 by using its real IP address of 10.80.41.24.

What happens if you try the following and take out the rule above?

nat (transit-intern,outside) source static obj-10.80.41.24 obj-10.80.41.24 destination static remote-pool remote-pool
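
Putting the thread together, here is the corrected configuration with the checks I would run on the ASA to confirm the fix; this is an added example, not configuration posted in the thread. It assumes an access-list already permits the traffic, and uses the VPN client address 10.80.52.21 from the syslog message above as the test source.

```cisco
! Objects as defined in the thread
object network obj-10.80.41.24
 host 10.80.41.24
 nat (transit-intern,outside) static 92.62.22.232
object network remote-pool
 subnet 10.80.52.0 255.255.255.0
!
! Remove the manual NAT rule written from the outside side; with it in
! place the syslog showed forward and reverse flows matching different rules
no nat (outside,transit-intern) source static remote-pool remote-pool destination static transit-intern-netze transit-intern-netze
!
! Identity NAT written from the server's side, same interface pair as the
! object NAT. Manual NAT (section 1) is evaluated before object NAT
! (section 2), so VPN-pool traffic keeps the real address in both directions.
nat (transit-intern,outside) source static obj-10.80.41.24 obj-10.80.41.24 destination static remote-pool remote-pool
!
! Verify: the VPN client's echo request and the server's echo reply
! must both be allowed (no "NAT reverse path failure")
packet-tracer input outside icmp 10.80.52.21 8 0 10.80.41.24
packet-tracer input transit-intern icmp 10.80.41.24 0 0 10.80.52.21
! Internet access via the public address must still un-NAT as before
packet-tracer input outside tcp 4.2.2.2 1025 92.62.22.232 80
! Confirm rule order (section 1 before section 2) and hit counts
show nat detail
```
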

New Member

Re: nat-problem with asa 5520 8.3

Thanks August, you were right. It works!!
