This configuration is beyond my understanding of Cisco natting. Actually most of it is beyond, but I set it up anyway.
We have two connections out of our building. Our internet link (named SirenTel), and a connection to the state network which is forwarded to another router in our DMZ.
I think I need a route map to fix my problem but not sure. I had everything configured and working, but nobody could get out of our second state link. So I had to add this line to the configuration: "nat (any,DMZ) after-auto source dynamic any interface"
Then the static routes to the state network started to work. Now a new problem with any devices in the DMZ, they cannot access the internet. Connections initiated from the internet are able to reach them correctly. I receive this error in the log:
"Asymmetric NAT rules matched for forward and reverse flows; Connection for udp src DMZ:10.167.42.15/53294 dst SirenTel:18.104.22.168/53 denied due to NAT reverse path failure"
Do I need a conditional nat for that DMZ link to the state network? I need everyone on our network (multiple vlans) to be able to send through that route, so not sure how to write it.
My second, unrelated problem is with trying to ping devices outside our network. The reply gets denied due to firewall rules, but shouldn't established connections come back through? For the few devices I wanted to monitor outside my network I had to add a permit for icmp traffic from those addresses.
I am guessing that I do not need this line if I don't need to route from outside my network through my second link.
nat (outside,dmz) source dynamic any interface destination static DMZ_Subnets DMZ_Subnets
And I do not have 'inside' or 'outside' defined anywhere as an interface name. Do I need to substitute each of my interface names for these, or can I use 'any' with that destination object group? I have 9 internal interfaces defined because of subnetting.
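Added illustration (not the poster's running config, and not an answer the thread gives): the posted after-auto rule beside an interface-specific form that cannot match the reverse of an internet-bound DMZ flow, plus the ICMP inspection that lets echo replies return without a permit. Interface names other than DMZ and SirenTel (Inside_Users, Inside_Servers) and the State_Net object with its prefix are assumptions.

```cisco
! Added example, not the poster's configuration. Inside_Users and
! Inside_Servers stand in for the nine internal interfaces; State_Net
! and its prefix are placeholders for the real state-network object.
!
! --- Rule as posted (section 3, after-auto) ---
! With "any" as the real interface, this rule also matches the REVERSE
! direction of a DMZ -> SirenTel flow (SirenTel -> DMZ), so the reply is
! translated by a different rule than the forward packet. The ASA refuses
! the connection and logs "Asymmetric NAT rules matched ... NAT reverse
! path failure", which is the message quoted above.
nat (any,DMZ) after-auto source dynamic any interface
!
! --- Interface-specific form: only inside VLANs match, only toward the
! --- state network (one line per internal interface)
object network State_Net
 subnet 10.0.0.0 255.0.0.0
!
no nat (any,DMZ) after-auto source dynamic any interface
nat (Inside_Users,DMZ) after-auto source dynamic any interface destination static State_Net State_Net
nat (Inside_Servers,DMZ) after-auto source dynamic any interface destination static State_Net State_Net
!
! A packet entering on SirenTel toward a DMZ host has real interface
! SirenTel, so none of these rules match its reverse flow and the DMZ
! host's outbound internet traffic is handled by a single NAT rule in
! both directions.
!
! --- ICMP: without inspection the ASA keeps no state for echo requests,
! --- so the echo reply is evaluated against the inbound ACL and denied
policy-map global_policy
 class inspection_default
  inspect icmp
!
! --- Verify: walk the quoted flow through the NAT table
show nat detail
packet-tracer input DMZ udp 10.167.42.15 53294 18.104.22.168 53
```

packet-tracer shows which NAT rule each phase picked; with the posted rule in place the output ends in a DROP attributed to NAT reverse path, with the interface-specific rules it should reach ALLOW.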