same-security-traffic permit inter-interface not working

brianbono (Level 1)

Guys, I need help to allow traffic between two interfaces that have the same security level. I have already enabled the "same-security-traffic permit inter-interface" command, but I still can't ping my switch or server on the other VLAN...

What else do I need to do to accomplish this task? ACLs are at defaults as of now...

43 Replies

I have tried your three suggested solutions, but to no avail. I have also tried the packet-tracer, but got this error:

ASA# packet-tracer input inside icmp 172.19.20.19 8 0 172.19.21.21 detailed
packet-tracer input inside icmp 172.19.20.19 8 0 172.19.21.21 detailed
^
ERROR: % Invalid input detected at '^' marker.

I got this log for the ASA below:

3|Jun 06 2008 02:34:40|305005: No translation group found for icmp src inside:172.19.20.19 dst insidevoice:172.19.21.21 (type 8, code 0)

Please help...

Appreciate all your help, Farrukh :)

Hi Brian

Run "clear xlate" after applying NAT statements.

Please post your full sanitized config and let us see.

Regards

Hrm, are you running ASA 7.2.x or higher? packet-tracer is only supported on 7.2(1) and later?

Regards

Farrukh

The OP is running 7.0(7).

He needs to post a sanitized config at this point so we can see everything that's going on.

ASA# sh run
: Saved
:
ASA Version 7.0(7)
!
hostname ASA
domain-name abc.com
names
dns-guard
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 123.123.123.2 255.255.255.240
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 172.19.20.40 255.255.255.0
!
interface Ethernet0/2
 nameif insidevoice
 security-level 100
 ip address 172.19.21.40 255.255.255.0
!
interface Management0/0
 shutdown
 no nameif
 no security-level
 no ip address
 management-only
!
ftp mode passive
same-security-traffic permit inter-interface
access-list outside_access_in extended permit icmp any any
access-list nonat extended permit ip 172.19.20.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list nonat extended permit ip 172.19.20.0 255.255.255.0 172.25.0.0 255.255.0.0
access-list nonat extended permit ip 172.19.20.0 255.255.255.0 172.22.0.0 255.255.0.0
access-list nonat extended permit ip 172.19.20.0 255.255.255.0 192.0.0.0 255.255.255.0
access-list nonat extended permit ip 172.19.20.0 255.255.255.0 172.19.21.0 255.255.255.0
access-list to1 extended permit ip 172.19.20.0 255.255.255.0 172.25.0.0 255.255.0.0
access-list to2 extended permit ip 172.19.20.0 255.255.255.0 172.22.0.0 255.255.0.0
access-list to3 extended permit ip 172.19.20.0 255.255.255.0 192.0.0.0 255.255.255.0
access-list to4 extended permit ip 172.19.20.0 255.255.255.0 172.19.200.0 255.255.255.0
access-list to5 extended permit ip 172.19.200.0 255.255.255.0 172.19.20.0 255.255.255.0
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu insidevoice 1500
ip local pool vpnip 172.19.200.10-172.19.200.250
asdm image disk0:/asdm-507.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
nat (insidevoice) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 123.123.123.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server VPNAuth protocol radius
aaa-server VPNAuth host 172.19.20.250
 key xxxxx
group-policy ABC internal
group-policy ABC attributes
 dns-server value 172.19.20.250
 vpn-idle-timeout 30
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value ST
 default-domain value ABC.local
 webvpn
http server enable
http 0.0.0.0 0.0.0.0 outside
http 172.19.20.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet 172.19.20.0 255.255.255.0 inside
telnet timeout 60
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 60
console timeout 0
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
: end
ASA#

Put a nat 0 statement on insidevoice using an ACL, which will match traffic going from insidevoice to inside.

And if you want to ping, either create ACLs to allow echo/echo-reply, or add ICMP inspection.

Can you post the sample config to be added, so that I can try it out? Thank you very much.

access-list nat0_acl permit 172.19.21.0 255.255.255.0 172.19.20.0 255.255.255.0
nat (insidevoice) 0 access-list nat0_acl
policy-map global_policy
 class inspection_default
  inspect icmp
  inspect icmp error

Got this error again:

ASA(config)# access-list nat0_acl permit 172.19.21.0 255.255.255.0 172.19.$
access-list nat0_acl permit 172.19.21.0 255.255.255.0 172.19.20.0 255.255.255.0
^
ERROR: % Invalid input detected at '^' marker.

Sorry for being such a pain in the @$%#$^% :) Thanks, man.

You need to use "permit ip" :)

Regards

Farrukh

Whoops...

I was just testing him... yeah, that's it. It was a test.

I don't care if it was a test or not... the thing is that it's working hehehe

It is now working! THANK YOU VERY MUCH GUYS!

Here is what I think :)

If you have an exempt NAT statement applied to interface inside that contains source as inside and destination as dmz, this affects traffic originated from both inside and dmz. I mean, once you apply the correct exempt NAT to inside, that will take care of both inside->dmz and dmz->inside. You don't need one applied to dmz.

Then how did it resolve the issue? Here are my theories.

1) Brian was testing the connectivity with ping, which is not a good way when it is a firewall device that sees ICMP as a possible DoS attack and denies it by default. And Brian's outside_access_in ACL, which permits ICMP, was not applied to the outside interface with the access-group command. ICMP inspection did the trick. But this theory cannot explain the translation error logs.

2) Brian was hitting CSCsd90140 or another one which prevented the inside exempt NAT from operating correctly. An exempt NAT applied to the dmz interface, which is actually not necessary under normal circumstances, did operate normally and did what the inside exempt NAT couldn't.

Any thoughts?

But glad that issue is resolved.

I posted this earlier:

By default, you do not need to do NAT between same-security-level interfaces, even if nat-control is enabled.

However, you do need to configure NAT rules if you define dynamic NAT for either of the same-security-level interfaces.

That problem was the nat (insidevoice) 1 statement, which was needed; because of that, you need nat 0 statements on both interfaces. And yes, ICMP is not good for testing unless you've allowed it through the firewall.
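As an added illustration of the NAT rule stated in the last two replies (a catch-all dynamic nat on an interface forces every packet entering it to find either a nat 0 exemption or a matching global on the egress interface), here is a small Python model that walks that decision for the posted config. This is my own simplified model, not ASA code and not something anyone in the thread posted. It assumes nat-control is disabled, ignores static and policy NAT, and checks the exemption only on the packet's ingress interface, which is the "nat 0 on both interfaces" rule the last reply states. Interface names and networks are taken from the config above; 198.51.100.7 is a constructed internet address.

```python
"""Toy model of pre-8.3 ASA NAT lookup between two interfaces (added example).

Reproduces the thread's situation: 'nat (insidevoice) 1 0.0.0.0 0.0.0.0' has a
matching 'global' only on outside, so insidevoice -> inside traffic has no
translation group (syslog 305005) until 'nat (insidevoice) 0 access-list' is
added. Simplifications (assumptions, not verified ASA behaviour): nat-control
is off, static/policy NAT are ignored, exemption is checked on ingress only.
"""
from ipaddress import ip_address, ip_network


def acl_matches(acl, src, dst):
    """acl is a list of (src_network, dst_network) strings, i.e. 'permit ip' entries."""
    s, d = ip_address(src), ip_address(dst)
    return any(s in ip_network(sn) and d in ip_network(dn) for sn, dn in acl)


def nat_lookup(cfg, ingress, egress, src, dst):
    """Return (verdict, detail) for one packet.

    cfg["nat"][ifname] is a list of rules: {"id": 0, "acl": [...]} for a
    nat 0 access-list exemption, or {"id": n, "net": "a.b.c.d/m"} for dynamic
    NAT. cfg["global"][ifname] is the set of nat ids that have a global there.
    Verdicts: exempt, translate, no-translation-group, untranslated.
    """
    rules = cfg["nat"].get(ingress, [])
    # 1. NAT exemption (nat 0 access-list) is consulted first.
    for r in rules:
        if r["id"] == 0 and "acl" in r and acl_matches(r["acl"], src, dst):
            return "exempt", f"nat ({ingress}) 0 access-list"
    # 2. Dynamic NAT: first rule whose source network covers the packet. It
    #    only works if the egress interface carries a global with the same id.
    for r in rules:
        if r["id"] != 0 and "net" in r and ip_address(src) in ip_network(r["net"]):
            if r["id"] in cfg["global"].get(egress, set()):
                return "translate", f"nat ({ingress}) {r['id']} -> global ({egress}) {r['id']}"
            return "no-translation-group", (
                f"%ASA-3-305005: No translation group found for "
                f"src {ingress}:{src} dst {egress}:{dst}"
            )
    # 3. Nothing matched: with nat-control disabled the packet passes as-is.
    return "untranslated", "no nat rule matched"


# The 'nonat' ACL from the posted config, as (src, dst) network pairs.
NONAT = [
    ("172.19.20.0/24", "192.168.100.0/24"),
    ("172.19.20.0/24", "172.25.0.0/16"),
    ("172.19.20.0/24", "172.22.0.0/16"),
    ("172.19.20.0/24", "192.0.0.0/24"),
    ("172.19.20.0/24", "172.19.21.0/24"),
]


def thread_config():
    """NAT-relevant part of the posted config, before the fix."""
    return {
        "nat": {
            "inside": [{"id": 0, "acl": NONAT}, {"id": 1, "net": "0.0.0.0/0"}],
            "insidevoice": [{"id": 1, "net": "0.0.0.0/0"}],
        },
        "global": {"outside": {1}},
    }


def apply_fix(cfg):
    """The fix from the thread: nat (insidevoice) 0 access-list nat0_acl."""
    nat0_acl = [("172.19.21.0/24", "172.19.20.0/24")]
    cfg["nat"]["insidevoice"].insert(0, {"id": 0, "acl": nat0_acl})
    return cfg


def demo():
    before = thread_config()
    after = apply_fix(thread_config())
    voice_pkt = dict(src="172.19.21.21", dst="172.19.20.19")
    return {
        "voice_to_inside_before": nat_lookup(before, "insidevoice", "inside", **voice_pkt)[0],
        "voice_to_inside_after": nat_lookup(after, "insidevoice", "inside", **voice_pkt)[0],
        "inside_to_voice": nat_lookup(after, "inside", "insidevoice", "172.19.20.19", "172.19.21.21")[0],
        # constructed internet destination: dynamic NAT to the outside global
        "inside_to_internet": nat_lookup(after, "inside", "outside", "172.19.20.19", "198.51.100.7")[0],
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:24s} {verdict}")
```

The model makes the diagnostic point visible: the catch-all `nat (insidevoice) 1` rule matches every packet leaving insidevoice, and because the only `global 1` lives on outside, packets bound for inside fall into the "no translation group" case until an exemption on insidevoice short-circuits the lookup.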
