We have a site-to-site VPN connection to one of our clients, through which we both access our applications and other resources. Now the client needs to access two of our internal servers, so we have created static NAT on our ASA. They are accessing one server without any issues, but they are not able to connect to the other server. Since it's a VPN tunnel, we haven't blocked any ports and it's open to all traffic. But on their side they have restrictions, and we need to see whether the packets are hitting our ASA or not. Once we observe this, it's easy for us to escalate to them. I tried the packet capture wizard in ASDM, but it's not showing anything. Can anyone tell me how to capture packets related to static NAT? Please let me know if you want any other details.
local 188.8.131.52/24 -->this will get natted to --->184.108.40.206/24 when going in for tunnel
We have created:
static(outside,inside) 220.127.116.11 18.104.22.168 255.255.255.255 working
static(outside,inside) 22.214.171.124 126.96.36.199 255.255.255.255 not working, we need to check whether it's hitting 188.8.131.52
Thanks for your reply. It was a typo in my question; we added the static NAT properly with the "netmask" statement. We have also added NAT for NAT to the client, but in our case we have used global NAT. All other traffic to and fro in the VPN is working fine. My doubt is whether on the client side they have properly opened ports and configured NAT correctly or not. If we capture packets for the respective traffic, we can easily corner the problem. Kindly check this; it would be really helpful if you could guide me towards capturing packets.
Where are you trying to initiate the connection from?
If they are trying to initiate the connection towards your end, and the traffic doesn't reach your end, then there will be nothing on your ASA packet capture.
Please share what you have configured to capture the traffic.
To check if the traffic is reaching the inside interface, just configure an ACL between the source (real IP) and the destination (remote IP), and apply the capture on the inside interface. This will confirm if the traffic is coming inbound towards the inside interface.
To check if the traffic is leaving the inside interface towards the host behind your ASA, configure an ACL between the source (remote IP) and the destination (host real IP), and apply the capture on the inside interface. This will confirm if the traffic is leaving your ASA inside interface towards the host.
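The two checks described in the reply above, combined into one capture on the inside interface. This is an added ASA CLI example, not part of the original thread; the capture/ACL name `CAP_INSIDE` and both addresses are constructed placeholders (192.0.2.10 stands for the host's real IP, 198.51.100.20 for the remote IP).

```cisco
! Constructed placeholders: 192.0.2.10 = host real IP, 198.51.100.20 = remote IP.
! Check 1: source (real IP) -> destination (remote IP),
!          traffic coming inbound towards the inside interface.
access-list CAP_INSIDE extended permit ip host 192.0.2.10 host 198.51.100.20
! Check 2: source (remote IP) -> destination (host real IP),
!          traffic leaving the inside interface towards the host.
access-list CAP_INSIDE extended permit ip host 198.51.100.20 host 192.0.2.10

! Apply the capture on the inside interface, filtered by the ACL above.
capture CAP_INSIDE interface inside access-list CAP_INSIDE

! Ask the client to retry the connection, then inspect what was captured.
show capture CAP_INSIDE

! Remove the capture and its ACL once the test is done.
no capture CAP_INSIDE
clear configure access-list CAP_INSIDE
```

If `show capture` lists no packets for the second entry while the client is testing, their traffic did not make it through to the inside interface, which is the case the reply describes.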