When connecting from a.a.0.0 net to v.v.v.0 net natting occurs as expected (Good)
When connecting from a.b.0.0 net to v.v.v.0 net natting occurs as expected (Good)
When connecting from y.y.y.0 net to z.z.z.0 net no natting occurs as expected (Good)
When connecting from a.a.0.0 net to z.z.z.0 net no natting occurs as expected (Good)
When connecting from a.b.0.0 net to z.z.z.0 net no natting occurs, as expected, but the connection does not work. When attempting this connection I get the following error messages in the logfile (Not Good):
%PIX-6-302013: Built outbound TCP connection XXXXX for dmz:z.z.z.100/<dport> (z.z.z.100/<dport>) to inside:a.b.0.100/<sport> (a.b.0.100/<sport>)
%PIX-3-106011: Deny inbound (No xlate) tcp src inside:z.z.z.100/<dport> dst inside:a.b.0.100/<sport>
%PIX-6-302014: Teardown TCP connection XXXXX for dmz:z.z.z.100/<dport> to inside:a.b.0.100/<sport> duration 0:02:01 bytes 0 SYN Timeout
What is questionable about this to me is that on the "Deny inbound" message the src and dst are listed as inside, when I expect to see the src defined as dmz and the dst as inside, while the other related messages seem to be correct.
In any case, I cannot establish connections between these two networks, but the a.a.0.0 network works flawlessly.
tcpdump shows the traffic reaching the correct network, but it seems that the 3WH never completes (hence the SYN Timeout).
Nat 0 forces nat to not occur for traffic defined by the ACL.
You are correct. It turned out to be a routing issue. The next hop internal router did not have the correct routes, which was causing the traffic to get re-routed to the PIX, the PIX being the default router for the next hop internal router.
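As an added example (not part of the thread above, and not Cisco code), the following Python script turns the diagnosis in this thread into a repeatable check over PIX syslog: it pairs each 302013 "Built" message with a 106011 "Deny inbound (No xlate)" and a 302014 "Teardown ... SYN Timeout" for the same 5-tuple, then flags the case where the deny's src and dst interfaces are identical. That is the symptom described here: the DMZ host's SYN-ACK arrived back on the inside interface instead of dmz, which points at the return path (the internal router's routes) rather than at NAT. The log lines are constructed from the message formats quoted in the thread, with RFC 5737 documentation addresses in place of the masked ones; the interface names dmz and inside are taken from the thread.

```python
import re

# Constructed sample syslog (not from the original thread). Connection 12345 shows the
# failure pattern from the thread; connection 12346 is a healthy one for contrast.
SAMPLE_LOG = """\
%PIX-6-302013: Built outbound TCP connection 12345 for dmz:198.51.100.100/22 (198.51.100.100/22) to inside:192.0.2.100/41000 (192.0.2.100/41000)
%PIX-3-106011: Deny inbound (No xlate) tcp src inside:198.51.100.100/22 dst inside:192.0.2.100/41000
%PIX-6-302014: Teardown TCP connection 12345 for dmz:198.51.100.100/22 to inside:192.0.2.100/41000 duration 0:02:01 bytes 0 SYN Timeout
%PIX-6-302013: Built outbound TCP connection 12346 for dmz:198.51.100.100/22 (198.51.100.100/22) to inside:10.0.0.100/41001 (10.0.0.100/41001)
%PIX-6-302014: Teardown TCP connection 12346 for dmz:198.51.100.100/22 to inside:10.0.0.100/41001 duration 0:00:05 bytes 4120 TCP FINs
"""

# Message formats follow the three lines quoted in the thread.
BUILT = re.compile(
    r"%PIX-6-302013: Built (?P<dir>inbound|outbound) TCP connection (?P<id>\d+) "
    r"for (?P<if1>\w+):(?P<ip1>[\d.]+)/(?P<p1>\d+) \([\d.]+/\d+\) "
    r"to (?P<if2>\w+):(?P<ip2>[\d.]+)/(?P<p2>\d+) \([\d.]+/\d+\)"
)
DENY = re.compile(
    r"%PIX-3-106011: Deny inbound \(No xlate\) (?P<proto>\w+) "
    r"src (?P<sif>\w+):(?P<sip>[\d.]+)/(?P<sport>\d+) "
    r"dst (?P<dif>\w+):(?P<dip>[\d.]+)/(?P<dport>\d+)"
)
TEARDOWN = re.compile(
    r"%PIX-6-302014: Teardown TCP connection (?P<id>\d+) "
    r"for (?P<if1>\w+):(?P<ip1>[\d.]+)/(?P<p1>\d+) "
    r"to (?P<if2>\w+):(?P<ip2>[\d.]+)/(?P<p2>\d+) "
    r"duration (?P<dur>\S+) bytes (?P<bytes>\d+) (?P<reason>.+)$"
)


def analyze(log_text):
    """Return one finding per connection that timed out with 0 bytes and has a
    matching 'No xlate' deny. same_interface=True means the reply packet entered
    on the interface the firewall already associates with the client, i.e. the
    return path bypassed the expected interface (a routing problem, not NAT)."""
    conns = {}      # connection id -> parsed 302013 fields
    denies = []     # parsed 106011 fields, in order seen
    findings = []
    for line in log_text.splitlines():
        m = BUILT.search(line)
        if m:
            conns[m["id"]] = m.groupdict()
            continue
        m = DENY.search(line)
        if m:
            denies.append(m.groupdict())
            continue
        m = TEARDOWN.search(line)
        if not m or m["reason"].strip() != "SYN Timeout" or m["bytes"] != "0":
            continue
        # The deny logs the dropped reply: src is the server side of the teardown,
        # dst is the client side, so the 5-tuple lines up directly.
        for d in denies:
            if (d["sip"], d["sport"], d["dip"], d["dport"]) != (m["ip1"], m["p1"], m["ip2"], m["p2"]):
                continue
            built = conns.get(m["id"], {})
            findings.append({
                "conn_id": m["id"],
                "server": f'{d["sip"]}/{d["sport"]}',
                "client": f'{d["dip"]}/{d["dport"]}',
                "expected_ingress": built.get("if1", "?"),   # interface the server sits behind
                "actual_ingress": d["sif"],                   # interface the reply arrived on
                "same_interface": d["sif"] == d["dif"],
            })
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        verdict = "return path does not traverse the expected interface; check next-hop routes" \
            if f["same_interface"] else "reply dropped on a different interface; check NAT rules"
        print(f'conn {f["conn_id"]} {f["server"]} -> {f["client"]}: '
              f'expected {f["expected_ingress"]}, got {f["actual_ingress"]}: {verdict}')
```

Run against a real PIX log the same way (read the file instead of `SAMPLE_LOG`); the healthy connection 12346 produces no finding because its teardown reason is not a SYN timeout.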