The problem is resolved for NAT... Now one more issue came up, i.e. if we have an ACL nonatinside for icmp permit any any in the ACL created for nat 0, then the inside addresses are not NATing, but as soon as we remove the icmp permit ACL from the nonatinside access-group it starts working for me.....
access-list testing extended permit ip object-group inside-users object-group mpls-destination
access-list nonatinside extended permit ip host 10.223.144.1 host 10.192.10.1
access-list nonatinside extended permit icmp any any echo
access-list nonatinside extended permit icmp any any echo-reply
Now the scenario is that we have 2 different locations. When 1 site communicates with the other site, the traffic shouldn't be NATed as it goes through Metro Ethernet. But when the inside user needs to access the traffic that is on the internet, it should be NATed.
What happens is that the traffic for the internet host doesn't get NATed... To get it NATed I need to place a deny ACL above the icmp ACL in nonatinside for that particular internet destination. This shouldn't happen, as there is a default deny at the end of the ACL; if the traffic doesn't match, it should get NATed to go to the outside internet host on mpls. But as soon as I remove the icmp ACLs from the nonatinside ACL everything works fine....
So my question is: is it the icmp ACL which is creating the problem? I know that the icmp ACL is not required in the nonatinside ACL, but still, as it's for icmp, it shouldn't affect the IP traffic.