Cisco Support Community

traffic between same sec-level interfaces on ASA and NAT issue

Hi,

I'm having a little problem with getting traffic to flow out of a 3rd interface on my Cisco ASA.

I have my networks set up like this.

inside (sec-100)- internal lan

outside(sec-0)- public / internet

WAN (sec-100) - ethernet link to MPLS network to remote offices (ISP assigned private address)

OK so I'm getting confused with my NAT rules here. The routing is fine. The IP scheme of the network is as follows.

10.216.12.x /24 - inside

203.x.x.x /30 - outside

10.226.x.x /30 -WAN

(MPLS NETWORK)

10.226.x.x /30 - WAN interface at remote sites

inside interfaces at remote sites 10.216.x.0 /24 (x being different numbers); each router has static routes (10.216.x.0 /24) to each other's WAN interface.

All sites can route between one another fine.

I can ping from the ASA out of the WAN interface to any device, although when trying to make connections to hosts using VNC for example, I will see these debug errors.

6 Dec 17 2007 16:09:01 305011 10.216.12.145 10.224.33.146 Built dynamic TCP translation from inside:10.216.12.145/2598 to TMP-WAN(inside_nat_outbound):10.224.33.146/1027

6 Dec 17 2007 16:09:01 302013 10.216.12.145 10.216.32.101 Built inbound TCP connection 663 for inside:10.216.12.145/2598 (10.224.33.146/1027) to TMP-WAN:10.216.32.101/5900 (10.216.32.101/5900)

6 Dec 17 2007 16:09:06 305012 10.216.12.145 10.216.12.222 Teardown dynamic TCP translation from inside:10.216.12.145/2596 to inside(inside_nat_outbound):10.216.12.222/1134 duration 0:01:00

6 Dec 17 2007 16:09:06 305012 10.216.12.145 10.216.12.222 Teardown dynamic TCP translation from inside:10.216.12.145/2597 to inside(inside_nat_outbound):10.216.12.222/1135 duration 0:01:00

I am guessing a NAT issue. Can someone clarify what NAT rules I should have on the 3 interfaces and show examples, because I really suck with NAT commands and get confused easily.

I used ASDM to set this router up, and now there's a bunch of random ACLs I can see in the config which I am not sure what they are doing there. Here is the relevant config; can someone please advise what could be stopping traffic across the WAN link (but allowing ping)?

note: 10.216.132.x 136.x and 140.x are site to site VPNs if anyone is wondering why they are in there.

ANY INSIGHT would be greatly appreciated.

Thanks.
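One way to lay out the NAT rules for this three-interface design, as an added example that is not part of the original post and not a Cisco-provided answer. It assumes a pre-8.3 ASA (nat/global syntax, consistent with the 2007 log lines) and uses the interface names that appear in the log (inside, outside, TMP-WAN). The 10.216.0.0/16 summary for the remote LANs and the ACL names are assumptions to adjust to the real config. The reasoning behind it: the log shows inside hosts being PAT'd to 10.224.33.146 as they leave TMP-WAN through the ASDM-generated inside_nat_outbound policy NAT, while the remote routers only carry static routes for 10.216.x.0/24, so replies addressed to the translated address may never find their way back.

```cisco
! Added example (not the poster's config); assumes a pre-8.3 ASA with interfaces
! named inside, outside and TMP-WAN, as seen in the log lines above.
!
! 1. inside and TMP-WAN are both security level 100. Traffic between two
!    same-security interfaces is dropped unless this is explicitly permitted.
same-security-traffic permit inter-interface
!
! 2. NAT exemption (nat 0) for site-to-site traffic. NAT exemption is evaluated
!    before any other NAT rule, so it overrides the existing inside_nat_outbound
!    policy NAT for these flows and the remote sites see the real 10.216.12.x
!    source address. 10.216.0.0/16 is an assumed summary of the remote LANs.
!    Only one nat 0 ACL is accepted per interface: if an exemption ACL for the
!    10.216.132.x / 136.x / 140.x VPN subnets already exists, add this entry to
!    that ACL rather than defining a second one, which would replace it.
access-list inside_nat0_outbound extended permit ip 10.216.12.0 255.255.255.0 10.216.0.0 255.255.0.0
nat (inside) 0 access-list inside_nat0_outbound
!
! 3. Dynamic PAT stays for Internet-bound traffic only: the global is bound to
!    outside, so nothing leaving through TMP-WAN picks it up.
nat (inside) 1 10.216.12.0 255.255.255.0
global (outside) 1 interface
!
! 4. With no ACL on TMP-WAN, the same-security rule in step 1 also lets remote
!    sites open connections towards inside. To limit that to the known site LANs
!    (constructed example), apply an inbound ACL on TMP-WAN.
access-list TMP-WAN_access_in extended permit ip 10.216.0.0 255.255.0.0 10.216.12.0 255.255.255.0
access-group TMP-WAN_access_in in interface TMP-WAN
```

After applying, `clear xlate` so the stale dynamic translations from the log are dropped, then `show xlate` should no longer list inside hosts mapped to 10.224.33.146 for remote-site destinations. On an ASA image that has it, `packet-tracer input inside tcp 10.216.12.145 2598 10.216.32.101 5900` walks the same VNC flow as the log and reports which NAT rule and ACL each phase matches, which is the quickest way to confirm that the exemption, and not the policy NAT, is being hit.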
