topic Static policy nat problem in Network Security

Static policy nat problem

the-kamikaze — Tue, 12 Mar 2019 00:52:28 GMT

Hi All

I have an issue where I am trying to nat the ip address of a server on my inside network "only" when connecting to a server at the other end of a vpn.

I have come up with the config below, and this works fine outbound, vpn is up and I can initiate connecections to the remote server and it is natted, and if I connect to a public address it translates to the interface as it should.

However if the remote server tries to connect to the inside server on the nat address, it doesn't work. Now at the moment I'm not sure if its because I've misconfigured my end or the 3rd party has misconfigured their end (I've no access to their config).

Should the nat config below translate in both directions? or do I need to do anything else? I'd really appreciate confirmation that the below is correct/incorrect.

ASA 5520 Software Version 8.4(4)1

inside server:- 192.168.3.81

inside server nat:- 172.20.0.1

remote server:- 10.149.1.31

object network obj-sql06

host 192.168.3.81

description server on insde network

object network obj-s-nat-source-address-for-sql06-to-saffron-server

host 172.20.0.1

description nat address used when connecting to remote Server

object network obj-s-nat-saffron-server

host 10.149.1.31

description remote server address

nat (inside,outside) source static obj-sql06 obj-s-nat-source-address-for-sql06-to-saffron-server destination static obj-s-nat-saffron-server obj-s-nat-saffron-server

Regards

Chris

Static policy nat problem

Michal Garcarz — Fri, 25 Jan 2013 17:11:56 GMT

Yes, that rule is bidirectional - you do not need to configure any more nat.

Did you try to capture received traffic ? Maybe on the other site when remote server initiating connection traffic is leaving untranslated or translated to different IP than you expect (obj-s-nat-saffron-server) ?

What do you see in logs ?

---

Michal

Static policy nat problem

the-kamikaze — Fri, 25 Jan 2013 17:18:17 GMT

Thanks for that, I'll have to do some more investigtation. They aren't doing any nat translation at their end (I hope)

The bloke at the other end had to dash off, so we are going to do some more testing monday, I was just worried it was the nat at my end, but if its bidirectional then it shouldn't be, so that sets my mind at rest.

Hopefully they've just got a rule wrong somewhere, and will be easily fixed, routing should be ok as i get replies when I ping the saffron server

I shall let you know how I get on.

Static policy nat problem

the-kamikaze — Tue, 29 Jan 2013 16:48:32 GMT

Got it working. Not quite sure why it wasn't in the first place but removeing the nat config and reinstating it fixed it. The bloke at the other end swears he never changed anything as well.

Thanks very much for your help.