https://community.cisco.com/t5/network-security/nat-problem/m-p/1098478#M893370 <HTML><HEAD></HEAD><BODY><P>This is the correct remote site before i used examples of ip addresses.</P></BODY></HTML> Wed, 19 Nov 2008 12:56:25 GMT michalis1234 2008-11-19T12:56:25Z https://community.cisco.com/t5/network-security/nat-problem/m-p/1098470#M893336 <P>Hi, I have a problem i have a server (10.20.2.20) on the dmz1 interface of a remote site, but i can not access it from the inside interface. I have posted all the nat rules configured on the firewall asa 5510 7.2 ver. Thus remote ite is connected to our hq with site to site vpn. Hence 10.20.1.0 network must be on the nat 0 rule but how will the inside 10.20.1.0 access 10.20.2.0 network and at the same time our hq through the vpn?</P><P>Thank you...</P><P></P><P></P><P>access-list test extended permit ip any any </P><P></P><P>nat-control</P><P></P><P>global (outside) 1 interface</P><P></P><P>nat (inside) 0 access-list test</P><P>nat (inside) 1 10.20.1.0 255.255.255.0</P><P></P><P>static (inside,outside) tcp 192.168.1.2 https 10.20.1.240 https netmask 255.255.255.255 </P><P>static (inside,outside) tcp 192.168.1.2 www 10.20.1.240 www netmask 255.255.255.255 </P><P>static (inside,dmz1) 10.20.1.20 10.20.1.20 netmask 255.255.255.255 </P><P>static (inside,dmz1) 10.20.1.21 10.20.1.21 netmask 255.255.255.255 </P><P>static (inside,dmz1) 10.20.1.22 10.20.1.22 netmask 255.255.255.255 </P><P>static (inside,dmz1) 10.20.1.23 10.20.1.23 netmask 255.255.255.255 </P><P></P><P>access-group OUTSIDE in interface outside</P><P>access-group INSIDE in interface inside</P><P>access-group DMZ1 in interface dmz1</P> Mon, 11 Mar 2019 14:15:07 GMT https://community.cisco.com/t5/network-security/nat-problem/m-p/1098470#M893336 michalis1234 2019-03-11T14:15:07Z https://community.cisco.com/t5/network-security/nat-problem/m-p/1098471#M893342 <HTML><HEAD></HEAD><BODY><P>Is the config you posted for the HQ or remote site, as you state "Hi, I have a problem i have a server (10.20.2.20) on the dmz1" but the config states "static (inside,dmz1) 10.20.1.20 10.20.1.20 netmask 255.255.255.255"</P><P></P><P>Differenet 3rd octets??</P></BODY></HTML> Wed, 19 Nov 2008 10:44:42 GMT https://community.cisco.com/t5/network-security/nat-problem/m-p/1098471#M893342 andrew.prince 2008-11-19T10:44:42Z https://community.cisco.com/t5/network-security/nat-problem/m-p/1098472#M893347 <HTML><HEAD></HEAD><BODY><P>The config is for the remote site,</P><P>I have tried as well the statement</P><P>static (inside,dmz1) 10.20.2.20 10.20.2.20 netmask 255.255.255.255</P><P>But it does not work!!!</P></BODY></HTML> Wed, 19 Nov 2008 11:45:09 GMT https://community.cisco.com/t5/network-security/nat-problem/m-p/1098472#M893347 michalis1234 2008-11-19T11:45:09Z https://community.cisco.com/t5/network-security/nat-problem/m-p/1098473#M893350 <HTML><HEAD></HEAD><BODY><P>Firstly</P><P></P><P></P><P>1) You nat statements look the wrong way around, change to:-</P><P></P><P>static (dmz1,inside) 10.20.2.20 10.20.2.20 netmask 255.255.255.255</P><P></P><P>2) What is the IP subnet of the HQ site?</P><P>3) You have to make sure the remote DMZ IP subnet is in the VPN encryption domains</P><P>4) You have to make sure the remote DMZ IP subnet is in the no-nat VPN statements.</P><P></P><P></P><P>Check the above.</P><P></P><P><HTH></HTH></P></BODY></HTML> Wed, 19 Nov 2008 11:48:54 GMT https://community.cisco.com/t5/network-security/nat-problem/m-p/1098473#M893350 andrew.prince 2008-11-19T11:48:54Z https://community.cisco.com/t5/network-security/nat-problem/m-p/1098474#M893352 <HTML><HEAD></HEAD><BODY><P>1) i did it.</P><P>2) 192.x.x.x is the ip addressing of the hq site.</P><P>3)?</P><P>4) i did that as well</P><P>it did not work.</P><P></P></BODY></HTML> Wed, 19 Nov 2008 12:11:47 GMT https://community.cisco.com/t5/network-security/nat-problem/m-p/1098474#M893352 michalis1234 2008-11-19T12:11:47Z https://community.cisco.com/t5/network-security/nat-problem/m-p/1098475#M893357 <HTML><HEAD></HEAD><BODY><P>Can you post the full config for review - remove sensitive information.</P></BODY></HTML> Wed, 19 Nov 2008 12:17:32 GMT https://community.cisco.com/t5/network-security/nat-problem/m-p/1098475#M893357 andrew.prince 2008-11-19T12:17:32Z https://community.cisco.com/t5/network-security/nat-problem/m-p/1098476#M893361 <HTML><HEAD></HEAD><BODY><P></P><P>!</P><P>interface Ethernet0/0</P><P> 'outside' vlan port</P><P> nameif outside</P><P> security-level 0</P><P> ip address x.x.x.1 255.255.255.0 </P><P>!</P><P>interface Ethernet0/1</P><P> 'inside' vlan port</P><P> nameif inside</P><P> security-level 100</P><P> ip address 10.8.1.254 255.255.255.0 </P><P>!</P><P>interface Ethernet0/2</P><P> vlan port</P><P> nameif dmz1</P><P> security-level 50</P><P> ip address 10.8.2.253 255.255.255.0 </P><P></P><P></P><P>access-list inside_nat0_outbound extended permit ip any 10.8.10.0 255.255.255.128 </P><P>access-list inside_nat0_outbound extended permit ip any 192.168.0.0 255.255.255.0 </P><P>access-list inside_nat0_outbound extended permit ip any 10.0.0.0 255.255.255.0 </P><P>access-list inside_nat0_outbound extended permit ip 10.8.1.0 255.255.255.0 10.8.10.0 255.255.255.128 </P><P>access-list inside_nat0_outbound extended permit ip object-group Local-Network object-group xxxxxk </P><P>access-list inside_nat0_outbound extended permit ip 10.8.1.0 255.255.255.0 10.8.2.0 255.255.255.0 </P><P>access-list inside_nat0_outbound extended permit ip any 192.168.121.0 255.255.255.0 </P><P> </P><P>access-list outside_access_in extended permit icmp any any </P><P>access-list outside_access_in extended permit tcp any object-group SMTP-HTTPS-HTTP host 192.168.1.2 </P><P>access-list outside_cryptomap_20 extended permit ip object-group Local-Network object-group xxxxx </P><P>access-list outside_cryptomap_20 extended permit ip object-group Local-Network host x.x.x.1 </P><P>access-list dmz1_nat0_outbound extended permit ip any 10.0.0.0 255.255.255.0 </P><P>access-list inside_nat0_outbound_dyn_vpn extended permit ip 10.8.1.0 255.255.255.0 10.8.10.0 255.255.255.0 </P><P>access-list DMZ1_INSIDE extended permit ip host 10.8.2.250 host 10.8.1.239 </P><P>access-list DMZ1_INSIDE extended permit ip host 10.8.2.250 host 10.8.1.240 </P><P>access-list DMZ1_INSIDE extended permit ip host 10.8.2.250 host 10.8.1.236 </P><P>access-list DMZ1_INSIDE extended permit ip host 10.8.2.250 host 10.8.1.237 </P><P>access-list OUTSIDE_IN extended permit tcp any any eq smtp </P><P>access-list OUTSIDE_IN extended permit tcp any any eq https </P><P>access-list OUTSIDE_IN extended permit tcp any any eq www </P><P>access-list OUTSIDE_IN extended permit tcp any any eq 1801 </P><P>access-list OUTSIDE_IN extended permit ip host x.x.x.x any </P><P>access-list INSIDE_ACCESS_IN extended permit ip host 10.8.1.236 any </P><P>access-list INSIDE_ACCESS_IN extended permit ip host 10.8.1.237 any </P><P>access-list INSIDE_ACCESS_IN extended permit ip host 10.8.1.240 any </P><P>access-list INSIDE_ACCESS_IN extended permit ip host 10.8.1.4 any </P><P>access-list INSIDE_ACCESS_IN extended permit ip host 10.8.1.156 any </P><P>access-list INSIDE_ACCESS_IN extended deny tcp any any eq smtp </P><P>access-list INSIDE_ACCESS_IN extended permit ip any any </P><P>access-list INSIDE_ACCESS_IN extended permit ip host 10.8.1.200 any </P><P>access-list INSIDE_ACCESS_IN extended permit ip host 10.8.1.239 host 10.8.2.250 log </P><P>access-list xxxxx extended permit ip any any </P><P>pager lines 24</P><P>logging enable</P><P>logging timestamp</P><P>logging monitor debugging</P><P>logging trap informational</P><P>logging asdm informational</P><P>logging host outside x.x.x.x</P><P>mtu outside 1500</P><P>mtu inside 1500</P><P>mtu dmz1 1500</P><P>mtu management 1500</P><P></P><P>icmp permit any outside</P><P>asdm image disk0:/asdm512-k8.bin</P><P>no asdm history enable</P><P>arp timeout 14400</P><P>nat-control</P><P>global (outside) 1 interface</P><P>nat (inside) 0 access-list xxxxx</P><P>nat (inside) 1 10.8.1.0 255.255.255.0</P><P>static (inside,outside) tcp 192.168.1.2 https 10.8.1.240 https netmask 255.255.255.255 </P><P>static (inside,outside) tcp 192.168.1.2 www 10.8.1.240 www netmask 255.255.255.255 </P><P>static (inside,dmz1) 10.8.1.239 10.8.1.239 netmask 255.255.255.255 </P><P>static (inside,dmz1) 10.8.1.240 10.8.1.240 netmask 255.255.255.255 </P><P>static (inside,dmz1) 10.8.1.236 10.8.1.236 netmask 255.255.255.255 </P><P>static (inside,dmz1) 10.8.1.237 10.8.1.237 netmask 255.255.255.255 </P><P>access-group OUTSIDE_IN in interface outside</P><P>access-group INSIDE_ACCESS_IN in interface inside</P><P>access-group DMZ1_INSIDE in interface dmz1</P></BODY></HTML> Wed, 19 Nov 2008 12:37:01 GMT https://community.cisco.com/t5/network-security/nat-problem/m-p/1098476#M893361 michalis1234 2008-11-19T12:37:01Z https://community.cisco.com/t5/network-security/nat-problem/m-p/1098477#M893365 <HTML><HEAD></HEAD><BODY><P>what config is this, the dmz IP range is 10.8.x.x not 10.20.x.x and there is not 192.168 ??</P><P></P><P>Which site is this?</P></BODY></HTML> Wed, 19 Nov 2008 12:53:55 GMT https://community.cisco.com/t5/network-security/nat-problem/m-p/1098477#M893365 andrew.prince 2008-11-19T12:53:55Z https://community.cisco.com/t5/network-security/nat-problem/m-p/1098478#M893370 <HTML><HEAD></HEAD><BODY><P>This is the correct remote site before i used examples of ip addresses.</P></BODY></HTML> Wed, 19 Nov 2008 12:56:25 GMT https://community.cisco.com/t5/network-security/nat-problem/m-p/1098478#M893370 michalis1234 2008-11-19T12:56:25Z