https://community.cisco.com/t5/network-security/nat-working-1-way-but-not-the-other/m-p/852325#M957927 <P>Hey guys.</P><P></P><P>I have an ASA with an outside/inside/DMZ scenario. (TMP-WAN is the DMZ)</P><P></P><P>I've got the global statements working on both the inside and outside interfaces. PAT on the outside works fine. PAT is also on the inside interface as there are a number of other networks that go through the inside interface (another router on the inside lan nwith networks behind it) That also works fine.</P><P></P><P>I have added static NAT statements for the TMP-WAN interface, i can reach every network out that interface, but not the other way around. I get Deny TCP no connection inbound on TMP-WAN errors. I also get TCP reset-O errors immediately back. Here is the config (attached)</P><P></P><P>Any insight would be greatly appreciated. I've tried adding another static NAT rule reversing inside and TMP-WAN but to no avail. thinking there was no translation rule coming back in, but it didn't seem to work or i didn't get the syntax correct. Any help would be great..</P><P></P><P></P><P></P><P> </P><P></P> Wed, 13 Mar 2019 00:55:23 GMT matthew.elliott 2019-03-13T00:55:23Z https://community.cisco.com/t5/network-security/nat-working-1-way-but-not-the-other/m-p/852325#M957927 <P>Hey guys.</P><P></P><P>I have an ASA with an outside/inside/DMZ scenario. (TMP-WAN is the DMZ)</P><P></P><P>I've got the global statements working on both the inside and outside interfaces. PAT on the outside works fine. PAT is also on the inside interface as there are a number of other networks that go through the inside interface (another router on the inside lan nwith networks behind it) That also works fine.</P><P></P><P>I have added static NAT statements for the TMP-WAN interface, i can reach every network out that interface, but not the other way around. I get Deny TCP no connection inbound on TMP-WAN errors. I also get TCP reset-O errors immediately back. Here is the config (attached)</P><P></P><P>Any insight would be greatly appreciated. I've tried adding another static NAT rule reversing inside and TMP-WAN but to no avail. thinking there was no translation rule coming back in, but it didn't seem to work or i didn't get the syntax correct. Any help would be great..</P><P></P><P></P><P></P><P> </P><P></P> Wed, 13 Mar 2019 00:55:23 GMT https://community.cisco.com/t5/network-security/nat-working-1-way-but-not-the-other/m-p/852325#M957927 matthew.elliott 2019-03-13T00:55:23Z https://community.cisco.com/t5/network-security/nat-working-1-way-but-not-the-other/m-p/852326#M957931 <HTML><HEAD></HEAD><BODY><P>I'm not sure if you need all networks on INSIDE and TMP-WAN to communicate but go ahead and edit this as needed.</P><P></P><P>no static (TMP-WAN,inside) 10.216.32.0 10.216.32.0 netmask 255.255.255.0 </P><P></P><P>object-group network TMP-WAN</P><P> network-object 10.216.24.0 255.255.255.0</P><P> network-object 10.216.28.0 255.255.255.0</P><P> network-object 10.216.32.0 255.255.255.0</P><P> network-object 10.224.0.0 255.248.0.0</P><P> network-object 10.216.24.0 255.255.255.0</P><P> network-object 10.216.2.0 255.255.255.252</P><P> network-object 10.216.28.0 255.255.255.0</P><P> network-object 10.216.32.0 255.255.255.0</P><P></P><P>object-group network INSIDE</P><P> network-object 10.216.132.0 255.255.255.0</P><P> network-object 10.216.136.0 255.255.255.0</P><P> network-object 10.216.140.0 255.255.255.0</P><P> network-object 10.216.20.0 255.255.255.0</P><P> network-object 10.216.16.0 255.255.255.0</P><P> network-object 10.216.14.0 255.255.255.0</P><P> network-object 10.216.1.0 255.255.255.0</P><P> network-object 10.216.69.0 255.255.255.0</P><P> network-object 10.216.10.0 255.255.255.0</P><P></P><P>access-list INSIDE-TO-TMP-WAN permit ip object-group INSIDE object-group TMP-WAN</P><P></P><P>nat (inside) 0 access-list INSIDE-TO-TMP-WAN</P><P></P><P>access-list TMP-WAN_nat0_outbound permit ip object-group TMP-WAN object-group INSIDE</P><P></P><P>clear xlate</P><P></P></BODY></HTML> Fri, 28 Dec 2007 18:03:24 GMT https://community.cisco.com/t5/network-security/nat-working-1-way-but-not-the-other/m-p/852326#M957931 palomoj 2007-12-28T18:03:24Z https://community.cisco.com/t5/network-security/nat-working-1-way-but-not-the-other/m-p/852327#M957936 <HTML><HEAD></HEAD><BODY><P>One thing to add you can clean up your config by doing dynamic routing either ospf or eigrp with the inside router and the ASA.</P></BODY></HTML> Sat, 29 Dec 2007 16:14:36 GMT https://community.cisco.com/t5/network-security/nat-working-1-way-but-not-the-other/m-p/852327#M957936 bob.bartlett 2007-12-29T16:14:36Z