topic ASA NAT problem? in Network Security

ASA NAT problem?

cmpiontek — Mon, 11 Mar 2019 11:01:40 GMT

I have two interfaces that I am trying to communicate. VPNaccess is security level 100 and DMZ-50 is a SL50. Default rules. Below are the NATs currently in place. When I try to ping 172.16.50.21 I get the following 305005 No translation group for icmp src VPNaccess:CyndiWS dst DMZ-50:syslog1.

when I try to ping 10.11.2.121 - nothing

TAC told me to put in 'static (VPNaccess,DMZ-50) 10.0.0.0 10.0.0.0'

that didn't work either.

Any ideas?

interface Ethernet0/2

description vpn access for technicians

nameif VPNaccess

security-level 100

ip address 10.11.2.111 255.255.255.0

interface Ethernet0/3

description Logging servers

nameif DMZ-50

security-level 50

ip address 172.16.50.1 255.255.255.0

name 172.16.50.21 syslog1

name 10.31.103.86 CyndiWS

nat-control

global (outside) 15 66.x.x.190 netmask 255.255.255.255

global (inside) 5 172.16.11.190 netmask 255.255.255.255

global (VPNaccess) 10 10.11.2.120 netmask 255.255.255.255

global (DMZ-50) 20 172.16.50.2 netmask 255.255.255.255

static (DMZ-50,outside) 66.x.x.132 inspector netmask 255.255.255.255

static (DMZ-50,VPNaccess) 10.11.2.121 syslog1 netmask 255.255.255.255

static (VPNaccess,DMZ-50) 10.0.0.0 10.0.0.0 netmask 255.0.0.0

Re: ASA NAT problem?

rigoberto.cintron — Thu, 23 Aug 2007 13:38:50 GMT

Try using this static instead of the one the TAC told you:

static (VPNaccess,DMZ-50) 10.11.2.0 10.11.2.0

Re: ASA NAT problem?

acomiskey — Thu, 23 Aug 2007 13:54:25 GMT

That's not the problem. 10.0.0.0/8 and 10.11.2.0/16 would both include the inside host in question.

The problem is you have a destination nat for the host you are pinging in the dmz.

static (DMZ-50,VPNaccess) 10.11.2.121 syslog1 netmask 255.255.255.255

To ping syslog1 via it's dmz address (172.16.50.21) you would have to remove that destination nat.

Otherwise you have to ping it by 10.11.2.121.

The static that TAC gave you will allow you to ping any other dmz address.

Please rate helpfulp posts.

Re: ASA NAT problem?

cmpiontek — Thu, 23 Aug 2007 14:09:34 GMT

OK, so i removed the static 10.11.2.121 and ping 172.16.50.21 and it works.

I put the static back in and ping 10.11.2.121 and the packet doesn't go through. I have scopes on both sides and it is never presented in the DMZ. Should it work that way?

Re: ASA NAT problem?

acomiskey — Thu, 23 Aug 2007 14:17:46 GMT

"OK, so i removed the static 10.11.2.121 and ping 172.16.50.21 and it works."

-Good.

"I put the static back in and ping 10.11.2.121 and the packet doesn't go through."

-Did you try a clear xlate?

"I have scopes on both sides and it is never presented in the DMZ. Should it work that way?"

-Could you explain what you mean?

Re: ASA NAT problem?

hsajwan — Thu, 23 Aug 2007 20:01:57 GMT

Make sure 10.11.2.121 is not used by any machine in vpnaccess interface. 10.11.2.121 has to be a free public IP address, otherwise when you try to ping 10.11.2.121, the packets may go to the actual machine rather than going to the PIX.

If if it is indeed a free IP address, then do "debug icmp trace" or collect syslogs as you try to ping 10.11.2.121 and see if the ICMP requests are even reaching the PIX or not.