ASA ping / ASDM access over NAT VPN

Geoffrey_J
Level 1

Hi,

I have an ASA firewall with local subnet 10.200.240.0/24.

ASA interface is 10.200.240.10.

There is a VPN tunnel between 10.253.0.0/24 (remote) and 10.252.98.192/26 (local NAT) terminated at the ASA.

1-to-1 static NAT is configured between 10.252.98.192/26 and the local subnet 10.200.240.0/24 to make servers reachable. NAT is needed because of an IP conflict.

I cannot ping or reach ASDM when coming from the 10.253.0.0/24 subnet to the ASA interface 10.200.240.10. Other NAT servers are reachable.

Interface GigabitEthernet0/1 "LAN_backend", is up, line protocol is up
  Hardware is hv_netvsc, BW 1000 Mbps, DLY 10 usec
	Auto-Duplex(Full-duplex), Auto-Speed(1000 Mbps)
	Input flow control is unsupported, output flow control is unsupported
	MAC address 000d.3a2d.6b88, MTU 1500
	IP address 10.220.240.10, subnet mask 255.255.255.0

nat (WAN_Frontend,LAN_backend) source static 10.253.0.0 10.253.0.0 destination static 10.252.98.198 10.200.240.10
management-access LAN_backend
http 10.253.0.1 255.255.255.255 LAN_backend

Event log shows the packet is translated well, but I do not receive a response.

4 Replies

Florin Barhala
Level 6
This is interesting enough; I usually perform a capture on "all traffic passed by" interfaces and check traffic values. What does packet tracer say about this?

Hi Florin,

I see the traffic to other servers, but not to the ASA interface.

I have selected packet capture based on ACL:

(attachment: image.png)

Dennis Mink
VIP Alumni

See if I get this right: from your remote site you are pinging 10.252.98.198, which translates to the real IP address of 10.200.240.10?

Can you send the show nat translations output for a server that you can ping and the 10.200.24.10 interface?

Also check your ACL to see if ICMP is allowed; it might not be a NAT issue.

Please remember to rate useful posts, by clicking on the stars below.

Hi Dennis,

That is correct.

NAT translation for the ASA:

show nat translated 10.252.98.198
Manual NAT Policies (Section 1)
5 (WAN_Frontend) to (LAN_backend) source static 10.253.0.0 10.253.0.0  destination static ASA01_TranslatedIP ASA01_RealIP
    translate_hits = 4, untranslate_hits = 4

NAT translation for the other server:

show nat translated 10.252.98.197
Manual NAT Policies (Section 1)
4 (WAN_Frontend) to (LAN_backend) source static 10.253.0.0 10.253.0.0  destination static MGT01_TranslatedIP MGT01_RealIP
    translate_hits = 28, untranslate_hits = 28

ACL:

access-list WAN_Frontend_access_in line 1 extended permit ip 10.253.0.0 255.255.255.0 10.220.240.0 255.255.255.0 (hitcnt=0) 0xcb1ee11f

So I think NAT and ACL should be fine?
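As an added illustration (not code from the thread or from Cisco), the following Python takes the three configuration lines quoted above as constructed input, untranslates a mapped destination the way a twice NAT `destination static` rule does, and checks whether a remote client's source address is covered by an `http` entry on the `management-access` interface. It assumes only those three lines; note that the quoted `http` line permits the single host 10.253.0.1, so ASDM from any other 10.253.0.0/24 address would be refused regardless of NAT.

```python
import ipaddress
import re

# Constructed input: just the three configuration lines quoted in the thread.
ASA_CONFIG = """
nat (WAN_Frontend,LAN_backend) source static 10.253.0.0 10.253.0.0 destination static 10.252.98.198 10.200.240.10
management-access LAN_backend
http 10.253.0.1 255.255.255.255 LAN_backend
"""

# ASA twice NAT: nat (real_ifc,mapped_ifc) source static REAL MAPPED destination static MAPPED REAL
NAT_RE = re.compile(
    r"nat \((?P<real_if>[\w-]+),(?P<mapped_if>[\w-]+)\) source static (?P<src_real>\S+) (?P<src_mapped>\S+)"
    r" destination static (?P<dst_mapped>\S+) (?P<dst_real>\S+)"
)
HTTP_RE = re.compile(r"http (?P<addr>\S+) (?P<mask>\S+) (?P<iface>[\w-]+)")
MGMT_RE = re.compile(r"management-access (?P<iface>[\w-]+)")

def parse_config(text):
    """Collect manual NAT rules, http allow-list entries and the management-access interface."""
    nats, https, mgmt = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if m := NAT_RE.match(line):
            nats.append(m.groupdict())
        elif m := HTTP_RE.match(line):
            net = ipaddress.ip_network(f"{m['addr']}/{m['mask']}", strict=False)
            https.append((net, m["iface"]))
        elif m := MGMT_RE.match(line):
            mgmt = m["iface"]
    return nats, https, mgmt

def untranslate_destination(nats, ingress_if, mapped_dst):
    """Packet arriving on ingress_if: return the real destination the first matching
    'destination static' rule untranslates mapped_dst to (unchanged if no rule matches)."""
    for r in nats:
        if r["real_if"] == ingress_if and r["dst_mapped"] == mapped_dst:
            return r["dst_real"]
    return mapped_dst

def asdm_allowed(https, mgmt, src_ip):
    """ASDM over the tunnel needs management-access on an interface and an http entry
    on that same interface covering the client's source address."""
    src = ipaddress.ip_address(src_ip)
    return mgmt is not None and any(src in net and iface == mgmt for net, iface in https)
```

This only models the NAT untranslation and the ASDM source allow-list; it says nothing about ICMP to the box, which is governed separately by the `icmp` command and the VPN interface-ACL bypass.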
