02-08-2011 04:13 AM - edited 03-11-2019 12:46 PM
Hello,
I am working on an issue with the ASA 8.3(1).
The issue is I have VPN client users connecting to the outside interface. Once they connect they are given an IP range. Now once they connect the VPN there is another interface in the same ASA, DMZ. They aren't able to access the DMZ server. I am posting the related NAT configuration, output from packet-tracer and the log outputs.
NAT config
nat (outside,dmz1) source static CiscoVPNClient CiscoVPNClient destination static obj-192.165.204.128 obj-192.165.204.128
object network RISTKFTP302
nat (dmz1,outside) static RISTKFTP302
object network obj_any-04
nat (dmz1,outside) dynamic obj-0.0.0.0
02-08-2011 12:08 PM
Hello,
Have a look at this document, it should help you find the asymmetric rules:
https://supportforums.cisco.com/docs/DOC-12569
If not, please post a sanitized copy of your NAT configuration ('show run object' and 'show run nat') so we can help you find the overlap.
Hope that helps.
-Mike
02-08-2011 04:57 AM
Try to change the following:
FROM:
nat (outside,dmz1) source static CiscoVPNClient CiscoVPNClient destination static obj-192.165.204.128 obj-192.165.204.128
TO:
nat (dmz1,outside) source static obj-192.165.204.128 obj-192.165.204.128 destination static CiscoVPNClient CiscoVPNClient
Then "clear xlate" after the changes.
02-08-2011 05:28 AM
Hi Jenni,
Thanks for your reply.
But that too didn't work. I have tried with both NAT rules in place and with just one. Still no luck.
Here is the packet tracer output.
packet-tracer input outside tcp 172.31.200.18 1025 192.165.204.181 $
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0xacbf9200, priority=1, domain=permit, deny=false
hits=854450352, user_data=0x0, cs_id=0x0, l3_type=0x8
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0100.0000.0000
input_ifc=outside, output_ifc=any
Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside in interface outside
access-list outside extended permit ip host 172.31.200.18 host 192.165.204.181
Additional Information:
Forward Flow based lookup yields rule:
in id=0xaf9685b0, priority=13, domain=permit, deny=false
hits=20, user_data=0xa907ad00, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=172.31.200.18, mask=255.255.255.255, port=0
dst ip/id=RISTKFTP302, mask=255.255.255.255, port=0, dscp=0x0
input_ifc=outside, output_ifc=any
Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xacc839d0, priority=0, domain=inspect-ip-options, deny=true
hits=6280524, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
input_ifc=outside, output_ifc=any
Phase: 4
Type: FOVER
Subtype: standby-update
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xacd277f0, priority=20, domain=lu, deny=false
hits=222257, user_data=0x0, cs_id=0x0, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
input_ifc=outside, output_ifc=any
Phase: 5
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xad757fb8, priority=13, domain=ipsec-tunnel-flow, deny=true
hits=4898371, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
input_ifc=outside, output_ifc=any
Phase: 6
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
nat (dmz1,outside) source static obj-192.165.204.128 obj-192.165.204.128 destination static CiscoVPNClient CiscoVPNClient
Additional Information:
Forward Flow based lookup yields rule:
out id=0xaee8d2e8, priority=6, domain=nat-reverse, deny=false
hits=2, user_data=0xafc5adf0, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=172.31.200.0, mask=255.255.252.0, port=0
dst ip/id=192.165.204.128, mask=255.255.255.192, port=0, dscp=0x0
input_ifc=outside, output_ifc=dmz1
Result:
input-interface: outside
input-status: up
input-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
02-08-2011 10:37 PM
Hi There,
No words to thank you. I never knew about this behaviour of NAT in the ASA.
Here is the culprit:
nat (inside,any) source static any any destination static CiscoVPNClient CiscoVPNClient
I made it inactive. It works fine now. Thanks again.
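To make the "asymmetric rules" behaviour behind this thread concrete, here is a small Python model of how ASA 8.3+ manual (twice) NAT rules are matched and why the packet-tracer rpf-check phase drops the VPN-to-DMZ flow. This is an added example, not code from the thread or from Cisco, and it deliberately simplifies the ASA: rules are evaluated first-match in list order, each rule is tried in both directions (manual NAT rules are bidirectional), an interface of "any" matches every interface, and the rpf-check passes only when the forward rule's egress agrees with the routed interface and the reverse flow selects the same rule. The object bodies are assumptions reconstructed from the masks in the rpf-check line of the packet-tracer output (CiscoVPNClient as 172.31.200.0/22, obj-192.165.204.128 as a /26), and the culprit rule is assumed to precede the DMZ rule in the configuration.

```python
"""Simplified model of ASA 8.3+ manual NAT matching and the rpf-check (added example)."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed object definitions (assumption: the thread never shows the object
# bodies; masks are taken from the packet-tracer rpf-check line).
OBJECTS = {
    "any": ipaddress.ip_network("0.0.0.0/0"),
    "CiscoVPNClient": ipaddress.ip_network("172.31.200.0/22"),
    "obj-192.165.204.128": ipaddress.ip_network("192.165.204.128/26"),
}

# Parses only the "source static X X destination static Y Y" form used in the thread.
RULE_RE = re.compile(
    r"nat \((?P<ing>[\w-]+),(?P<eg>[\w-]+)\) source static (?P<src>\S+) \S+ "
    r"destination static (?P<dst>\S+) \S+(?P<rest>.*)$"
)


@dataclass
class TwiceNatRule:
    text: str
    ingress: str
    egress: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    active: bool = True

    @classmethod
    def parse(cls, line: str) -> "TwiceNatRule":
        line = line.strip()
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"unsupported NAT line: {line}")
        return cls(line, m["ing"], m["eg"], OBJECTS[m["src"]], OBJECTS[m["dst"]],
                   active="inactive" not in m["rest"].split())

    def egress_for(self, ingress: str, src, dst) -> Optional[str]:
        """Egress interface this rule would select, or None if it does not match.
        The rule is tried in its configured direction and then in reverse."""
        if not self.active:
            return None
        if self.ingress in ("any", ingress) and src in self.src and dst in self.dst:
            return self.egress
        if self.egress in ("any", ingress) and src in self.dst and dst in self.src:
            return self.ingress
        return None


def nat_lookup(rules: List[TwiceNatRule], ingress: str, src, dst):
    """First matching rule in configuration order, with the egress it implies."""
    for rule in rules:
        egress = rule.egress_for(ingress, src, dst)
        if egress is not None:
            return rule, egress
    return None, None


def rpf_check(rules, ingress: str, src: str, dst: str, routed_egress: str) -> Tuple[str, str]:
    """Model of the packet-tracer 'NAT / rpf-check' phase. Returns (verdict, reason)."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    fwd_rule, fwd_egress = nat_lookup(rules, ingress, src, dst)
    if fwd_rule is None:
        return "ALLOW", f"no manual NAT rule matched; routed out {routed_egress}"
    # The NAT rule's egress overrides routing; a mismatch means the flow is sent the wrong way.
    if fwd_egress not in ("any", routed_egress):
        return "DROP", (f"forward flow matched '{fwd_rule.text}', which selects egress "
                        f"{fwd_egress}, but the destination is routed via {routed_egress}")
    # Reverse flow: the DMZ host replying to the VPN client, entering on the routed interface.
    rev_rule, _ = nat_lookup(rules, routed_egress, dst, src)
    if rev_rule is fwd_rule:
        return "ALLOW", f"forward and reverse flows both match '{fwd_rule.text}'"
    return "DROP", (f"asymmetric NAT: forward matched '{fwd_rule.text}', reverse matched "
                    f"'{rev_rule.text if rev_rule else None}'")


def thread_scenario(culprit_active: bool) -> Tuple[str, str]:
    """The thread's flow: VPN client 172.31.200.18 (outside) to DMZ host 192.165.204.181."""
    culprit = "nat (inside,any) source static any any destination static CiscoVPNClient CiscoVPNClient"
    if not culprit_active:
        culprit += " inactive"
    rules = [
        TwiceNatRule.parse(culprit),  # assumption: configured before the DMZ rule
        TwiceNatRule.parse("nat (outside,dmz1) source static CiscoVPNClient CiscoVPNClient "
                           "destination static obj-192.165.204.128 obj-192.165.204.128"),
    ]
    return rpf_check(rules, "outside", "172.31.200.18", "192.165.204.181", "dmz1")


if __name__ == "__main__":
    for active in (True, False):
        verdict, why = thread_scenario(active)
        print(f"culprit active={active}: {verdict} - {why}")
```

With the culprit active, the VPN client's packet never reaches the DMZ rule: read in reverse, "nat (inside,any) source static any any destination static CiscoVPNClient CiscoVPNClient" matches any VPN-client source on any interface going anywhere and points it at inside, so the model reports a DROP before the DMZ rule is consulted. Marking the rule inactive (or moving it after the more specific DMZ rule) lets the (outside,dmz1) rule match in both directions and the flow is allowed. When reviewing manual NAT on an ASA, treat "any" interfaces and "any any" source objects in section 1 rules as the first suspects for this kind of drop.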