Since the 8.3 release, addresses used in ACL have to be untranslated ones.
But it is not compatible with our configuration.
Let me explain:
We have 2 static NAT rules:
- (Static Policy) MyHost is converted to 126.96.36.199 when the destination is X
- (Static) MyHost is converted to 188.8.131.52 for all other destinations
In 8.2.2 we had an ACL which authorized ICMP from X to 184.108.40.206 (X for source and 220.127.116.11 for destination in Access Rule)
Now, in 8.4.2, we have to use MyHost instead of 18.104.22.168. (X for source and MyHost for destination in Access Rule)
The problem is that MyHost automatically corresponds to 22.214.171.124, not 126.96.36.199
So the ICMP is authorized from X to 188.8.131.52, not 184.108.40.206...
Is there any trick to bypass this?
No, in a post-8.3 configuration you only need to use real IPs rather than translated IPs. Could you just explain the complete traffic flow to me, i.e. behind which interface is the source from which you are pinging, and behind which interface is the destination? If need be, I'll suggest the NAT for it.
There are two interfaces: inside and outside
MyHost is a Network Object corresponding to 192.168.1.2.
We have two static NAT rules:
- One which translates MyHost to 220.127.116.11 when the destination of the packet is X [from inside to outside]
- One which translates MyHost to 18.104.22.168 no matter the destination [from inside to outside]
The 22.214.171.124 rule is above the 126.96.36.199 one.
For the Access Rules:
On interface outside (inbound connections):
Permit ICMP from X to 188.8.131.52
Permit SSH from X to 184.108.40.206
Like I said, in 8.4.2 we have to use MyHost instead of 220.127.116.11 in Access Rules, but MyHost automatically corresponds to the 18.104.22.168 translated address.
Try these NAT statements in the same order:
nat (outside,inside) source static X X destination static obj-22.214.171.124 MyHost
nat (outside,inside) source static any any destination static obj-126.96.36.199 MyHost
After this do:
clear local-host 192.168.1.2
and then try again.
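
The setup discussed in this thread, written out end to end as an added example (not part of the original posts): the two twice-NAT rules in order, the post-8.3 ACL that references the real address, and checks that show which NAT rule and ACL entry a given packet hits. All addresses except 192.168.1.2 are constructed from documentation ranges, and the names MyHost-mapped-for-X, MyHost-mapped-default and outside_in are hypothetical.

```cisco
! Constructed sample addresses; only MyHost = 192.168.1.2 comes from the thread.
object network MyHost
 host 192.168.1.2
object network X
 host 198.51.100.10
! Mapped address used only when the peer is X (hypothetical object name)
object network MyHost-mapped-for-X
 host 203.0.113.10
! Mapped address used for every other peer (hypothetical object name)
object network MyHost-mapped-default
 host 203.0.113.20
!
! Twice NAT is evaluated top-down, so the peer-specific rule must come first.
nat (outside,inside) source static X X destination static MyHost-mapped-for-X MyHost
nat (outside,inside) source static any any destination static MyHost-mapped-default MyHost
!
! From 8.3 on, the ACL is checked against the real (untranslated) destination.
access-list outside_in extended permit icmp object X object MyHost
access-list outside_in extended permit tcp object X object MyHost eq ssh
access-group outside_in in interface outside
!
! Drop stale translations and connections for the host before testing.
clear local-host 192.168.1.2
!
! Trace an echo request from X to each mapped address. The UN-NAT phase shows
! which nat line untranslated the packet; the ACCESS-LIST phase shows the
! entry that permitted or denied it.
packet-tracer input outside icmp 198.51.100.10 8 0 203.0.113.10
packet-tracer input outside icmp 198.51.100.10 8 0 203.0.113.20
!
! Hit counters confirm which rules live traffic is matching.
show nat detail
show access-list outside_in
```

Running both traces side by side is the quickest way to see whether a rule written against MyHost also admits traffic addressed to the other mapped address.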