ASA 9.1 NAT configuration assistance

Jim Richards
Level 1

Hello all,

I have a problem I am having trouble solving with a NAT. The scenario goes that I have two ASAs connected via a site-to-site VPN that has a single subnet on the branch side that contains both data and voice devices that need to talk to both the inside (data) and DMZ (voice) subnets at the main location. This part I have working. The phones are up and I am able to talk both data and phones. The problem is I do not manage the voice system, a different contractor does, and they now have lost remote access to the voice. I removed the following, which I think was a leftover from an 8.2 to 9.2 upgrade. That is what got the data and phones working:

object network Phone_System
 nat (voice,outside) static 74.x.x.108

What I am having an issue with is the NAT to replace this and to allow access from the outside interface to the DMZ interface without causing problems with the site-to-site.

interface Vlan1
 nameif inside
 security-level 100
 ip address 172.16.100.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 74.x.x.105 255.255.255.224
!
interface Vlan200
 no forward interface Vlan1
 nameif voice
 security-level 10
 ip address 172.16.200.1 255.255.255.0


object network Phone_System
 host 172.16.200.10


object network Phone_System_External
 host 74.x.x.108


object network LAN-G
 subnet 172.16.110.0 255.255.255.0


object network LAN-S
 subnet 172.16.100.0 255.255.255.0
object network VOICE_S
 subnet 172.16.200.0 255.255.255.0


object-group network Local_S
 network-object object VOICE_S
 network-object object LAN-S


object-group network Remote_G
 network-object object LAN-G


object-group network S
 network-object object LAN-S


object-group service Phone_Service tcp
 port-object eq 3389
 port-object eq citrix-ica
 port-object eq 2598


object-group service Phone_Service_udp udp
 port-object eq 1604


access-list outside_access_in extended permit tcp any object Phone_System_External object-group Phone_Service
access-list outside_access_in extended permit udp any object Phone_System_External object-group Phone_Service_udp


nat (inside,outside) source static Local_S Local_S destination static Remote_G Remote_G no-proxy-arp route-lookup


nat (voice,outside) source static Phone_System Phone_System destination static Phone_System_External Phone_System_External


5 Replies

rizwanr74
Level 7

Hi Jim,

Try these lines please.

Remove these two lines.

no access-list outside_access_in extended permit tcp any object Phone_System_External object-group Phone_Service
no access-list outside_access_in extended permit udp any object Phone_System_External object-group Phone_Service_udp


Apply these two lines instead.


access-list outside_access_in extended permit tcp any object Phone_System object-group Phone_Service
access-list outside_access_in extended permit udp any object Phone_System object-group Phone_Service_udp


Hope this helps.

Thanks

Rizwan Rafeek

Rizwan,

Oh, how I wish it was that easy. I had tried those ACLs in different forms before posting. I did try what you asked and still I cannot ping or RDP to the server from the outside.

I assume your host 172.16.200.10 is located on the voice-dmz interface; if not, you want to change it to inside as "nat (inside,outside) static 74.x.x.108".

You must go under the parent object "object network Phone_System" and then apply the nat statement.

object network Phone_System
 host 172.16.200.10
 nat (voice,outside) static 74.x.x.108

Can you post your whole config?

Hope that helps.

Thanks


And that is where the problem is.

When I add that static NAT to the object:

object network Phone_System
 host 172.16.200.10
 nat (voice,outside) static 74.x.x.108

I can ping it from the outside, but I cannot ping 172.16.200.10 from the branch router, so all phones lose registration because they can no longer reach 172.16.200.10. The 172.16.200.10 is in the DMZ, or should I say 3rd VLAN. The ASA code is not licensed to trunk, so it was set up as different VLANs on different interfaces, AKA DMZ.


I figured it out. The return traffic was being NATed back.

Added:

object network VOICE_S
 subnet 172.16.200.0 255.255.255.0

nat (voice,outside) source static VOICE_S VOICE_S destination static Remote_G Remote_G no-proxy-arp route-lookup


I can now ping from the tunnel and the outside.
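The fix above works because of how the ASA orders its NAT table: manual (twice) NAT in Section 1 is consulted before object (auto) NAT in Section 2, and the crypto map is matched against the translated source. With only the object NAT on the voice interface, the phone system's replies toward the branch are translated to the public address and no longer fall inside the tunnel's Local_S to Remote_G selector; the Section 1 identity rule for (voice,outside) catches that traffic first and leaves it untranslated. The following Python model of that evaluation order is an added example, not something posted in the thread. It uses the thread's subnets and object names; the masked public address 74.x.x.108 is replaced with the documentation placeholder 203.0.113.108, and the branch phone and Internet host addresses are constructed.

```python
"""Model of ASA 8.3+ NAT section ordering (constructed illustration).

Reproduces the thread's symptom: with only the object NAT on the voice
interface, the phone system's replies toward the VPN branch are translated
to the public address and miss the site-to-site crypto selector.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# The page masks the public address as 74.x.x.108; this TEST-NET-3
# placeholder stands in for it.
PHONE_SYSTEM_EXTERNAL = "203.0.113.108"


@dataclass(frozen=True)
class NatRule:
    name: str
    section: int              # 1 = manual (twice) NAT, 2 = object (auto) NAT
    real_if: str              # interface the real address sits behind
    mapped_if: str            # interface the mapped address is seen on
    real_src: str
    mapped_src: str
    real_dst: Optional[str] = None   # None = any destination (object NAT)


def _net(cidr):
    return ipaddress.ip_network(cidr, strict=False)


def _static_translate(addr, real, mapped):
    """1:1 static mapping: keep the host offset inside the mapped block."""
    real_n, mapped_n = _net(real), _net(mapped)
    offset = int(addr) - int(real_n.network_address)
    return ipaddress.ip_address(int(mapped_n.network_address) + offset)


def translate(rules, ingress_if, src_ip, dst_ip):
    """Return (mapped_src, egress_if, rule_name) for a packet arriving on
    ingress_if. Section 1 is evaluated before Section 2; within a section
    the first listed match wins (object NAT's prefix-length ordering is
    omitted, which changes nothing here because the rules do not overlap)."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for rule in sorted(rules, key=lambda r: r.section):   # stable sort
        if rule.real_if != ingress_if or src not in _net(rule.real_src):
            continue
        if rule.real_dst is not None and dst not in _net(rule.real_dst):
            continue
        mapped = _static_translate(src, rule.real_src, rule.mapped_src)
        return str(mapped), rule.mapped_if, rule.name
    return str(src), None, None   # no NAT; routing alone picks the egress


def tunnel_matches(post_nat_src, dst):
    """Crypto selector from the thread: Local_S (LAN-S + VOICE_S) -> Remote_G.
    The ASA matches it on the translated source address."""
    s, d = ipaddress.ip_address(post_nat_src), ipaddress.ip_address(dst)
    local = [_net("172.16.100.0/24"), _net("172.16.200.0/24")]
    return any(s in n for n in local) and d in _net("172.16.110.0/24")


# Rules as posted in the thread. The (inside,outside) rule references Local_S,
# but only its LAN-S member can ever arrive on the inside interface.
OBJECT_NAT_PHONE = NatRule(
    "object network Phone_System / nat (voice,outside) static", 2,
    "voice", "outside", "172.16.200.10/32", PHONE_SYSTEM_EXTERNAL + "/32")
IDENTITY_INSIDE = NatRule(
    "nat (inside,outside) source static Local_S Local_S destination static Remote_G Remote_G",
    1, "inside", "outside", "172.16.100.0/24", "172.16.100.0/24",
    real_dst="172.16.110.0/24")
IDENTITY_VOICE = NatRule(
    "nat (voice,outside) source static VOICE_S VOICE_S destination static Remote_G Remote_G",
    1, "voice", "outside", "172.16.200.0/24", "172.16.200.0/24",
    real_dst="172.16.110.0/24")

RULES_BEFORE = [IDENTITY_INSIDE, OBJECT_NAT_PHONE]
RULES_AFTER = [IDENTITY_INSIDE, IDENTITY_VOICE, OBJECT_NAT_PHONE]

BRANCH_PHONE = "172.16.110.50"   # constructed host inside LAN-G
INTERNET_HOST = "198.51.100.7"   # constructed remote administrator


def phone_reply_before():
    return translate(RULES_BEFORE, "voice", "172.16.200.10", BRANCH_PHONE)


def phone_reply_after():
    return translate(RULES_AFTER, "voice", "172.16.200.10", BRANCH_PHONE)


def phone_to_internet_after():
    return translate(RULES_AFTER, "voice", "172.16.200.10", INTERNET_HOST)


if __name__ == "__main__":
    for label, (src, egress, rule) in [
        ("reply to branch, before identity NAT", phone_reply_before()),
        ("reply to branch, after identity NAT ", phone_reply_after()),
        ("to Internet host, after identity NAT", phone_to_internet_after()),
    ]:
        in_tunnel = tunnel_matches(src, BRANCH_PHONE)
        print(f"{label}: src -> {src:15} via {egress}, tunnel={in_tunnel}\n  matched: {rule}")
```

Running it shows the reply to the branch leaving as 203.0.113.108 before the identity rule (so the tunnel selector fails) and as 172.16.200.10 after it, while traffic from the phone system to an Internet host still reaches the Section 2 object NAT and is translated, which is why outside access kept working once the identity rule was added.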
