Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
943
Views
5
Helpful
2
Replies

ASA route-map with nat issue

Mohammed Al-odhari
Level 4
Level 4

‎02-21-2018 10:07 AM - edited ‎02-21-2020 07:23 AM

Hi all,

am having 2 issues as below:

am having asa 5508-X  ver 9.8, some of the Lan users have to reach internet via outside (OK) interface and some via dmz2(not OK).

Default route is via outside port.

Lan users that go via outside port are determind object-group network LAN-USERS.

 

My issue is with the users that determined with satellite access list as attached in the configuration.

Their GW is determined with route-map in addition to the below nat

nat (inside,dmz2) dynamic interface

also i used nat (inside,dmz2) soure static SAT-USERS interface

they cannot reach internet?????????

!

my second issue is:

dspite i configure arp for LAN-USERS as shown in the config, it has no infuence.

I want only the users configured in the object-group network LAN-USERS list in addition to their mac address to access internet via outside port.

 

hope the above issues are clear and you can help

regards,

Labels:
Preview file
4 KB
0 Helpful
2 Replies 2

Ajay Saini
Level 7
Level 7

‎02-22-2018 02:19 AM

Hello,

 

A couple of things we need to fix to start:

1. we need a less preferred route for the dmz2 interface so that traffic can leave the dmz2 interface upon the PBR lookup.

 

route dmz2 0.0.0.0 0.0.0.0 x.x.x.x 254

 

2. The static NAT statement below is incorrect because you are trying to statically map multiple source to a specific destination ip address. Either make it dynamic instead of static or define as many destination ip addresses as the source

nat (inside,outside) source static LAN-USERS obj-192.168.0.3

 

3. I don't think you would require static arp entries, you can remove as per my opinion.

 

Once the above changes are done, try to run a packet-tracer or take syslogs so that we can see where this is failing.

 

 

HTH

AJ

Mohammed Al-odhari
Level 4
Level 4
In response to Ajay Saini

‎02-22-2018 12:09 PM

Thanks alot Ajay for replaying,

as per the config, Two interfaces has to reach internet, outside and dmz2.

For dmz2,so i want only to add less preferred route as you said in addition to this nat ( nat (inside,dmz2) dynamic interface or  nat (inside,dmz2) soure static SAT-USERS interface ) ????

2- for outside, change nat to--> nat (inside,outside) dynamic interface as you suggest or define many destination ip addresses you mean under the obj-192.168.0.3???

3- i dont get your below point three.

i have many hosts defined under object-group network LAN-USERS, about 100 users, to reach the normal default route, is it possible in asa that for this list- mac address must be checked, i mean ,hosts that defined under the LAN-USERS list is to be blocked from internet until their mac addresses is checked?????

 

thanks for cooperation and will wait for your answers

 

regards,

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card