09-04-2021 05:49 PM
I believe that this is a NAT issue. The issue is from the inside: when I try to ping or access anything in my DMZ1 or RA subnet it is sent to the outside interface. I have confirmed this by doing tracert for 144.168.0.x and 124.140.0.x, two other foreign companies' networked devices.
I want to be able to send traffic to my DMZ1 and VPN subnet from my inside. The RA VPN client can ping my inside devices but can't see anything in the DMZ1 (because it's going to the outside as well). From the ASA CLI I can ping the RA VPN clients and anything on the DMZ. DMZ1 has access to Outside\internet.
How can I correct this issue? My guess is I need a NAT rule to determine the egress interface, or somehow use the ASA routing table. I'm not sure how it should look, so if you could provide the commands that would be helpful. Thank you.
object network DukeLAN
subnet 144.244.244.0 255.255.255.0
description Inside Network
object network DMZ1-Network
subnet 144.168.0.0 255.255.255.0
description DMZ1
object network Obj-Remote-IPSEC-VPN
subnet 124.140.1.0 255.255.255.0
description RA VPN subnet
Current NATs (some will be removed due to no hits):
nat (outside,outside) source dynamic DMZ1-Network interface description Allow VPN Access from the Outside
nat (any,any) source static DukeLAN DukeLAN destination static DukeLAN DukeLAN no-proxy-arp description Allow inside traffic to go anywhere
nat (inside,outside) source static DukeLAN DukeLAN destination static Obj-Remote-IPSEC-VPN Obj-Remote-IPSEC-VPN no-proxy-arp route-lookup description For Inside VPN Split tunnel
nat (dmz1,outside) source static DMZ1-Network DMZ1-Network destination static Obj-Remote-IPSEC-VPN Obj-Remote-IPSEC-VPN no-proxy-arp route-lookup description For DMZ VPN Split tunnel
nat (any,outside) source dynamic Obj-Remote-IPSEC-VPN interface description NAT Rule for VPN Clients
nat (dmz1,inside) source static any any destination static DukeLAN DukeLAN no-proxy-arp route-lookup description Allow access for DukeLAN to DMZ1
nat (dmz1,outside) source static any any destination static Obj-Remote-IPSEC-VPN Obj-Remote-IPSEC-VPN no-proxy-arp route-lookup description Allow access for VPN to DMZ1
nat (inside,outside) source static any any destination static Obj-Remote-IPSEC-VPN Obj-Remote-IPSEC-VPN no-proxy-arp route-lookup description Allow access for VPN to Inside?
09-04-2021 06:57 PM
09-04-2021 08:26 PM
Hi Mohammed,
Thanks for taking a look.
Egress route is still going to the outside. I can't remove route-lookup from the 4th NAT rule; it breaks the ability to ping the inside network from the RA client. The first two NAT rules are the dynamic rules that you asked for.
Current NATs:
nat (inside,outside) source dynamic DukeLAN interface description Allow Inside Access to the Outside
nat (dmz1,outside) source dynamic DMZ1-Network interface description Allow DMZ1 Access to the Outside
nat (dmz1,outside) source static DMZ1-Network DMZ1-Network destination static Obj-Remote-IPSEC-VPN Obj-Remote-IPSEC-VPN description For DMZ VPN Split tunnel
nat (inside,outside) source static DukeLAN DukeLAN destination static Obj-Remote-IPSEC-VPN Obj-Remote-IPSEC-VPN route-lookup description For Inside VPN Split tunnel
nat (dmz1,inside) source static any any destination static DukeLAN DukeLAN description Allow access for DukeLAN to DMZ1
Manual NAT Policies (Section 1)
1 (inside) to (outside) source dynamic DukeLAN interface description Allow Inside Access to the Outside
translate_hits = 7631, untranslate_hits = 681
Source - Origin: 144.244.244.0/24, Translated: 107.142.207.220/22
2 (dmz1) to (outside) source dynamic DMZ1-Network interface description Allow DMZ1 Access to the Ouside
translate_hits = 10, untranslate_hits = 0
Source - Origin: 144.168.0.0/24, Translated: 107.142.207.220/22
3 (dmz1) to (outside) source static DMZ1-Network DMZ1-Network destination static Obj-Remote-IPSEC-VPN Obj-Remote-IPSEC-VPN description For DMZ VPN Split tunnel
translate_hits = 2, untranslate_hits = 2
Source - Origin: 144.168.0.0/24, Translated: 144.168.0.0/24
Destination - Origin: 124.140.1.0/24, Translated: 124.140.1.0/24
4 (inside) to (outside) source static DukeLAN DukeLAN destination static Obj-Remote-IPSEC-VPN Obj-Remote-IPSEC-VPN route-lookup description For Inside VPN Split tunnel
translate_hits = 28, untranslate_hits = 28
Source - Origin: 144.244.244.0/24, Translated: 144.244.244.0/24
Destination - Origin: 124.140.1.0/24, Translated: 124.140.1.0/24
5 (dmz1) to (inside) source static any any destination static DukeLAN DukeLAN description Allow access for DukeLAN to DMZ1
translate_hits = 0, untranslate_hits = 0
Source - Origin: 0.0.0.0/0, Translated: 0.0.0.0/0
Destination - Origin: 144.244.244.0/24, Translated: 144.244.244.0/24
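As an added illustration (not from the thread or from Cisco), a small Python model of the section-1 first-match and NAT-decides-egress behaviour this thread is about, run over the show nat output above: an inside host reaching 144.168.0.x matches the source-only dynamic rule 1 first, which names outside as the mapped interface, so the flow leaves via outside instead of dmz1, and rule 5's zero hit counters are flagged as unused. The simplified ASA semantics it assumes are stated in the comments.

```python
import re
import ipaddress
# The section-1 "show nat" output pasted in the thread above (descriptions dropped).
SHOW_NAT = """
1 (inside) to (outside) source dynamic DukeLAN interface
    translate_hits = 7631, untranslate_hits = 681
    Source - Origin: 144.244.244.0/24, Translated: 107.142.207.220/22
2 (dmz1) to (outside) source dynamic DMZ1-Network interface
    translate_hits = 10, untranslate_hits = 0
    Source - Origin: 144.168.0.0/24, Translated: 107.142.207.220/22
3 (dmz1) to (outside) source static DMZ1-Network DMZ1-Network destination static Obj-Remote-IPSEC-VPN Obj-Remote-IPSEC-VPN
    translate_hits = 2, untranslate_hits = 2
    Source - Origin: 144.168.0.0/24, Translated: 144.168.0.0/24
    Destination - Origin: 124.140.1.0/24, Translated: 124.140.1.0/24
4 (inside) to (outside) source static DukeLAN DukeLAN destination static Obj-Remote-IPSEC-VPN Obj-Remote-IPSEC-VPN route-lookup
    translate_hits = 28, untranslate_hits = 28
    Source - Origin: 144.244.244.0/24, Translated: 144.244.244.0/24
    Destination - Origin: 124.140.1.0/24, Translated: 124.140.1.0/24
5 (dmz1) to (inside) source static any any destination static DukeLAN DukeLAN
    translate_hits = 0, untranslate_hits = 0
    Source - Origin: 0.0.0.0/0, Translated: 0.0.0.0/0
    Destination - Origin: 144.244.244.0/24, Translated: 144.244.244.0/24
"""
RULE_RE = re.compile(r"^\s*(\d+) \((\S+)\) to \((\S+)\) (.*)$")
HITS_RE = re.compile(r"translate_hits = (\d+), untranslate_hits = (\d+)")
ORIG_RE = re.compile(r"^\s*(Source|Destination) - Origin: (\S+),")
ANY = ipaddress.ip_network("0.0.0.0/0")
def parse_show_nat(text):  # rules come back in config order, which is the evaluation order
    rules = []
    for line in text.splitlines():
        if m := RULE_RE.match(line):
            rules.append({"num": int(m[1]), "src_if": m[2], "dst_if": m[3], "hits": (0, 0),
                          "route_lookup": "route-lookup" in m[4], "src": ANY, "dst": ANY})
        elif (h := HITS_RE.search(line)) and rules:
            rules[-1]["hits"] = (int(h[1]), int(h[2]))
        elif (o := ORIG_RE.match(line)) and rules:
            rules[-1]["src" if o[1] == "Source" else "dst"] = ipaddress.ip_network(o[2])
    return rules
def first_match(rules, ingress, src_ip, dst_ip):
    # Section 1 is first-match top-down; a source-only dynamic rule matches any destination.
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    return next((r for r in rules if r["src_if"] in (ingress, "any")
                 and s in r["src"] and d in r["dst"]), None)
def egress_interface(rule):
    # A manual rule naming a mapped interface pins egress to it; only route-lookup (or 'any') defers to the routing table.
    if rule is None or rule["dst_if"] == "any" or rule["route_lookup"]:
        return "routing-table"
    return rule["dst_if"]
def unused_rules(rules):  # candidates for removal, as the original post suggests
    return [r["num"] for r in rules if r["hits"] == (0, 0)]
```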
09-04-2021 10:20 PM
09-04-2021 11:00 PM
No, it's not working. Egress route is still going to the outside.
I can't remove route-lookup from the 4th NAT rule; it breaks the ability to ping the inside network from the RA client. The first two NAT rules are the dynamic rules that you asked for.
09-04-2021 11:44 PM
09-05-2021 05:17 AM
Yes, that's how I'm able to see what's going on. This link explains the issue, but I have not been able to come up with the correct NAT command to fix the issue.
http://resources.intenseschool.com/cisco-asa-packet-flow-egress-interface-determination/
So far you have cleaned up the NATs but the problem remains.
09-05-2021 08:17 AM
I have it working for the inside. Inside can now access DMZ1 assets by adding this line:
nat (Inside,DMZ1) after-auto source static DukeLAN DMZ1-Network destination static DMZ1-Network DMZ1-Network no-proxy-arp
Now I just have to fix RA VPN access to the DMZ.
09-05-2021 09:25 AM
I couldn't seem to get RA VPN to talk to DMZ1 even after adding this NAT:
nat (Outside,DMZ1) after-auto source static Obj-Remote-IPSEC-VPN DMZ1-Network destination static DMZ1-Network DMZ1-Network no-proxy-arp
Traffic keeps going to the outside.
Then I remembered to turn off split tunnel for the RA VPN client. Now it's using the correct interface to access the DMZ1.