07-16-2013 12:16 PM - edited 03-11-2019 07:12 PM
Hello,
I have an ASA 5550 with 8.2.5.
I have some DMZs, such as 192.168.160.0/24, 192.168.161.0/24, ..., all with different security levels.
I've been trying on a test firewall to remove nat exempt or nat static (for example, natting 192.168.160.0 to 192.168.160.0) between those DMZs, and nothing works now. Why do I have to use NAT between directly connected networks?! Is there any way to make it work without NAT? I've also issued no nat-control. Below is the syslog error:
3|Jul 16 2013|17:06:29|305006|192.168.160.53||192.168.161.167||portmap translation creation failed for icmp src DMZ0:192.168.160.53 dst DMZ1:192.168.161.167 (type 8, code 0)
Thank you
07-16-2013 12:18 PM
I forgot this syslog error also:
5|Jul 16 2013|17:11:14|305013|192.168.161.167||192.168.160.53||Asymmetric NAT rules matched for forward and reverse flows; Connection for icmp src DMZ1:192.168.161.167 dst DMZ0:192.168.160.53 (type 8, code 0) denied due to NAT reverse path failure
07-16-2013 12:19 PM
Hi,
Can you post the output of the following "packet-tracer" command?
packet-tracer input DMZ0 icmp 192.168.160.53 8 0 192.168.161.167
- Jouni