NAT on Cisco ASA 5550 v8.3(2)

David Fletchall
Level 1

Not very familiar with ASA and NAT'ing in general so hopefully, this will make sense.

I've created a Site-to-Site IPSec VPN tunnel with one of our clients (who uses a PIX).  The remote user can connect to our local, private LAN servers without a problem.  However, when the remote user tries to connect to servers on our corporate network (which is linked over WAN routers from LA to Dallas) they can't get through.

When I run Packet Trace in ASDM on our ASA all is well until the packet attempts to traverse from the Inside interface back through the Outside interface (back to the remote client side of the VPN tunnel).

I see the following "error" within the Packet Trace tool:

-----------------------------------------------------------------------------------------
Type - NAT    Subtype - rpf-check    Action - DROP

Config
object network obj_any
 nat (inside,outside) dynamic interface
-----------------------------------------------------------------------------------------

I've attached my ASA config.  The remote client-side address is 74.8.221.195, it's being PAT'd to 172.30.12.75, and the remote host/network it's not able to reach is 172.30.101.20 (/24 net mask).  The local segment in my LA network is 172.30.12.0/22 and the servers in this network are all able to communicate with the remote client-side user at 74.8.221.195.

This seems simple, so I'm sure my lack of knowledge is the main ingredient here.  Any help would be greatly appreciated.  As previously stated, I've attached a .txt file of my ASA config.

2 Replies

mvsheik123
Level 7

Hi,

nat (inside,outside) source static alb-net1 alb-net1 destination static obj-74.8.221.195 obj-74.8.221.195
!
object network alb-net1
 subnet 172.30.12.0 255.255.252.0
 description Created during name migration
object network alb-net1
!

172.30.12.0 255.255.252.0 does not cover the subnet 172.30.101.20. Also, make sure your corp n/w routers have route to the remote network.

hth

MS
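The reply's point is about ASA 8.3 NAT lookup order: manual ("twice") NAT rules in section 1 are checked first and in order, and only a flow that matches none of them falls through to the object NAT rules in section 2, where the obj_any dynamic PAT lives. A flow that is supposed to stay untranslated for the VPN peer but whose source is outside the identity-NAT object gets PAT'd instead, which is exactly what the rpf-check drop in the trace indicates. The script below is an added example, not code from the thread or from Cisco; it parses a config excerpt built from the lines quoted above and reproduces that lookup. The subnet under obj_any, the /32 definition of obj-74.8.221.195, the host 172.30.12.10, and the corp-net1 object are constructed assumptions, not values from the poster's attached config (and, as the follow-up notes, the real problem in this case turned out to be the crypto map).

```python
import ipaddress
import re

# Constructed excerpt modelled on the lines quoted in the thread. The subnet
# under obj_any and the /32 host behind obj-74.8.221.195 are assumptions; the
# page does not show them.
ASA_CONFIG = """
object network obj_any
 subnet 0.0.0.0 0.0.0.0
 nat (inside,outside) dynamic interface
object network alb-net1
 subnet 172.30.12.0 255.255.252.0
 description Created during name migration
object network obj-74.8.221.195
 host 74.8.221.195
nat (inside,outside) source static alb-net1 alb-net1 destination static obj-74.8.221.195 obj-74.8.221.195
"""

# Manual (twice) NAT: real_src mapped_src real_dst mapped_dst
TWICE_NAT = re.compile(
    r"nat \(\S+,\S+\) source static (\S+) (\S+) destination static (\S+) (\S+)$")
# Object NAT configured under an "object network" block
OBJECT_NAT = re.compile(r"nat \(\S+,\S+\) dynamic interface$")


def parse_asa_nat(text):
    """Return (objects, section1, section2) from an ASA 8.3+ config excerpt.

    objects:  object name -> ip_network
    section1: manual NAT rules as (real_src, mapped_src, real_dst, mapped_dst)
    section2: names of objects that carry an object NAT rule, in config order
    """
    objects, section1, section2 = {}, [], []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        if line.startswith("object network "):
            current = line.split()[2]
        elif line.startswith("subnet ") and current:
            addr, mask = line.split()[1:3]
            objects[current] = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
        elif line.startswith("host ") and current:
            objects[current] = ipaddress.ip_network(f"{line.split()[1]}/32")
        elif TWICE_NAT.match(line):
            section1.append(TWICE_NAT.match(line).groups())
            current = None  # global command, leaves the object block
        elif OBJECT_NAT.match(line) and current:
            section2.append(current)
    return objects, section1, section2


def lookup_nat(config_text, src_ip, dst_ip):
    """Classify an inside-to-outside flow the way the ASA orders its lookup:
    section 1 (manual NAT, first match) before section 2 (object NAT)."""
    objects, section1, section2 = parse_asa_nat(config_text)
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for real_src, mapped_src, real_dst, mapped_dst in section1:
        if src in objects[real_src] and dst in objects[real_dst]:
            if real_src == mapped_src and real_dst == mapped_dst:
                return ("section 1", "identity NAT")
            return ("section 1", "twice NAT")
    for name in section2:
        if src in objects[name]:
            return ("section 2", f"dynamic PAT via {name}")
    return ("none", "untranslated")


def add_identity_nat(config_text, obj_name, subnet, mask, peer_obj="obj-74.8.221.195"):
    """Append a constructed object plus an identity NAT rule for it, the shape the
    reply describes for a corporate subnet the existing object does not cover."""
    return config_text + (
        f"object network {obj_name}\n"
        f" subnet {subnet} {mask}\n"
        f"nat (inside,outside) source static {obj_name} {obj_name} "
        f"destination static {peer_obj} {peer_obj}\n"
    )


if __name__ == "__main__":
    peer = "74.8.221.195"
    # Constructed sample hosts: one inside 172.30.12.0/22, one on the corp /24.
    for host in ("172.30.12.10", "172.30.101.20"):
        print(f"{host} -> {peer}: {lookup_nat(ASA_CONFIG, host, peer)}")
    fixed = add_identity_nat(ASA_CONFIG, "corp-net1", "172.30.101.0", "255.255.255.0")
    print(f"after adding corp-net1: {lookup_nat(fixed, '172.30.101.20', peer)}")
```

The script appends the new rule at the end of section 1, which is where the ASA puts a manual NAT rule unless a line number is given; because section 1 is first-match, a broader rule placed earlier can shadow a narrower one, so on a real firewall re-run packet-tracer after the change rather than assuming the new rule is hit. The reply's second point still stands independently of NAT: the Dallas-side routers need a return route for the peer address or the traffic never reaches the ASA in the first place.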

This ended up being a Crypto Map issue.
