
NAT order on ASA v8.6

Fergal Meehan
Level 1

Hi,

I have built a site to site VPN (ASA1 to ASA2) which works. But!

When the LOCAL network on ASA1 tries to access REMOTE hosts on the ASA2 firewall THAT HAVE STATIC NATs to public IPs, the traffic never gets returned back over the VPN. Basically, the traffic always wants to exit the REMOTE ASA on the public NAT address. So I have asynchronous VPN traffic from ASA1 to ASA2.


Running a packet-tracer on ASA2 to replicate ASA2 TO ASA1 VPN traffic, again the static NAT kicks in.

Despite having the correct NO NAT statements in (remember this works for non-static-NAT hosts), I can't think what the problem may be.

The LOCAL ASA was built by me, and even there I use static NATs, but I write them like the following:

!
object network obj-172.20.176.148
nat (WEBDMZ,OUTSIDE) static 217.114.x.x
!

The REMOTE ASA has its static NATs configured like the following:

!
nat (inside,outside) source static obj-172.30.0.206 obj-86.47.x.x
!

Is there an order of NAT that I should know about in this case, or better again, can someone explain to me what is happening here and how to allow VPN access from ASA1 to public-facing hosts (static NAT) on ASA2?

Thanks

Fergal
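The ordering the question asks about, as an added reference example that is not from the original post or any reply. ASA 8.3 and later evaluate NAT in three sections: Section 1 is manual (twice) NAT in the order the lines were entered, Section 2 is auto (object) NAT, and Section 3 is manual NAT entered with the after-auto keyword. The LOCAL ASA's static is object NAT (Section 2), so a NAT exemption written as manual NAT always precedes it. The REMOTE ASA's static is itself manual NAT (Section 1), so an exemption added afterwards sits below it and is never reached. The configuration below uses the post's own object names on the REMOTE ASA and inserts the exemption as line 1; the obj-ASA1-LAN object, its 172.20.176.0/24 subnet, the obj-172.30.0.206 and obj-86.47.x.x object bodies, and the 172.20.176.50 test host are assumptions, not values from the post.

```cisco
! Added example, not from the post. ASA 8.3+ NAT is matched in this order:
!   Section 1: manual (twice) NAT, first match in configured line order
!   Section 2: auto (object) NAT
!   Section 3: manual NAT entered with the "after-auto" keyword
! ASA2's "nat (inside,outside) source static ..." is a Section 1 rule,
! so an exemption must be placed ABOVE it or it is shadowed.
!
! ASSUMED object bodies; the post only shows the object names.
object network obj-172.30.0.206
 host 172.30.0.206
object network obj-86.47.x.x
 host 86.47.x.x
!
! ASSUMED: ASA1's LAN reachable over the tunnel is 172.20.176.0/24.
object network obj-ASA1-LAN
 subnet 172.20.176.0 255.255.255.0
!
! Existing static on ASA2, unchanged (from the post).
nat (inside,outside) source static obj-172.30.0.206 obj-86.47.x.x
!
! Exemption inserted as line 1 of Section 1 so it is evaluated first.
! Identity NAT on source and destination keeps the real IPs across the VPN.
! no-proxy-arp: do not proxy-ARP for the remote subnet on inside.
! route-lookup: choose the egress interface from the routing table rather
!               than the NAT rule, so replies follow the crypto map on outside.
nat (inside,outside) 1 source static obj-172.30.0.206 obj-172.30.0.206 destination static obj-ASA1-LAN obj-ASA1-LAN no-proxy-arp route-lookup
!
! Verify the line order, then replay the return path. The NAT phase should
! hit the line-1 exemption and the packet should be encrypted on outside.
show nat
packet-tracer input inside tcp 172.30.0.206 80 172.20.176.50 40000
```

The line number is the whole point: with a manual static already present, a NAT exemption entered without a line number lands at the bottom of Section 1, which matches exactly the symptom of packet-tracer showing the static NAT being applied to VPN-bound traffic.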
