07-28-2010 06:35 AM - edited 03-11-2019 11:17 AM
hi,
we upgraded our ASA 5520 this weekend to release 8.3. The problem is that I have to reach the server with IP 10.80.41.24 behind the transit-intern interface (sec-level 100) from the WWW across the outside interface (sec-level 0) via the public IP 92.62.22.232. Therefore I configured this NAT rule:
object network obj-10.80.41.24
host 10.80.41.24
object network obj-10.80.41.24
nat (transit-intern,outside) static 92.62.22.232
Otherwise the server has to be reached natively by the VPN users terminating on the same interface (outside):
object network transit-intern-netze
subnet 10.80.32.0 255.255.224.0
object network remote-pool
subnet 10.80.52.0 255.255.255.0
nat (outside,transit-intern) source static remote-pool remote-pool destination static transit-intern-netze transit-intern-netze
Is there a possibility to make a config which works?
thanks for your response!
kind regards,
thomas
07-28-2010 11:23 AM
Hmm, I don't think the following will work...
nat (outside,transit-intern) source static remote-pool remote-pool destination static transit-intern-netze transit-intern-netze
If I am correct, basically you want to be able to reach 10.80.41.24 from 10.80.52.0 255.255.255.0 by using its real IP address of 10.80.41.24.
What happens if you try the following and take out the rule above?
nat (transit-intern,outside) source static obj-10.80.41.24 obj-10.80.41.24 destination static remote-pool remote-pool
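The accepted fix assembled into one complete ASA 8.3 NAT configuration, as an added example that is not part of the original thread or of Cisco's own documentation. The interface names, objects and addresses are the poster's; the access-list name `outside_in` and the verification commands are assumptions added here.

```cisco
! Objects from the thread: the real server and the VPN address pool.
object network obj-10.80.41.24
 host 10.80.41.24
object network remote-pool
 subnet 10.80.52.0 255.255.255.0
!
! Section 1 (manual / twice NAT) is evaluated before Section 2 (object NAT),
! so this identity rule wins for traffic between the server and the VPN pool.
! It is written from the server's interface, as in the accepted answer, so the
! forward and reverse lookups hit the same rule and the 305013 "Asymmetric NAT
! rules matched" drop does not occur.
nat (transit-intern,outside) source static obj-10.80.41.24 obj-10.80.41.24 destination static remote-pool remote-pool
!
! Section 2 (object NAT): all other traffic from the Internet reaches the
! server on its public address. The original (outside,transit-intern) rule
! from the question is not configured at all.
object network obj-10.80.41.24
 nat (transit-intern,outside) static 92.62.22.232
!
! 8.3 caveat: the outside access-list must reference the REAL address
! (10.80.41.24), not 92.62.22.232, because the packet is un-NATed (Phase 3)
! before the ACL is checked (Phase 4). Permit only the service that is
! needed instead of "permit ip any any". ACL name is an assumption.
access-list outside_in extended permit tcp any object obj-10.80.41.24 eq 80
access-group outside_in in interface outside
!
! Verification. Internet -> public IP: expect Phase UN-NAT to 10.80.41.24
! from the object NAT rule, as in the trace posted above.
packet-tracer input outside tcp 4.2.2.2 1025 92.62.22.232 80
!
! VPN client -> real IP: expect the Section 1 identity rule in the NAT phase.
! packet-tracer does not model the IPsec tunnel, so read the NAT phases rather
! than the final ACL verdict; real tunnel traffic bypasses the interface ACL
! while "sysopt connection permit-vpn" (the default) is in effect.
packet-tracer input outside icmp 10.80.52.21 8 0 10.80.41.24
```

After applying the change, `show nat` lists the Section 1 identity rule ahead of the object NAT rule, and the 305013 syslog message for 10.80.52.0/24 sources should stop appearing.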
07-28-2010 07:47 AM
I assume you are able to let your VPN users access the device via 10.80.41.24.
Are you saying that the following NAT is not working for you?
object network obj-10.80.41.24
host 10.80.41.24
object network obj-10.80.41.24
nat (transit-intern,outside) static 92.62.22.232
It definitely works (I am using "inside" instead of "transit-intern"):
ASA(config)# packet-tracer input outside tcp 4.2.2.2 1025 92.62.22.232 80
Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
MAC Access list
Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list
Phase: 3
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
object network obj-10.80.41.24
nat (inside,outside) static 92.62.22.232
Additional Information:
NAT divert to egress interface inside
Untranslate 92.62.22.232/80 to 10.80.41.24/80
Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group 101 in interface outside
access-list 101 extended permit ip any any
Additional Information:
Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 6
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
object network obj-10.80.41.24
nat (inside,outside) static 92.62.22.232
Additional Information:
Phase: 7
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 8
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 1259, packet dispatched to next module
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: allow
Send the output of "packet-tracer input outside tcp 4.2.2.2 1025 92.62.22.232 80"
Check to see if you have access-rules for this.
07-28-2010 08:49 AM
hi mark,
you are right. This NAT rule works fine, but the NAT exemption for the VPN users (VPN pool: 10.80.52.0/24) doesn't work --> error code:
5 Jul 28 2010 17:41:51 305013 10.80.41.24 Asymmetric NAT rules matched for forward and reverse flows; Connection for icmp src outside:10.80.52.21 dst transit-intern:10.80.41.24 (type 8, code 0) denied due to NAT reverse path failure
Access to other devices in the same LAN (10.80.41.0/24) works fine.
It seems that the reverse packets are sent directly to the internet and not back into the IPsec tunnel.
07-29-2010 02:33 AM
thanks August, you were right. It works!!