nat-problem with asa 5520 8.3

thomas.luxl
Level 1

Hi,

We upgraded our ASA 5520 this weekend to release 8.3. The problem is that I have to reach the server with IP 10.80.41.24 behind the transit-intern interface (security level 100) from the WWW across the outside interface (security level 0) via the public IP 92.62.22.232. Therefore I configured this NAT rule:

object network obj-10.80.41.24
  host 10.80.41.24

object network obj-10.80.41.24
  nat (transit-intern,outside) static 92.62.22.232

Otherwise, the server has to be reachable natively by the VPN IP users terminating on the same interface (outside):

object network transit-intern-netze
  subnet 10.80.32.0 255.255.224.0
object network remote-pool
  subnet 10.80.52.0 255.255.255.0

nat (outside,transit-intern) source static remote-pool remote-pool destination static transit-intern-netze transit-intern-netze

Is there a possibility to make a config which works?

Thanks for your response!

Kind regards,

Thomas


marbrow2
Level 1

I assume you are able to let your VPN users access the device via 10.80.41.24.

Are you saying that the following NAT is not working for you?

object network obj-10.80.41.24
  host 10.80.41.24

object network obj-10.80.41.24
  nat (transit-intern,outside) static 92.62.22.232

It definitely works: (I am using "inside" instead of "transit-intern")

ASA(config)# packet-tracer input outside tcp 4.2.2.2 1025 92.62.22.232 80

Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
MAC Access list

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 3
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
object network obj-10.80.41.24
nat (inside,outside) static 92.62.22.232
Additional Information:
NAT divert to egress interface inside
Untranslate 92.62.22.232/80 to 10.80.41.24/80

Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group 101 in interface outside
access-list 101 extended permit ip any any
Additional Information:

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
object network obj-10.80.41.24
nat (inside,outside) static 92.62.22.232
Additional Information:

Phase: 7
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 1259, packet dispatched to next module

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: allow

Send the output of "packet-tracer input outside tcp 4.2.2.2 1025 92.62.22.232 80"

Check to see if you have access-rules for this.

Hi Mark,

You are right, this NAT rule works fine. But the NAT exclusion for the VPN users (VPN pool: 10.80.52.0/24) doesn't work --> error code:

5 Jul 28 2010 17:41:51 305013 10.80.41.24 Asymmetric NAT rules matched for forward and reverse flows; Connection for icmp src outside:10.80.52.21 dst transit-intern:10.80.41.24 (type 8, code 0) denied due to NAT reverse path failure

Access to other devices in the same LAN (10.80.41.0/24) works fine.

It seems that the reverse packets are sent directly to the internet and not back into the IPsec tunnel.

August Ritchie
Level 1

Hmm, I don't think the following will work...

nat (outside,transit-intern) source static remote-pool remote-pool destination static transit-intern-netze transit-intern-netze

If I am correct, basically you want to be able to reach 10.80.41.24 from 10.80.52.0 255.255.255.0 by using its real IP address of 10.80.41.24.

What happens if you try the following and take out the rule above?

nat (transit-intern,outside) source static obj-10.80.41.24 obj-10.80.41.24 destination static remote-pool remote-pool

Thanks August, you were right. It works!!
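The fix August suggests can be verified with the packet-tracer output Mark asked for: the rule quoted in the UN-NAT phase and the rule quoted in the NAT rpf-check phase must be the same, and the rpf-check must ALLOW; when they differ the ASA denies the connection with the "NAT reverse path failure" that Thomas's %ASA-5-305013 log line reports. The small Python parser below is an added example, not code from the thread or from Cisco; the trace it parses is quoted from Mark's post and trimmed to the two NAT phases.

```python
import re

# packet-tracer output quoted from Mark's post above, cut down to the two NAT phases
SAMPLE = """Phase: 3
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
object network obj-10.80.41.24
nat (inside,outside) static 92.62.22.232
Additional Information:
Untranslate 92.62.22.232/80 to 10.80.41.24/80

Phase: 6
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
object network obj-10.80.41.24
nat (inside,outside) static 92.62.22.232
Additional Information:
"""

# one packet-tracer phase: header fields, then the config lines quoted up to "Additional Information:"
PHASE_RE = re.compile(
    r"Phase: (?P<num>\d+)\nType: (?P<type>[^\n]*)\nSubtype: ?(?P<subtype>[^\n]*)\n"
    r"Result: (?P<result>\w+)\nConfig:\n(?P<config>.*?)Additional Information:",
    re.S,
)

def parse_phases(text):
    """Return one dict per phase with num/type/subtype/result and the quoted config lines."""
    return [
        {**m.groupdict(), "config": m.group("config").strip().splitlines()}
        for m in PHASE_RE.finditer(text)
    ]

def nat_rpf_check(text):
    """Compare the rule that untranslated the destination (UN-NAT) with the rule the reverse
    flow hits (NAT rpf-check): same rule and an ALLOW there means the NAT is symmetric."""
    phases = parse_phases(text)
    unnat = [p for p in phases if p["type"] == "UN-NAT"]
    rpf = [p for p in phases if p["type"] == "NAT" and p["subtype"] == "rpf-check"]
    if not unnat or not rpf:
        return {"nat_phases_found": False, "symmetric": None}  # no NAT on this path
    fwd, rev = unnat[0], rpf[0]
    return {"nat_phases_found": True, "forward_rule": fwd["config"][-1],
            "reverse_rule": rev["config"][-1],
            "symmetric": fwd["config"] == rev["config"] and rev["result"] == "ALLOW"}
```

Feed it the full output of a trace such as "packet-tracer input outside icmp 10.80.52.21 8 0 10.80.41.24" after changing the twice-NAT rule; a result with symmetric False points at the two rules that disagree.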
