NAT problem

denilson.mota
Level 1

Hi experts,

My remote users inside the MPLS need to access a web server, so I created a NAT from the MPLS IP to the real web server IP on the interface where my remote users are connected, and then I created a record in the DNS server pointing to the MPLS IP. Up to now everything is working fine: my remote users are able to connect to the server through the DNS name and also through the MPLS IP.

The problem is that all internal users (LAN) can't connect, but if I create a local record in the local hosts file pointing to the real web server IP it works, or if I use the real IP directly in the browser it works. Please help me figure out why they can't connect directly to the web server through the record I created pointing to the MPLS IP (the same record the remote users use). The NAT is only supposed to affect the users in the MPLS, I think.

Thank you,

9 Replies

Ajay Saini
Level 7

Hello,

The reason it does not work for internal users is that they are trying to hit the mapped IP. This will be dropped on the ASA and is expected. You can configure a u-turn scenario wherein the request comes to the ASA inside interface and the ASA proxies it and sends it back inside rather than sending it outside.

If you can attach the running config, I can suggest some changes.

If you don't want to modify this setup, you can make the hosts file changes which you have already figured out. Can you also confirm where your DNS server is, internal or external? If it is external, we can use DNS doctoring to make it work.

-

HTH

AJ

Hi Ajay,

Thank you for your reply.

Attached find the scenario draft and the traffic capture. My remote users are able to access service y.y.y.1 because they go to the core router, and from there they have a route to our ASA FW 99.6, and the NAT is on the same interface; the same happens for service x.x.x.1: it goes to the core router, which has a route to 99.4.

My LAN users are able to access service y.y.y.1 because the default gateway has a static route to 99.6 and from there it has a NAT, but they can't access service x.x.x.1 because our FW 99.4 doesn't know x.x.x.1 and sends it to the cloud. I have created a route to send traffic from the LAN to the core router, and it knows x.x.x.1 because it has a static route to 99.4. It is like sending from the FW to the core and coming back to the FW on the right interface where the NAT is applied, but it is also not working. Please see the attachment and help.

Thank you

Hello,

This is an interesting problem with a trickier workaround. The idea is to u-turn the traffic, because for LAN users the traffic cannot go to the core router and come back through the same route. It is the firewall design to drop such traffic.

I requested a running config, but the things we need to achieve this are as follows:

Create a NAT on the 10.0.0.1 interface, something like (object NAT, ASA 8.3 or later syntax; the object name is just a placeholder):

object network WEB-SERVER
 host <private ip>
 nat (inside,inside) static <public ip 99.4>

Also, create a source NAT such that when a LAN user hits the public IP address 99.4, it goes to the inside interface of the firewall. The FW will proxy ARP for the destination IP due to the NAT I mentioned above and send it back as u-turned traffic. The source of the LAN will be PATed to the inside interface so that the reply traffic comes back through the same path.

Also, add the command below to allow the u-turn.

same-security-traffic permit intra-interface

Try this in a downtime window and test it out.

HTH
AJ

Hi Ajay,

Thank you once again for your reply.

Yes, this is an interesting scenario and I am stuck trying to make this work.

My LAN user subnet is 10.0.1.0/24, connected to my ASA at 10.0.1.1; the MPLS IP is located on the MPLS core router, which sends to my ASA on the MPLS interface 10.0.99.4. As I told you, the remote users have no problem, as they come in via our MPLS interface on the ASA and then the NAT to the real server happens. As per your explanation, I have to NAT my inside interface to the inside interface like this:

NAT (inside,inside) static 41.76.7.25 10.0.10.50 ----> (meaning NAT my MPLS IP to the real server on the inside interface; is this correct?) then

NAT (inside,inside) source static 41.76.7.25 10.0.1.0 destination static (is this correct?)

Can I try this scenario in PRODUCTION without any downtime? Please advise accordingly.

The commands --> same-security-traffic permit intra-interface and
                            same-security-traffic permit inter-interface are already there.

Thank you,

 

You would also need to PAT the inside LAN user to the inside interface so that the reply traffic comes back to the ASA interface and there is no asymmetric routing. For that (object NAT; the object name is a placeholder):

object network obj-test
 subnet <inside subnet>
 nat (inside,inside) dynamic interface

Try it out and see if it works. I would have taken the risk in a live environment.

Good luck.

HTH

AJ

 

I'm a bit confused now. Can you please send me the commands I have to run on the ASA with the correct IPs, assuming my LAN subnet is 10.0.1.0/24 and my MPLS IP is 41.76.7.25? Can I use only one host for test purposes, let's say 10.0.1.24? Is there any need for an ACL to permit the traffic?

Please check whether these commands are correct before I insert them:

NAT (inside,inside) static 41.76.7.25 10.0.10.50

NAT (inside,inside) source static 41.76.7.25 10.0.1.0 destination static

object network NTADMIN
 subnet 10.0.1.24 255.255.255.255
 nat(inside,inside) source dynamic any interface

Thank you!

object network WEB-REAL
 host 10.0.10.50
 nat (inside,inside) static 41.76.7.25

object network NTADMIN
 host 10.0.1.24
 nat (inside,inside) dynamic interface

Please try this. We don't need an ACL since the traffic is never going to cross an interface; it will always get u-turned from the inside interface.

HTH

AJ
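The complete u-turn (hairpin) configuration that the replies above describe, collected into one place as an added example. This is not configuration from the original thread or from Cisco; it is written against ASA 8.3+ NAT syntax and assumes the names and addresses stated in the comments (interface nicknames "inside" and "mpls", the server 10.0.10.50 reachable via inside, the MPLS-side address 41.76.7.25, and the test host 10.0.1.24). The object names are made up for the example. It uses one twice-NAT rule for the hairpin instead of two object-NAT rules, which keeps the source PAT and the destination untranslation in a single, easily read statement.

```cisco
! Added example, not the thread's own config. Assumed topology:
!   interface "inside" = 10.0.1.1/24 (LAN 10.0.1.0/24, server 10.0.10.50 behind it)
!   interface "mpls"   = 10.0.99.4   (MPLS core router on the far side)
!   MPLS-side address for the web server = 41.76.7.25
!   LAN test host = 10.0.1.24
!
! Required so a packet may enter and leave the same interface.
same-security-traffic permit intra-interface
!
object network WEB-REAL
 host 10.0.10.50
object network WEB-MPLS
 host 41.76.7.25
object network LAN-TEST
 host 10.0.1.24
!
! Existing, working path: MPLS users reach 41.76.7.25 via the mpls interface.
nat (inside,mpls) source static WEB-REAL WEB-MPLS
!
! Hairpin for the LAN: a packet from 10.0.1.24 to 41.76.7.25 arrives on inside,
! the destination is untranslated to 10.0.10.50 and the source is PATed to the
! inside interface address (10.0.1.1), so the server's reply returns to the ASA
! rather than going straight back to the host (which would be asymmetric).
nat (inside,inside) source dynamic LAN-TEST interface destination static WEB-MPLS WEB-REAL
!
! Verification: trace a constructed SYN from the test host before touching a browser.
! Expect an "ALLOW" result with the NAT phase showing 41.76.7.25 -> 10.0.10.50
! and 10.0.1.24 -> 10.0.1.1, and an output interface of inside.
packet-tracer input inside tcp 10.0.1.24 12345 41.76.7.25 80 detailed
show nat detail
show xlate
show conn address 10.0.1.24
```

To extend the hairpin to the whole LAN, replace LAN-TEST with an object whose body is `subnet 10.0.1.0 255.255.255.0`, or with `any`. If an inbound access-list is bound to the inside interface it must permit the test host to the server; ASA 8.3 and later evaluate ACLs on real addresses, so the entry names 10.0.10.50, not 41.76.7.25. The alternative AJ mentions, DNS doctoring, is the `dns` keyword on the (inside,mpls) rule; it only helps when the DNS reply itself passes through the ASA on that rule, which depends on where the DNS server sits, so the hairpin above is the option that does not depend on DNS placement.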

For this last line "nat (inside,inside) dynamic interface", do you mean
nat (inside,inside) source dynamic any interface? Is that correct?

I did it, but it still does not open the service; see the capture attached.
