We have a video system at 10.4.86.199 trying to call another system at 172.30.1.102.
The system at 10.4.86.199 receives the video image and sound, but the one at 172.30.1.102 doesn't after the call is established.
10.4.86.199 actually contacts 10.40.86.102, which NATs to 172.30.1.102; it cannot contact 172.30.1.102 directly. This is by design.
I've tried packet-tracer and it points to a problem with NAT, but I can't pinpoint it. Any help would be appreciated.
Please see the attached config.
Thank you in advance.
If I understand correctly, 10.4.86.199 should reach 10.40.86.102 to be able to get the service from 172.30.1.102.
172.30.1.102 NATs to 10.40.86.102.
In order to allow 10.4.86.199 to reach 10.40.86.102 you need a static NAT (which you have):
static (inside,E-40) 10.40.86.102 172.30.1.102 netmask 255.255.255.
and also an ACL:
access-list Endo-40_access_in extended permit ip any object-group DM_INLINE_NETWORK_1
access-list Endo-40_access_in extended permit object-group DM_INLINE_SERVICE_1 any any
These should be permitting this traffic (all ports required to make this work).
Normally, if packet-tracer reports a problem (a NAT problem in this case), it should show you which NAT rule is causing it.
Can you include that information?
Here's the result:
ciscoasa# packet-tracer in E-40 tcp 10.4.86.199 12345 172.30.1.102 80
Found no matching flow, creating a new flow
in 172.30.1.0 255.255.255.0 inside
access-group Entrust-40_access_in in interface E-40
access-list Entrust-40_access_in extended permit ip any any
access-group inside-out-acl out interface inside
access-list inside-out-acl extended permit ip object-group DM_INLINE_NETWORK_12 172.30.1.0 255.255.255.0
object-group network DM_INLINE_NETWORK_12
network-object 10.4.86.0 255.255.255.0
network-object 10.40.86.0 255.255.255.0
static (inside,E-40) 10.40.86.102 172.30.1.102 netmask 255.255.255.255
match ip inside host 172.30.1.102 E-40 any
static translation to 10.40.86.102
translate_hits = 15, untranslate_hits = 36
Drop-reason: (acl-drop) Flow is denied by configured rule
The test is incorrect.
You're attempting to reach 172.30.1.102 on port 80 from 10.4.86.199.
From 10.4.86.199 you should reach 10.40.86.102 (and the ASA will statically NAT it to 172.30.1.102).
Do the following test:
packet-tracer in E-40 tcp 10.4.86.199 12345 10.4.86.102 80
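As an added example, not part of this thread or of any Cisco tool: a small Python check that parses the static NAT line and the packet-tracer output quoted above (re-typed here as constructed input), reports the verdict and drop reason, and, when the test enters on the mapped-side interface but targets the real address, suggests the mapped address to retest against. It assumes the pre-8.3 `static (real_ifc,mapped_ifc) mapped_ip real_ip` argument order.

```python
import re

# Constructed sample: the static NAT line and packet-tracer output quoted in the thread.
STATIC_NAT_CONFIG = "static (inside,E-40) 10.40.86.102 172.30.1.102 netmask 255.255.255.255"

PACKET_TRACER_OUTPUT = """\
ciscoasa# packet-tracer in E-40 tcp 10.4.86.199 12345 172.30.1.102 80
Found no matching flow, creating a new flow
static (inside,E-40) 10.40.86.102 172.30.1.102 netmask 255.255.255.255
  match ip inside host 172.30.1.102 E-40 any
    static translation to 10.40.86.102
    translate_hits = 15, untranslate_hits = 36
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

# Pre-8.3 syntax (assumed): static (real_ifc,mapped_ifc) mapped_ip real_ip netmask ...
STATIC_RE = re.compile(r"^static \((\S+),(\S+)\) (\S+) (\S+) netmask")
TRACE_RE = re.compile(r"packet-tracer in (\S+) (\S+) (\S+) (\d+) (\S+) (\d+)")
DROP_RE = re.compile(r"Drop-reason: \((\S+)\) (.*)")

def parse_static_nats(config):
    """Map (real_ifc, mapped_ifc) -> {real_ip: mapped_ip} from static NAT lines."""
    nats = {}
    for line in config.splitlines():
        m = STATIC_RE.match(line.strip())
        if m:
            real_if, mapped_if, mapped_ip, real_ip = m.groups()
            nats.setdefault((real_if, mapped_if), {})[real_ip] = mapped_ip
    return nats

def check_trace(output, nats):
    """Extract verdict and drop reason, and flag a test that enters on the mapped
    side but targets the real address (reachable from there only via its mapped IP)."""
    m = TRACE_RE.search(output)
    if not m:
        raise ValueError("no packet-tracer command line found in output")
    in_if, proto, src, sport, dst, dport = m.groups()
    drop = DROP_RE.search(output)
    result = {"ingress": in_if, "proto": proto, "src": src, "dst": dst,
              "dport": int(dport), "action": "drop" if drop else "allow",
              "drop_reason": drop.group(1) if drop else None,
              "suggested_dst": None}
    for (real_if, mapped_if), table in nats.items():
        if in_if == mapped_if and dst in table:
            result["suggested_dst"] = table[dst]
    return result

if __name__ == "__main__":
    r = check_trace(PACKET_TRACER_OUTPUT, parse_static_nats(STATIC_NAT_CONFIG))
    print(r["action"], r["drop_reason"], "retest against", r["suggested_dst"])
```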