Route map nat question

burnettcounty
Level 1

This configuration is beyond my understanding of Cisco natting.  Actually most of it is beyond, but I set it up anyway.

We have two connections out of our building.  Our internet link (named SirenTel), and a connection to the state network which is forwarded to another router in our DMZ. 

I think I need a route map to fix my problem but not sure.  I had everything configured and working, but nobody could get out of our second state link.  So I had to add this line to the configuration:  "nat (any,DMZ) after-auto source dynamic any interface"

Then the static routes to the state network started to work.  Now there is a new problem with devices in the DMZ: they cannot access the internet.  Connections initiated from the internet are able to reach them correctly.  I receive this error in the log:

"Asymmetric NAT rules matched for forward and reverse flows; Connection for udp src DMZ:10.167.42.15/53294 dst SirenTel:8.8.8.8/53 denied due to NAT reverse path failure"

Do I need a conditional nat for that DMZ link to the state network?  I need everyone on our network (multiple vlans) to be able to send through that route, so not sure how to write it.

My second, unrelated problem is with trying to ping devices outside our network.  The reply gets denied due to firewall rules, but shouldn't established connections come back through?  For the few devices I wanted to monitor outside my network I had to add a permit for icmp traffic from those addresses.

Hopefully the relevant config lines:

route SirenTel 0.0.0.0 0.0.0.0 64.33.171.81 2
route DMZ 165.189.42.0 255.255.255.0 10.167.42.1 1
route DMZ 165.189.52.65 255.255.255.255 10.167.42.1 1
route DMZ 165.189.96.0 255.255.255.0 10.167.42.1 1
route DMZ 167.218.0.0 255.255.0.0 10.167.42.1 1
route DMZ 198.150.235.253 255.255.255.255 10.167.42.1 1

object network 10.167.42.15
nat (DMZ,SirenTel) static 64.33.171.93

nat (any,DMZ) after-auto source dynamic any interface
nat (any,SirenTel) after-auto source dynamic any interface

access-list SirenTel_access_in extended permit icmp object-group DM_INLINE_NETWORK_15 any4

Thanks for any assistance.

- James

2 Replies

Julio Carvajal
VIP Alumni

Hello James,

Let's start with ICMP. To make it stateful you need:

fixup protocol icmp

For the NAT

object-group network DMZ_Subnets
 network-object 165.189.42.0 255.255.255.0
 network-object 165.189.52.65 255.255.255.255
 network-object 165.189.96.0 255.255.255.0
 network-object 167.218.0.0 255.255.0.0
 network-object 198.150.235.253 255.255.255.255
exit

no nat (any,DMZ) after-auto source dynamic any interface
no nat (any,SirenTel) after-auto source dynamic any interface

nat (inside,dmz) source dynamic any interface destination static DMZ_Subnets DMZ_Subnets
nat (outside,dmz) source dynamic any interface destination static DMZ_Subnets DMZ_Subnets
nat (inside,outside) source dynamic any interface
nat (dmz,outside) source dynamic any interface

Any questions julio17carvajal@hotmail.com

For more information about Core and Security Networking follow my website at http://laguiadelnetworking.com

Cheers,

Julio Carvajal Segura

http://laguiadelnetworking.com

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
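As an added example (my own code, not from the thread or from Cisco), a small Python lint that parses ASA nat lines and flags the pattern James hit: a destination-less dynamic "interface" PAT rule that, because one of its interfaces is any, also covers the reverse direction of an existing static rule. The check is a simplification suggested by the log message, not the ASA's actual rule-matching logic; the second sample substitutes James's interface names into the reply's rules, with Inside an assumed name for his internal interfaces.

```python
import re
from collections import namedtuple

# Constructed sample: the poster's NAT lines, which triggered the "Asymmetric NAT rules matched" log entry.
ORIGINAL_NAT = """\
object network 10.167.42.15
 nat (DMZ,SirenTel) static 64.33.171.93
nat (any,DMZ) after-auto source dynamic any interface
nat (any,SirenTel) after-auto source dynamic any interface
"""

# Constructed sample: the reply's rule set with explicit interface pairs; "Inside" is an assumed name for the poster's internal interfaces.
PROPOSED_NAT = """\
object network 10.167.42.15
 nat (DMZ,SirenTel) static 64.33.171.93
nat (Inside,DMZ) source dynamic any interface destination static DMZ_Subnets DMZ_Subnets
nat (Inside,SirenTel) source dynamic any interface
nat (DMZ,SirenTel) source dynamic any interface
"""

NAT_RE = re.compile(r"^\s*nat\s+\((\S+?),(\S+?)\)\s+(.*)$", re.IGNORECASE)
# kind: source translation type ("static" or "dynamic"); has_dest: twice NAT scoped by a destination clause
NatRule = namedtuple("NatRule", "ingress egress kind has_dest text")

def parse_nat(config):
    """Extract object-NAT and twice-NAT rules from ASA config text."""
    rules = []
    for m in filter(None, map(NAT_RE.match, config.splitlines())):
        ingress, egress, rest = m.groups()
        tokens = rest.split()
        if tokens[0] == "after-auto":  # section placement, not a translation type
            tokens = tokens[1:]
        # twice NAT reads "source <kind> ..."; object NAT reads "<kind> ..."
        kind = tokens[1] if tokens[0] == "source" else tokens[0]
        rules.append(NatRule(ingress, egress, kind, "destination" in tokens, m.group(0).strip()))
    return rules

def _covers(rule_if, actual):
    # "any" covers every interface; names compare case-insensitively here to tolerate the thread's mixed casing
    return rule_if.lower() in ("any", actual.lower())

def reverse_path_conflicts(rules):
    """Heuristic: report each destination-less static rule (A,B) paired with a destination-less dynamic rule that also covers (B,A)."""
    found = []
    for s in (r for r in rules if r.kind == "static" and not r.has_dest):
        for d in (r for r in rules if r.kind == "dynamic" and not r.has_dest):
            if _covers(d.ingress, s.egress) and _covers(d.egress, s.ingress):
                found.append((s.text, d.text))
    return found
```

Run against the two samples, the original set reports exactly the nat (any,DMZ) line James added, while the rewritten set with explicit interface pairs reports nothing.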

I am guessing that I do not need this line if I don't need to route from outside my network through my second link.

nat (outside,dmz) source dynamic any interface destination static DMZ_Subnets DMZ_Subnets

And I do not have 'inside' or 'outside' defined anywhere as an interface name.  Do I need to substitute each of my interface names for these, or can I use 'any' with that destination object group?  I have 9 internal interfaces defined because of subnetting.

Thanks for the help.
