01-25-2013 08:38 AM - edited 03-11-2019 05:52 PM
Hi All
I have an issue where I am trying to NAT the IP address of a server on my inside network "only" when connecting to a server at the other end of a VPN.
I have come up with the config below, and this works fine outbound: the VPN is up, I can initiate connections to the remote server and it is NATted, and if I connect to a public address it translates to the interface as it should.
However, if the remote server tries to connect to the inside server on the NAT address, it doesn't work. Now at the moment I'm not sure if it's because I've misconfigured my end or the 3rd party has misconfigured their end (I've no access to their config).
Should the NAT config below translate in both directions? Or do I need to do anything else? I'd really appreciate confirmation that the below is correct/incorrect.
ASA 5520 Software Version 8.4(4)1
inside server:- 192.168.3.81
inside server nat:- 172.20.0.1
remote server:- 10.149.1.31
object network obj-sql06
 host 192.168.3.81
 description server on inside network
object network obj-s-nat-source-address-for-sql06-to-saffron-server
 host 172.20.0.1
 description nat address used when connecting to remote Server
object network obj-s-nat-saffron-server
 host 10.149.1.31
 description remote server address
nat (inside,outside) source static obj-sql06 obj-s-nat-source-address-for-sql06-to-saffron-server destination static obj-s-nat-saffron-server obj-s-nat-saffron-server
Regards
Chris
01-25-2013 09:11 AM
Yes, that rule is bidirectional - you do not need to configure any more NAT.
Did you try to capture received traffic? Maybe on the other site, when the remote server initiates the connection, traffic is leaving untranslated or translated to a different IP than you expect (obj-s-nat-saffron-server)?
What do you see in the logs?
---
Michal
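The checks Michal suggests, written out as ASA commands against Chris's addresses. This is an added example, not part of the thread or of Cisco's documentation for this post; TCP port 1433 is an assumption (the thread never names the service), and the capture names are arbitrary. The useful point for a twice-NAT rule on 8.3+ is that `show nat detail` keeps two counters: `translate_hits` for inside-to-outside matches and `untranslate_hits` for outside-to-inside matches, so the inbound direction can be confirmed without touching the remote side.

```cisco
! Added verification commands (not from the thread). Addresses are Chris's;
! TCP port 1433 is an assumption, the thread never names the service.

! 1. Outbound direction: inside server -> remote server over the VPN.
!    The NAT phase should show 192.168.3.81 translated to 172.20.0.1.
packet-tracer input inside tcp 192.168.3.81 12345 10.149.1.31 1433 detailed

! 2. Inbound direction: remote server -> NAT address of the inside server.
!    This simulates the decrypted inner packet arriving on "outside" and
!    should show an UN-NAT phase mapping 172.20.0.1 back to 192.168.3.81.
packet-tracer input outside tcp 10.149.1.31 12345 172.20.0.1 1433 detailed

! 3. Hit counters on the twice-NAT rule. Reset them, have the remote side try
!    to connect, then read them back. If untranslate_hits stays at 0 while
!    the remote side is connecting, their packets are arriving with a
!    destination other than 172.20.0.1, or are not arriving at all.
clear nat counters
show nat detail

! 4. Capture what actually arrives on the outside interface from the remote
!    server, and what (if anything) is forwarded to the real server inside.
capture CAPOUT interface outside match ip host 10.149.1.31 any
capture CAPIN  interface inside  match ip host 10.149.1.31 host 192.168.3.81
! ... have the remote side attempt a connection, then:
show capture CAPOUT
show capture CAPIN
no capture CAPOUT
no capture CAPIN

! 5. Active translations and any syslog lines involving either address.
show xlate
show logging | include 10.149.1.31
show logging | include 172.20.0.1
```

If CAPOUT shows the remote server's packets addressed to something other than 172.20.0.1, the problem is on the remote side (their routing or their own NAT); if CAPOUT shows the expected destination but untranslate_hits does not move and CAPIN stays empty, the rule on the ASA is not matching and its objects and interface pair are worth re-checking.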
01-25-2013 09:18 AM
Thanks for that, I'll have to do some more investigation. They aren't doing any NAT translation at their end (I hope).
The bloke at the other end had to dash off, so we are going to do some more testing Monday. I was just worried it was the NAT at my end, but if it's bidirectional then it shouldn't be, so that sets my mind at rest.
Hopefully they've just got a rule wrong somewhere, and it will be easily fixed. Routing should be OK as I get replies when I ping the saffron server.
I shall let you know how I get on.
01-29-2013 08:48 AM
Got it working. Not quite sure why it wasn't in the first place, but removing the NAT config and reinstating it fixed it. The bloke at the other end swears he never changed anything as well.
Thanks very much for your help.