Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
4141
Views
0
Helpful
3
Replies

Static policy nat problem

Go to solution
the-kamikaze
Level 1
Level 1

‎01-25-2013 08:38 AM - edited ‎03-11-2019 05:52 PM

Hi All

I have an issue where I am trying to nat the ip address of a server on my inside network "only" when connecting to a server at the other end of a vpn.

I have come up with the config below, and this works fine outbound, vpn is up and I can initiate connecections to the remote server and it is natted, and if I connect to a public address it translates to the interface as it should.

However if the remote server tries to connect to the inside server on the nat address, it doesn't work.  Now at the moment I'm not sure if its because I've misconfigured my end or the 3rd party has misconfigured their end (I've no access to their config).

Should the nat config below translate in both directions?  or do I need to do anything else?   I'd really appreciate confirmation that the below is correct/incorrect.

ASA 5520 Software Version 8.4(4)1

inside server:- 192.168.3.81

inside server nat:- 172.20.0.1

remote server:- 10.149.1.31

object network obj-sql06

host 192.168.3.81

description server on insde network  

object network obj-s-nat-source-address-for-sql06-to-saffron-server

host 172.20.0.1

description nat address used when connecting to remote Server

object network obj-s-nat-saffron-server

host 10.149.1.31

description remote server address

nat (inside,outside) source static obj-sql06 obj-s-nat-source-address-for-sql06-to-saffron-server destination static obj-s-nat-saffron-server obj-s-nat-saffron-server

Regards

Chris

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Michal Garcarz
Cisco Employee
Cisco Employee

‎01-25-2013 09:11 AM

Yes, that rule is bidirectional - you do not need to configure any more nat.

Did you try to capture received traffic ? Maybe on the other site when remote server initiating connection traffic is leaving untranslated or translated to different IP than you expect (obj-s-nat-saffron-server) ?

What do you see in logs ?

---

Michal

View solution in original post

0 Helpful
3 Replies 3

Go to solution
Michal Garcarz
Cisco Employee
Cisco Employee

‎01-25-2013 09:11 AM

Yes, that rule is bidirectional - you do not need to configure any more nat.

Did you try to capture received traffic ? Maybe on the other site when remote server initiating connection traffic is leaving untranslated or translated to different IP than you expect (obj-s-nat-saffron-server) ?

What do you see in logs ?

---

Michal

0 Helpful

Go to solution
the-kamikaze
Level 1
Level 1
In response to Michal Garcarz

‎01-25-2013 09:18 AM

Thanks for that, I'll have to do some more investigtation.   They aren't doing any nat translation at their end (I hope)

The bloke at the other end had to dash off, so we are going to do some more testing monday, I was just worried it was the nat at my end, but if its bidirectional then it shouldn't be, so that sets my mind at rest.

Hopefully they've just got a rule wrong somewhere, and will be easily fixed, routing should be ok as i get replies when I ping the saffron server

I shall let you know how I get on.

0 Helpful

Go to solution
the-kamikaze
Level 1
Level 1
In response to Michal Garcarz

‎01-29-2013 08:48 AM

Got it working.   Not quite sure why it wasn't in the first place but removeing the nat config and reinstating it fixed it.  The bloke at the other end swears he never changed anything as well.

Thanks very much for your help.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card