07-09-2012 12:37 PM - edited 03-11-2019 04:28 PM
Hi all,
We have a site-to-site VPN connection to one of our clients, through which we both access our applications and other resources. Now the client needs to access two of our internal servers, so we have created static NATs in our ASA. For one server they are accessing it without any issues, but to the other server they are not able to connect. Since it's a VPN tunnel we haven't blocked any ports and it's open to all traffic, but on their side they have restricted it, and we need to see whether the packets are hitting our ASA or not. Once we observe this, it's easy for us to escalate to them. I tried the packet capture wizard in ASDM, but it's not showing anything. Can anyone tell me how to capture packets related to static NAT? Please let me know if you want any other details.
local 20.0.0.0/24 --> this gets NATed to --> 12.0.6.0/24 when going into the tunnel
We have created:
static(outside,inside) 12.0.6.10 20.0.0.10 255.255.255.255    (working)
static(outside,inside) 12.0.6.11 20.0.0.11 255.255.255.255    (not working; we need to check whether it's hitting 12.0.6.11)
Kindly advise...
Regards,
Bala
07-09-2012 08:18 PM
Your static NAT is incorrect; it's the other way round. It should be:
static (inside,outside) 12.0.6.10 20.0.0.10 netmask 255.255.255.255
static (inside,outside) 12.0.6.11 20.0.0.11 netmask 255.255.255.255
Not sure if you want to restrict the NATing to that if you are just going towards the remote subnet; if you are, then you would need to create static policy NAT as follows:
access-list nat-to-client permit ip 20.0.0.0 255.255.255.0 <REMOTE-SUBNET> <REMOTE-MASK>
static (inside,outside) 12.0.6.0 access-list nat-to-client
The above will NAT the whole 20.0.0.0/24 subnet to 12.0.6.0/24 when going towards the remote client subnet (the ACL's destination, shown here as a placeholder, is the remote client's subnet and mask).
07-09-2012 11:31 PM
Jennifer,
Thanks for your reply. It was a typo in my question; I have added the static NAT properly with the "netmask" statement. We have also added NAT for nat-to-client, but in our case we have used global NAT. All other traffic to and from the VPN is working fine. My doubt is whether on the client side they have properly opened ports and configured NAT correctly or not. If we capture packets for the respective traffic, we can easily corner the problem. Kindly check this; it would be really helpful if you could guide me towards capturing packets.
Thanks,
Bala
Sent from Cisco Technical Support Android App
07-10-2012 01:29 AM
Where are you trying to initiate the connection from?
If they are trying to initiate the connection towards your end, and the traffic doesn't reach your end, then there will be nothing on your ASA packet capture.
Please share what you have configured to capture the traffic.
To check if the traffic is reaching the inside interface, just configure an ACL between source (real IP) and destination (remote IP), and apply the capture on the inside interface. This will confirm if the traffic is coming inbound towards the inside interface.
To check if the traffic is leaving the inside interface towards the host behind your ASA, configure an ACL between source (remote IP) and destination (host real IP), and apply the capture on the inside interface. This will confirm if the traffic is leaving your ASA inside interface towards the host.
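The capture that Jennifer describes, written out as an added ASA CLI example (not posted in this thread). It assumes the thread's real inside address 20.0.0.11 and its translated address 12.0.6.11; the client's host address is not given in the thread, so `<CLIENT-HOST-IP>` is a placeholder. The point a capture on the inside interface must get right is that the translated address 12.0.6.11 exists only on the outside side of the NAT, so the inside capture ACL must use the real address 20.0.0.11, which is one reason a capture built around 12.0.6.11 shows nothing.

```cisco
! Added example, not from the thread. Replace <CLIENT-HOST-IP> with the
! client's (un-NATed) host address. 20.0.0.11 is the real inside address
! from the question; 12.0.6.11 is its translated address on the outside.

! 1. ACL matching both directions between the real host and the client.
!    On the inside interface the packets carry the real address, never
!    12.0.6.11, so the ACL must use 20.0.0.11.
access-list CAP-NAT11 extended permit ip host 20.0.0.11 host <CLIENT-HOST-IP>
access-list CAP-NAT11 extended permit ip host <CLIENT-HOST-IP> host 20.0.0.11

! 2. Capture on the inside interface using that ACL.
!    Packets from the client appear here after decryption and un-NAT;
!    replies from the server appear here before NAT and encryption.
capture cap-in interface inside access-list CAP-NAT11

! 3. Confirm the static translation itself is installed.
show xlate | include 20.0.0.11

! 4. Without waiting for the client, simulate the client's packet arriving
!    from the tunnel to see whether NAT, the crypto map and the ACLs would
!    pass it (port 80 is an arbitrary example port).
packet-tracer input outside tcp <CLIENT-HOST-IP> 1025 12.0.6.11 80

! 5. Have the client retry, then inspect; the capture shows the real
!    addresses. Clean up afterwards.
show capture cap-in
no capture cap-in
no access-list CAP-NAT11 extended permit ip host 20.0.0.11 host <CLIENT-HOST-IP>
no access-list CAP-NAT11 extended permit ip host <CLIENT-HOST-IP> host 20.0.0.11
```

If the inside capture stays empty while packet-tracer shows the flow allowed, the client's packets are not reaching the ASA through the tunnel, which is the evidence needed for the escalation to the client side.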