We have a site-to-site VPN connection to one of our clients, through which we both access our applications and other resources. Now the client needs to access two of our internal servers, so we have created static NATs on our ASA. One server they are accessing without any issues, but the other server they are not able to connect to. Since it's a VPN tunnel we haven't blocked any ports and it's open to all traffic. On their side, however, they have restrictions, and we need to see whether the packets are hitting our ASA or not. Once we observe this, it's easy for us to escalate to them. I tried the packet capture wizard in ASDM, but it's not showing anything. Can anyone tell me how to capture packets related to a static NAT? Please let me know if you want any other details.
local 220.127.116.11/24 --> this will get NATed to --> 18.104.22.168/24 when going into the tunnel
We have created:
static(outside,inside) 22.214.171.124 126.96.36.199 255.255.255.255 working
static(outside,inside) 188.8.131.52 184.108.40.206 255.255.255.255 not working, we need to check whether it's hitting 220.127.116.11
Your static NAT is incorrect, it's the other way round. It should be:
static (inside,outside) 18.104.22.168 22.214.171.124 netmask 255.255.255.255
static (inside,outside) 126.96.36.199 188.8.131.52 netmask 255.255.255.255
Not sure if you want to restrict the NATing to only traffic going towards the remote subnet; if you do, you would need to create a static policy NAT as follows:
access-list nat-to-client permit ip 184.108.40.206 255.255.255.0
static (inside,outside) 220.127.116.11 access-list nat-to-client
The above will NAT the whole 18.104.22.168/24 subnet to 22.214.171.124/24 when going towards the remote client subnet.
Thanks for your reply. It was a typo in my question, and I have added the static NAT properly with the "netmask" statement. We have also added NAT for nat-to-client, but in our case we have used global NAT. All other traffic to and from the VPN is working fine. My doubt is whether on the client side they have properly opened ports and configured NAT correctly or not. If we capture packets for the respective traffic, we can easily narrow down the problem. Kindly check this; it would be really helpful if you could guide me towards capturing packets.
Sent from Cisco Technical Support Android App
Where are you trying to initiate the connection from?
If they are trying to initiate the connection towards your end, and the traffic doesn't reach your end, then there will be nothing on your ASA packet capture.
Please share what you have configured to capture the traffic.
To check if the traffic is reaching the inside interface, just configure an ACL between source (host real IP) and destination (remote IP), and apply the capture on the inside interface. This will confirm if the traffic is coming inbound towards the inside interface.
To check if the traffic is leaving the inside interface towards the host behind your ASA, configure an ACL between source (remote IP) and destination (host real IP), and apply the capture on the inside interface. This will confirm if the traffic is leaving your ASA inside interface towards the host.
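A concrete version of the capture procedure described in the answer above, added here as an example and not part of the original thread. All addresses and capture names are constructed placeholders, and the syntax is the pre-8.3 ASA form that matches the thread's static (inside,outside) commands. It adds one thing the answer only implies: on the outside interface the ACL must use the mapped (NATed) address, while on the inside interface it must use the real address, so a capture on each side tells you at which hop the traffic stops.

```cisco
! Added example (not from the thread). Constructed placeholder addresses:
!   10.1.1.20       = real (inside) IP of the server that is not reachable
!   203.0.113.20    = mapped IP that the static NAT presents to the tunnel
!   198.51.100.0/24 = remote client's subnet
! Pre-8.3 ASA syntax, matching the static (inside,outside) form used above.

! 1. Outside interface: match on the MAPPED address. Packets here prove the
!    client's traffic is arriving through the tunnel at all.
access-list CAP-OUT extended permit ip 198.51.100.0 255.255.255.0 host 203.0.113.20
access-list CAP-OUT extended permit ip host 203.0.113.20 198.51.100.0 255.255.255.0
capture cap-out access-list CAP-OUT interface outside

! 2. Inside interface: match on the REAL address. Packets here prove the ASA
!    forwarded the traffic to the host, and show whether the host replies.
access-list CAP-IN extended permit ip 198.51.100.0 255.255.255.0 host 10.1.1.20
access-list CAP-IN extended permit ip host 10.1.1.20 198.51.100.0 255.255.255.0
capture cap-in access-list CAP-IN interface inside

! 3. Optional: record anything the ASA itself discards (ACL, NAT or VPN
!    ordering problems show up here with a drop reason).
capture cap-drop type asp-drop all

! Ask the client to retry the connection, then inspect the buffers.
show capture cap-out
show capture cap-in
show capture cap-drop

! 4. Simulate one client packet through the ACL/NAT/VPN path without waiting
!    for the client (assumed source port 40000 and destination port 443).
packet-tracer input outside tcp 198.51.100.10 40000 203.0.113.20 443

! Clean up: captures keep running and consume memory until removed.
no capture cap-out
no capture cap-in
no capture cap-drop
clear configure access-list CAP-OUT
clear configure access-list CAP-IN
```

Reading the results: an empty cap-out after a client retry means the traffic never reached your ASA, which is the evidence needed to escalate to the client; SYNs in cap-out but nothing in cap-in points at the ASA's own NAT, ACL or crypto configuration (check cap-drop and the packet-tracer verdict); SYNs in cap-in with no SYN-ACK back from 10.1.1.20 means the server or a host firewall on it is not answering.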