Re: ASA5505 Natting query

redrobish · ‎02-09-2009

hi experts,

we got a ipsec vpn bet our sites that is working for 2 years now without issue. Now we enabled the phone proxy features of the ASA and have it working without problem. However, after adding the phone proxy, we cannot reach the inside network of siteB from the inside(LAN) of siteA. there's a different vlan on the LAN at site A, says the ASA(site A) is on vlan 20 and the pc connected to the 6500 is on vlan 10. the pc on vlan 10 connected to the LAN (6500) cannot ping the inside of site B which was wirking before the phone proxy was enabled.

LAN (6500)---ASA(siteA)---vpn---ASA(siteB)--Lan.

orig config (w/out the phone proxy)

==================

access-list 101 extended permit ip x.x.x.x y.y.y.y

access-list 111 extended permit ip host x.x.x.y host x.y.y.y

nat (inside) 0 access-list 101

access-group 111 in interface outside

w/ phone proxy:

=====================================

access-list 101 extended permit ip x.x.x.x y.y.y.y

access-list 111 extended permit ip host x.x.x.y host x.y.y.y

global (inside) 55 interface

nat (inside) 0 access-list 101

nat (outside) 55 0.0.0.0 0.0.0.0 outside

access-group 111 in interface outside

=========================================

any workaround?

thnx

andrew.prince · ‎02-17-2009

You are natting to the inside fw interface. Either remove this or change the source encryption domain to include the firewall inside IP address.

HTH>

redrobish · ‎02-17-2009

Hi,

it's already fixed! sorry forgot to update this.

anyway, I've performed PAT on the specific ip address of the phone on the outside going inbound through the firewall instead of performing PAT on all outside traffic going inbound. like this;

nat (outside) 10 x.x.x.x 255.255.255.255 outside

global (inside) 10 interface

thanks andrew for the help though! i'll rate your help...

andrew.prince · ‎02-18-2009

that is one way of doing it!

np - glad to help.