I have configured my Cisco ASA to translate internal addresses to the external (WAN) interface. Everything works right; the internet connection works as expected.
I have created a site-to-site tunnel between the ASA and AWS. I was able to ping resources on AWS from hosts behind the ASA, but not the other way around. I have finally discovered that the problem is with the NAT rules.
Here is how I have this set up:
If I disable the last rule (#3), I am able to access internal hosts from AWS, but I am not able to access the internet.
How do I set this up so that when I communicate to and from AWS, inside addresses are not translated, but if I initiate communication from inside to anywhere other than AWS, the ASA translates everything to outside (WAN)?
obj-amz (VPC in AWS 188.8.131.52)
obj-SrcNet (Subnet INSIDE - behind ASA 10.0.1.0)
Thank you Richard. I have changed rule number 3 (source NAT type) from Dynamic PAT to Static, and it worked like a charm.
Can you please explain a little more on how it works? I really would like to understand this concept. Maybe you know some articles or YouTube tutorials that can be helpful.
I don't understand why rules number 1 and 2 were not overriding rule number 3
I am a bit confused. In a previous response you said that you changed rule 3 and it worked. In the most recent post what I see as rule 2 looks to be the same as original rule 3, not a changed rule.
 Apparently while I was typing my response the post was changed from one saying that there was still a problem to saying that it is fixed. Glad to know that it is fixed.
That is correct. I was as confused as you are. Yesterday, after I changed rule number 3 to static NAT, everything worked great. Therefore I got rid of some rules that were not needed, and everything was still working as expected.
This was not the case anymore this morning... I have no idea why, but I followed the articles suggested by George, set up the exemption rule, and now everything seems to be working again.
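The arrangement the thread ends up with, written out as an added ASA CLI example (not configuration from the original post): the broken state with only the dynamic PAT rule, beside the corrected state where an identity (exemption) NAT rule for inside-to-VPC traffic sits above it. The object names and addresses are taken from the thread; the subnet masks and the use of the outside interface address as the PAT target are assumptions.

```cisco
! Objects named in the thread; masks are assumptions, substitute your real prefixes
object network obj-SrcNet
 subnet 10.0.1.0 255.255.255.0
object network obj-amz
 subnet 188.8.131.52 255.255.255.255
!
! --- Broken: only the original rule #3 (dynamic PAT for everything leaving inside) ---
! Every inside-initiated flow, including flows to the VPC, is PAT'd to the outside
! address, and AWS-initiated flows toward 10.0.1.0 hosts have no usable translation.
nat (inside,outside) source dynamic obj-SrcNet interface
!
! --- Corrected: identity NAT (exemption) first, dynamic PAT second ---
! Manual NAT rules are evaluated top-down and the first match wins, so the
! exemption must precede the PAT rule; the "1" pins it to the top of section 1.
! Source and destination are translated to themselves, so traffic between
! obj-SrcNet and obj-amz crosses the tunnel with its real addresses in both
! directions, while everything else from obj-SrcNet still hits the PAT rule.
nat (inside,outside) 1 source static obj-SrcNet obj-SrcNet destination static obj-amz obj-amz no-proxy-arp route-lookup
nat (inside,outside) source dynamic obj-SrcNet interface
```

Verify the order with `show nat` (the exemption line must be listed before the PAT line) and test with `packet-tracer input inside tcp 10.0.1.10 12345 188.8.131.52 443` (constructed sample addresses), where the NAT phase should show the identity rule, not the PAT rule.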