Dan,

thanks for the reply nut when I issued that command it didn't change the situation.

the way I am testing this is I have a machine that I am remotely connected to at each client site. At Client2, who I do not have access to thier firewall, I have added a static route on the PC to route all traffic for 192.168.51.0/24 to the dmz vlan IP on my ASA.

I am still able to ping the machine on client2's network FROM client1 but not vice versa.

thanks for your help.

Micah

Hi Micah ,

The thing is that for example the Med Manager Server has to have a route for the 192.168.51.0/24 to 192.168.50.217 , which is the ASA FW. I suppose that there is no Layer 3 equipment in vlan 12 besides the 2 firewalls .

Regards

Dan

I can bet that your ping works from .192.168.51.0 to 192.168.50.0 . Why ?

You have nat in place

global (dmz) 2 interface

nat (inside) 2 access-list inside_nat_outbound

And all the traffic from 192.168.51.0 is snated  to the ASA interface IP.

Regards

Dan

Correct, so if I remove the NAT and ensure that I have a route added on the 192.168.50.0 machines to point to 192.168.50.217 I should be able to get bi-directional traffic?

Yes, you are correct.

You will be able to have bidirectional traffic also using static nat : each 192.168.51.0 host will have a 192.168.50.x address.

As an example : static (inside,dmz) 192.168.50.50 192.168.51.51

The 192.168.50.x hosts can communicate with 192.168.51.51 using 192.168.50.50 destination address.

First solution : it's simpler , but you have to add the route on the hosts

Second solution : depends on how many addresses are used int 192.168.50.x and how many hosts are int 192.168.51. that need to talk with the other client.

Dan

What specific commands do need to run to remove NAT only on the traffic between the inside and the dmz network? I don't want to remove NAT between inside and outside.

Keep in mind that I do need to NAT traffic coming from the inside interface to the outside interface.

Also, you are correct. I only have the layer 2 switches and the firewall. No other equipment.

Ok, then:

no nat-control

no global (dmz) 2 interface

no nat (inside) 2 access-list inside_nat_outbound

+

route 192.168.51.0/24 -> 192.168.50.217

Furthermore if you do not need to nat anything you can delete all nat & global config.

Regards

Dan

Okay, I removed those lines from the config and now I am not able to ping from either side. I also removed these lines:

nat (dmz) 0 access-list dmz_nat0_outbound

access-list dmz_nat0_outbound extended permit ip any any

but it didn't help, currently with those lines removed I no longer have traffic from either side. Any thoughts?

here is the current config with those lines removed. Do I have to make changes to the access-lists as well?

: Saved

:

ASA Version 8.2(5)

!

hostname TEXASVOICE

names

name 192.168.50.4 NETMEN

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

switchport access vlan 12

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

!

interface Vlan1

nameif inside

security-level 100

ip address 192.168.51.1 255.255.255.0

!

interface Vlan2

nameif outside

security-level 0

ip address 172.25.10.31 255.255.255.0

!

interface Vlan12

no forward interface Vlan2

nameif dmz

security-level 100

ip address 192.168.50.217 255.255.255.0

!

ftp mode passive

same-security-traffic permit inter-interface

access-list inside_access_in extended permit ip any any

access-list outside_access_in extended permit icmp any any echo-reply

access-list outside_access_in extended permit icmp any any echo

access-list outside_access_in extended permit icmp any any time-exceeded

access-list outside_access_in extended permit icmp any any unreachable

access-list outside_access_in extended permit tcp 10.1.100.0 255.255.255.0 192.168.51.0 255.255.255.0 eq 9100

access-list outside_access_in extended permit tcp 10.1.100.0 255.255.255.0 192.168.51.0 255.255.255.0 eq lpd

access-list DATACENTER-VPN extended permit ip 192.168.51.0 255.255.255.0 10.1.100.0 255.255.255.0

access-list nonatvpn extended permit ip 192.168.51.0 255.255.255.0 10.1.100.0 255.255.255.0

access-list inside_nat_outbound extended permit ip any 192.168.50.0 255.255.255.0

access-list dmz_access_in extended permit ip any any

access-list dmz_access_out extended permit ip any any

pager lines 24

logging asdm informational

mtu inside 1500

mtu outside 1500

mtu dmz 1500

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 0 access-list nonatvpn

nat (inside) 1 0.0.0.0 0.0.0.0

access-group inside_access_in in interface inside

access-group outside_access_in in interface outside

access-group dmz_access_in in interface dmz

access-group dmz_access_out out interface dmz

route outside 0.0.0.0 0.0.0.0 172.25.10.1 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

http server enable

http 0.0.0.0 0.0.0.0 inside

http 0.0.0.0 0.0.0.0 outside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

no sysopt connection permit-vpn

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto map outside_map 1 match address DATACENTER-VPN

crypto map outside_map 1 set peer 69.39.160.194

crypto map outside_map 1 set transform-set ESP-3DES-SHA

crypto map outside_map interface outside

crypto isakmp identity address

crypto isakmp enable outside

crypto isakmp policy 10

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

telnet timeout 5

ssh 0.0.0.0 0.0.0.0 inside

ssh 0.0.0.0 0.0.0.0 outside

ssh timeout 60

console timeout 0

management-access inside

dhcpd dns 10.110.12.8 10.120.62.15

dhcpd auto_config outside

!

dhcpd address 192.168.51.100-192.168.51.199 inside

dhcpd enable inside

!

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

webvpn

tunnel-group 69.39.160.194 type ipsec-l2l

tunnel-group 69.39.160.194 ipsec-attributes

pre-shared-key *****

!

!

prompt hostname context

no call-home reporting anonymous

Cryptochecksum:6addb3d103a9d829f96d5a1fa9b7ffad

: end

Hi ,

You have to add a route on the 192.168.50.x hosts for the 192.168.51.0/24 prefix toward the ASA interface 192.168.50.217. did you add this route ?

Regards

Dan

Yes, I have had that added for a while. I thought that was going to be the only hurdle.

Prior to these changes I was able to access the whole 192.168.50.x network from the 192.168.51.x network. Now I am not able to access anything from either network.

You will have to add this route on the 192.168.50.x host.

I suppose that the 192.168.50 host has a default route to the Juniper firewall , so all the packets outside 192.168.50.0 host - this includes 192.168.51.0 - will be forwarded to the Juniper. In order to communicate through the ASA , you must add a route for 192.168.51.0 255.255.255.0 to 192.168.50.217

Regards