08-06-2010 06:56 AM
Hi
I'm having problems accessing other networks off the ASA interfaces. I can VPN in and access anything on the inside interface and beyond into the core. When I try and access a DMZ server off the ASA I get errors about asymmetric NAT. VPN client comes in as an address of 10.112.15.x.
Can anyone help?
I have attached some of the config.
show ip address:
GigabitEthernet0/0 outside x.x.x.x 255.255.255.0 CONFIG
GigabitEthernet0/1 inside 10.112.2.250 255.255.255.0 CONFIG
GigabitEthernet0/2.610 DMZ_External 10.112.7.254 255.255.255.0 CONFIG
GigabitEthernet0/2.620 DMZ_Internal 10.112.6.254 255.255.255.0 CONFIG
GigabitEthernet0/2.640 DMZ_Mgmt 10.112.10.254 255.255.255.0 CONFIG
Elements from config:
access-list nonat extended permit ip 10.112.0.0 255.240.0.0 10.112.7.0 255.255.255.0
access-list nonat extended permit ip 10.112.0.0 255.240.0.0 10.112.10.0 255.255.255.0
access-list nonat extended permit ip 10.112.0.0 255.240.0.0 10.112.6.0 255.255.255.0
access-list nonat extended permit ip 10.112.0.0 255.240.0.0 10.112.15.0 255.255.255.0
nat-control
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 10.112.0.0 255.240.0.0
route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
route inside 10.112.0.0 255.240.0.0 10.112.2.254 1
Any pointers on what I'm doing wrong?
Thanks.
08-06-2010 07:12 AM
Hello,
The reason is because you do not have a nonat rule for the DMZ traffic.
access-list dmz_nonat extended permit ip 10.112.6.0 255.255.255.0 10.112.15.0 255.255.255.0
nat (DMZ_Internal) 0 access-list dmz_nonat
This should fix your issue.
Regards,
NT
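The answer's point is that NAT exemption on an ASA is evaluated per ingress interface: the `nat (inside) 0` rule only exempts traffic that enters on inside, so the DMZ side of a VPN-to-DMZ flow has no matching exemption and the two directions are treated differently. The following script is an added example, not part of this thread or any Cisco tool. It parses the 8.2-style `access-list` / `nat (if) 0` lines from the post, maps each host to the interface that owns its subnet (interface table taken from the "show ip address" output above), and reports, for a host pair, which interior interfaces exempt the pair. The "after" config is the accepted answer's fix written out in full extended-ACL syntax and bound to the `DMZ_Internal` nameif from the post; the assumption that the DMZ server sits on DMZ_Internal, and the sample host addresses, are constructed for the example. It models the exemption rules only, not the ASA's complete NAT order of operations.

```python
import ipaddress
import re

# Constructed sample: interface table from the original post's "show ip address"
# (nameif -> connected subnet). Anything outside these subnets is treated as
# reachable via "outside", which is where the VPN clients (10.112.15.0/24) arrive.
INTERFACES = {
    "inside": ipaddress.ip_network("10.112.2.0/24"),
    "DMZ_External": ipaddress.ip_network("10.112.7.0/24"),
    "DMZ_Internal": ipaddress.ip_network("10.112.6.0/24"),
    "DMZ_Mgmt": ipaddress.ip_network("10.112.10.0/24"),
}

# Constructed sample: the NAT-related lines from the original post.
CONFIG_BEFORE = """
access-list nonat extended permit ip 10.112.0.0 255.240.0.0 10.112.7.0 255.255.255.0
access-list nonat extended permit ip 10.112.0.0 255.240.0.0 10.112.10.0 255.255.255.0
access-list nonat extended permit ip 10.112.0.0 255.240.0.0 10.112.6.0 255.255.255.0
access-list nonat extended permit ip 10.112.0.0 255.240.0.0 10.112.15.0 255.255.255.0
nat-control
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 10.112.0.0 255.240.0.0
"""

# The accepted answer's fix in full extended-ACL syntax, bound to the DMZ_Internal
# nameif. Assumption (constructed): the DMZ server in question is on DMZ_Internal.
CONFIG_AFTER = CONFIG_BEFORE + """
access-list dmz_nonat extended permit ip 10.112.6.0 255.255.255.0 10.112.15.0 255.255.255.0
nat (DMZ_Internal) 0 access-list dmz_nonat
"""

ACL_RE = re.compile(r"^access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)$")
NAT0_RE = re.compile(r"^nat \((\S+)\) 0 access-list (\S+)$")


def net(addr, mask):
    """Build a network from the dotted address/mask pair used in ASA ACLs."""
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse_exemptions(config_text):
    """Map each nameif that has 'nat (if) 0 access-list X' to X's (src, dst) network pairs."""
    acls, bindings = {}, {}
    for raw in config_text.splitlines():
        line = raw.strip()
        m = ACL_RE.match(line)
        if m:
            name, s, sm, d, dm = m.groups()
            acls.setdefault(name, []).append((net(s, sm), net(d, dm)))
            continue
        m = NAT0_RE.match(line)
        if m:
            bindings[m.group(1)] = m.group(2)
    return {iface: acls.get(acl, []) for iface, acl in bindings.items()}


def owning_interface(ip):
    """Interface whose connected subnet contains ip; everything else is behind 'outside'."""
    for iface, subnet in INTERFACES.items():
        if ip in subnet:
            return iface
    return "outside"


def exempts(exemptions, iface, src, dst):
    """True if iface's nat 0 ACL has a line covering src -> dst."""
    return any(src in s and dst in d for s, d in exemptions.get(iface, []))


def exemption_status(config_text, a_ip, b_ip):
    """Per interior interface owning one end of the pair: does it exempt traffic to the peer?
    The outside interface carries no nat 0 binding in this config, so it is not listed."""
    exemptions = parse_exemptions(config_text)
    a, b = ipaddress.ip_address(a_ip), ipaddress.ip_address(b_ip)
    status = {}
    for local, peer in ((a, b), (b, a)):
        iface = owning_interface(local)
        if iface != "outside":
            status[iface] = exempts(exemptions, iface, local, peer)
    return status


def is_symmetric(config_text, a_ip, b_ip):
    """True when every interior interface involved exempts the pair (no one-sided exemption)."""
    return all(exemption_status(config_text, a_ip, b_ip).values())


if __name__ == "__main__":
    vpn_client, dmz_server, inside_host = "10.112.15.20", "10.112.6.10", "10.112.2.10"
    for label, cfg in (("before", CONFIG_BEFORE), ("after", CONFIG_AFTER)):
        print(label, "VPN<->DMZ   ", exemption_status(cfg, vpn_client, dmz_server))
        print(label, "VPN<->inside", exemption_status(cfg, vpn_client, inside_host))
```

Run it as-is: with the original config the VPN-to-inside pair is exempted on inside, while the VPN-to-DMZ pair has no exemption on DMZ_Internal at all; once the `dmz_nonat` rule is bound to DMZ_Internal both interior interfaces agree. The same check can be pointed at any other host pair on the box to spot one-sided `nat 0` coverage before a user reports it.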
08-09-2010 05:15 AM
Thanks. Worked a treat!