435 Views, 0 Helpful, 3 Replies

Cisco ASA VPN tunnel Issue - DMZ interface

rarunachalam, Level 1

I am trying to build a tunnel to a customer with NATs and I am able to get 3 out of the 4 networks to communicate. The 1 network that doesn't respond is a DMZ network. Config snippets below. What am I doing wrong with the 10.0.87.0/24 network? The error on the log is "Routing failed to locate next hop"

interface Ethernet0/1
 speed 100
 duplex half
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0 
 ospf cost 10
 rip send version 1
!
interface Ethernet0/2
 nameif DMZ
 security-level 4
 ip address 172.16.1.1 255.255.255.0 
 ospf cost 10

object network obj-172.16.1.0
 subnet 172.16.1.0 255.255.255.0

object network comm-10.240.0.0
 subnet 10.240.0.0 255.255.0.0
object network obj-10.0.12.0
 subnet 10.0.12.0 255.255.255.0
object network obj-10.0.14.0
 subnet 10.0.14.0 255.255.255.0
object network DNI-NAT1
 subnet 10.0.84.0 255.255.255.0
object network DNI-NAT2
 subnet 10.0.85.0 255.255.255.0
object network DNI-NAT3
 subnet 10.0.86.0 255.255.255.0
object network DNI-NAT4
 subnet 10.0.87.0 255.255.255.0

object-group network DNI_NAT
 network-object object DNI-NAT1
 network-object object DNI-NAT2
 network-object object DNI-NAT3
 network-object object DNI-NAT4

access-list DNI_VPN_NAT1 extended permit ip 10.0.0.0 255.255.255.0 object comm-10.240.0.0 
access-list DNI_VPN_NAT2 extended permit ip 10.0.12.0 255.255.255.0 object comm-10.240.0.0 
access-list DNI_VPN_NAT3 extended permit ip 10.0.14.0 255.255.255.0 object comm-10.240.0.0 
access-list DNI_VPN_NAT4 extended permit ip 172.16.1.0 255.255.255.0 object comm-10.240.0.0 
access-list DNI-VPN-Traffic extended permit ip object-group DNI_NAT object comm-10.240.0.0

nat (inside,outside) source static obj-10.0.12.0 DNI-NAT2 destination static comm-10.240.0.0 comm-10.240.0.0 net-to-net no-proxy-arp
nat (inside,outside) source static obj-10.0.14.0 DNI-NAT3 destination static comm-10.240.0.0 comm-10.240.0.0 net-to-net no-proxy-arp
nat (inside,outside) source static obj-172.16.1.0 DNI-NAT4 destination static comm-10.240.0.0 comm-10.240.0.0 net-to-net no-proxy-arp

Accepted Solution

Hello,

I see that the issue here is the NAT statement:

nat (inside,outside) source static obj-172.16.1.0 DNI-NAT4 destination static comm-10.240.0.0 comm-10.240.0.0 net-to-net no-proxy-arp

The correct statement would be:

nat (DMZ,outside) source static obj-172.16.1.0 DNI-NAT4 destination static comm-10.240.0.0 comm-10.240.0.0 net-to-net no-proxy-arp

Go ahead and do a packet tracer:

packet-tracer input DMZ tcp 172.16.1.15 443 10.240.X.X detailed

So you will see the NAT exempt working now.

Let me know how it works out!

Please don't forget to rate and mark as correct the helpful post!

Regards,

David Castro

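As an added example (not code from the thread, from Cisco, or from David), here is a small Python checker that reads the interface, object network and twice-NAT lines of an ASA config and flags a "source static" rule whose real source object is directly connected to a different interface than the one named in the rule. That is exactly the mismatch above: obj-172.16.1.0 sits on the DMZ interface, but the rule was written as nat (inside,outside). The sample config is a trimmed, constructed copy of the one posted in the question, and the interface and object names are the thread's own. Subnets that are not directly connected to any interface (such as 10.0.12.0/24, which is routed behind inside) are deliberately left alone, because without the routing table the checker cannot tell which interface they sit behind.

```python
import ipaddress
import re

# Constructed sample: a trimmed copy of the ASA config posted in the question,
# keeping the two interfaces, the objects the rules reference and two NAT rules.
SAMPLE_CONFIG = """\
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0
!
interface Ethernet0/2
 nameif DMZ
 security-level 4
 ip address 172.16.1.1 255.255.255.0
!
object network obj-172.16.1.0
 subnet 172.16.1.0 255.255.255.0
object network comm-10.240.0.0
 subnet 10.240.0.0 255.255.0.0
object network obj-10.0.12.0
 subnet 10.0.12.0 255.255.255.0
object network DNI-NAT2
 subnet 10.0.85.0 255.255.255.0
object network DNI-NAT4
 subnet 10.0.87.0 255.255.255.0
nat (inside,outside) source static obj-10.0.12.0 DNI-NAT2 destination static comm-10.240.0.0 comm-10.240.0.0 net-to-net no-proxy-arp
nat (inside,outside) source static obj-172.16.1.0 DNI-NAT4 destination static comm-10.240.0.0 comm-10.240.0.0 net-to-net no-proxy-arp
"""

# Start of a twice-NAT rule: nat (real_if,mapped_if) source static REAL MAPPED ...
NAT_RE = re.compile(
    r"^nat \((?P<real_if>[^,]+),(?P<mapped_if>[^)]+)\) source static (?P<real>\S+) (?P<mapped>\S+)"
)


def parse_interfaces(config):
    """Map each nameif to the IPv4 network directly connected to that interface."""
    interfaces = {}
    block = None  # attributes of the 'interface' block currently being read
    for line in config.splitlines():
        if line.startswith("interface "):
            block = {}
            continue
        if block is None:
            continue
        words = line.split()
        if words[:1] == ["nameif"]:
            block["nameif"] = words[1]
        elif words[:2] == ["ip", "address"]:
            block["net"] = ipaddress.ip_interface(f"{words[2]}/{words[3]}").network
        if "nameif" in block and "net" in block:
            interfaces[block["nameif"]] = block["net"]
        if not line.startswith(" "):  # '!' or the next top-level command ends the block
            block = None
    return interfaces


def parse_objects(config):
    """Map each 'object network' name to its subnet (host objects are ignored)."""
    objects = {}
    name = None
    for line in config.splitlines():
        words = line.split()
        if words[:2] == ["object", "network"]:
            name = words[2]
        elif name and words[:1] == ["subnet"]:
            objects[name] = ipaddress.ip_network(f"{words[1]}/{words[2]}")
        elif not line.startswith(" "):
            name = None
    return objects


def parse_nat_rules(config):
    """Collect twice-NAT 'source static' rules with their interfaces and objects."""
    return [{**m.groupdict(), "line": line}
            for line in config.splitlines()
            if (m := NAT_RE.match(line))]


def check_nat_interfaces(config):
    """Flag rules whose real object is directly connected to an interface other
    than the real interface the rule names. Objects not connected to any
    interface (routed subnets) are skipped, since the routing table is unknown."""
    interfaces = parse_interfaces(config)
    objects = parse_objects(config)
    findings = []
    for rule in parse_nat_rules(config):
        real_net = objects.get(rule["real"])
        if real_net is None:
            continue  # object not defined in this snippet
        connected = [ifname for ifname, net in interfaces.items() if real_net.subnet_of(net)]
        if connected and rule["real_if"] not in connected:
            # Rewrite only the real-interface half of "(inside,outside)".
            fixed = rule["line"].replace(f"({rule['real_if']},", f"({connected[0]},", 1)
            findings.append({"object": rule["real"], "declared": rule["real_if"],
                             "connected": connected[0], "fix": fixed})
    return findings


if __name__ == "__main__":
    for f in check_nat_interfaces(SAMPLE_CONFIG):
        print(f"{f['object']} is connected to '{f['connected']}' but the rule names '{f['declared']}'")
        print("suggested rule:", f["fix"])
```

Running it against the sample reports the single obj-172.16.1.0 rule and prints the corrected nat (DMZ,outside) line; the obj-10.0.12.0 rule is not reported because that subnet is routed rather than directly connected. A check like this only narrows the search; the on-box confirmation is still the packet-tracer run from the DMZ interface that the answer suggests.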

3 Replies


Thank you David,

I am going to go jump off a cliff now. This was silly!

It was a pleasure to help you on this!!

Have a great day!

David Castro