01-14-2015 06:26 AM
All,
We have an ASA5520-K8 firewall through which internal customers connect and are given 10.26.206.0/23 IP addresses. They are, however, unable to ping or RDC to each other. A co-worker and I both connected to the firewall and VPN, and I tried to do a packet-tracer from my assigned internal IP to his assigned internal IP. The packet is dropped at Phase 10. As a newbie to ASAs, I need some assistance.
Phase: 10
Type: NAT
Subtype:
Result: DROP
Config:
nat (Outside) 10 access-list VPN_CLIENTS
match ip Outside 10.26.206.0 255.255.254.0 Outside any
dynamic translation to pool 10 (199.x.x.x [Interface PAT])
translate_hits = 5268139, untranslate_hits = 397840
Additional Information:
Forward Flow based lookup yields rule:
in id=0xc89cc760, priority=2, domain=nat, deny=false
hits=5364150, user_data=0xc89cc6c0, cs_id=0x0, flags=0x0, protocol=0
src ip=10.26.206.0, mask=255.255.254.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
============================
Username : weichenberger Index : 3455
Assigned IP : 10.26.206.174 Public IP : 70.x.x.x
Protocol : IKE IPsecOverNatT
License : IPsec
Encryption : AES128 AES256 Hashing : SHA1
Bytes Tx : 7573810 Bytes Rx : 2810147
Group Policy : JDL_VPN_Users Tunnel Group : SecureAuth-access
Login Time : 08:25:57 EST Wed Jan 14 2015
Duration : 0h:46m:42s
NAC Result : Unknown
VLAN Mapping : N/A VLAN : none
01-14-2015 07:41 AM
There are two configs that are needed:
1) NAT exemption for the outside interface. That is similar to what you have on the inside.
access-list outside_nat0 permit ip 10.26.206.0 255.255.254.0 10.26.206.0 255.255.254.0
nat (outside) 0 access-list outside_nat0
2) allow the ASA to send traffic back on the same interface where it was received:
same-security-traffic permit intra-interface
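As an added illustration (my own helper, not Cisco code and not from this thread), the script below parses the pre-8.3 NAT lines quoted here and mimics the two checks the answer turns on. It assumes, as a simplified model of packet-tracer's NAT phase, that nat 0 exemptions are evaluated before numbered dynamic rules and that a flow entering and leaving the same interface needs intra-interface permission; BEFORE and AFTER are constructed from the thread's own config lines.

```python
import ipaddress
import re
NAT_RE = re.compile(r"^nat \((\S+)\) (\d+) access-list (\S+)")
ACE_RE = re.compile(r"^access-list (\S+) (?:extended )?permit ip (.+)$")

def _nets(tokens):
    # 'A MASK B MASK' or 'A MASK any' -> two ip_network objects
    nets = []
    while tokens:
        if tokens[0] == "any":
            nets.append(ipaddress.ip_network("0.0.0.0/0"))
            tokens = tokens[1:]
        else:
            nets.append(ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False))
            tokens = tokens[2:]
    return nets

def parse_config(text):
    """Collect permit-ip ACEs by ACL name, nat statements and the intra-interface flag."""
    cfg = {"acls": {}, "nats": [], "intra": False}
    for raw in text.splitlines():
        line = raw.strip()
        if m := ACE_RE.match(line):
            cfg["acls"].setdefault(m[1], []).append(tuple(_nets(m[2].split())))
        elif m := NAT_RE.match(line):
            cfg["nats"].append((m[1].lower(), int(m[2]), m[3]))
        elif line == "same-security-traffic permit intra-interface":
            cfg["intra"] = True
    return cfg

def nat_phase(cfg, in_iface, out_iface, src_ip, dst_ip):
    """Simplified NAT phase: hairpin needs intra-interface; nat 0 wins over numbered rules."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    if in_iface.lower() == out_iface.lower() and not cfg["intra"]:
        return "DROP intra-interface not permitted"
    for iface, nat_id, acl in sorted(cfg["nats"], key=lambda n: n[1]):
        if iface == in_iface.lower() and any(
            s in sn and d in dn for sn, dn in cfg["acls"].get(acl, [])
        ):
            kind = "EXEMPT" if nat_id == 0 else "TRANSLATE"
            return f"{kind} nat ({iface}) {nat_id} access-list {acl}"
    return "NO-MATCH"

# Constructed: the thread's original NAT lines, then the two pieces the answer adds.
BEFORE = """nat (Outside) 10 access-list VPN_CLIENTS
access-list VPN_CLIENTS extended permit ip 10.26.206.0 255.255.254.0 any"""
AFTER = BEFORE + """
access-list outside_nat0 permit ip 10.26.206.0 255.255.254.0 10.26.206.0 255.255.254.0
nat (outside) 0 access-list outside_nat0
same-security-traffic permit intra-interface"""
```

Because the exemption ACL matches only pool-to-pool addresses, the hairpin opens client-to-client reachability without exempting any other traffic from the dynamic PAT rule.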
01-14-2015 07:08 AM
There is also this bit of information that may help.
ASA-RAS# sh run | in 10.26.206.
access-list inside_nat0_outbound extended permit ip 10.26.0.0 255.255.0.0 10.26.206.0 255.255.254.0
access-list VPN_CLIENTS extended permit ip 10.26.206.0 255.255.254.0 any
ip local pool VPN_Pool 10.26.206.3-10.26.207.254 mask 255.255.254.0
route inside 10.26.206.0 255.255.254.0 10.26.208.1 1
01-14-2015 11:27 AM
Thank You, Karsten! Your suggestion was perfect!