08-01-2016 02:20 AM
Hello dudes
I have a problem with a VPN.
Here the architecture:
10.91.250.16 <<<<>>>> ASA <<<<>>>> TUNNEL<<<<>>>> CHECKPOINT <<<<>>>> 172.16.8.12
Before entering the tunnel, 10.91.250.16 is NATed to 10.10.249.1.
When I try to ping, I get this error message:
5 | Aug 01 2016 | 11:07:50 | 305013 | 10.91.250.16 | 172.16.8.12 | Asymmetric NAT rules matched for forward and reverse flows; Connection for icmp src inside:10.91.250.16 dst outside:172.16.8.12 (type 8, code 0) denied due to NAT reverse path failure |
I'll attach my configuration.
Thanks for your help
08-01-2016 02:57 AM
This is often caused by missing ICMP-inspection. You can add the following config to enable it:
policy-map global_policy
 class inspection_default
  inspect icmp
08-01-2016 03:03 AM
Hello Karsten Iwen
Thanks for your reply.
Unfortunately, the problem remains.
I've made a packet-tracer:
packet-tracer input inside icmp 10.91.250.16 0 0 172.16.8.12
Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 88.164.214.254 using egress ifc outside
Phase: 2
Type: NAT
Subtype:
Result: ALLOW
Config:
object network HOST_CAMPUS_LISSES_SERVEURS_ERPVIRTUEL
nat (inside,outside) static NAT_CAMPUS<->CUSTOMER
Additional Information:
Static translate 10.91.250.16/0 to 10.10.249.1/0
Phase: 3
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 5
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect icmp
service-policy global_policy global
Additional Information:
Phase: 6
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Phase: 7
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
Phase: 8
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
object network obj_any
nat (any,inside) dynamic interface
Additional Information:
Result:
output-interface: outside
output-status: up
output-line-status: up
Action: drop
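The packet-tracer output above (and the two later runs in this thread) has a fixed phase structure, so it can be parsed mechanically instead of being read by eye. The following is an added example, not code from the thread or from Cisco: a small parser that splits the output into phases and returns the first DROP phase together with the configuration lines the ASA cites for it. SAMPLE is the run above cut down to three of its phases; the function names are the example's own.

```python
"""Split Cisco ASA packet-tracer output into phases and report the phase that dropped
the packet together with the configuration the ASA blames for it.  Added example, not
Cisco code; SAMPLE is the packet-tracer output posted above, cut down to three phases."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Phase:
    number: int
    type: str = ""
    subtype: str = ""
    result: str = ""
    config: List[str] = field(default_factory=list)   # lines under 'Config:'
    info: List[str] = field(default_factory=list)     # lines under 'Additional Information:'


def parse_packet_tracer(text: str) -> List[Phase]:
    phases: List[Phase] = []
    cur: Optional[Phase] = None           # phase currently being filled
    bucket: Optional[List[str]] = None    # config or info list receiving free-text lines
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Phase:"):
            cur = Phase(int(line.split(":", 1)[1]))
            phases.append(cur)
            bucket = None
        elif line == "Result:":           # a bare 'Result:' opens the trailing summary block
            cur = bucket = None
        elif cur is None:
            continue
        elif line.startswith(("Type:", "Subtype:", "Result:")):
            key, value = line.split(":", 1)
            setattr(cur, key.lower(), value.strip())
        elif line == "Config:":
            bucket = cur.config
        elif line == "Additional Information:":
            bucket = cur.info
        elif line and bucket is not None:
            bucket.append(line)
    return phases


def drop_report(text: str) -> Optional[Dict[str, object]]:
    """The first DROP phase and what it points at, or None if every phase ALLOWed."""
    for p in parse_packet_tracer(text):
        if p.result == "DROP":
            return {"phase": p.number, "type": p.type, "subtype": p.subtype,
                    "config": p.config, "info": p.info}
    return None


def trail(text: str) -> str:
    """One-line phase summary, e.g. '... > 8 NAT/rpf-check DROP'."""
    return " > ".join(f"{p.number} {p.type}{'/' + p.subtype if p.subtype else ''} {p.result}"
                      for p in parse_packet_tracer(text))


# Constructed from the packet-tracer run posted above (phases 1, 2 and 8 only).
SAMPLE = """\
Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 88.164.214.254 using egress ifc outside

Phase: 2
Type: NAT
Subtype:
Result: ALLOW
Config:
object network HOST_CAMPUS_LISSES_SERVEURS_ERPVIRTUEL
 nat (inside,outside) static NAT_CAMPUS<->CUSTOMER
Additional Information:
Static translate 10.91.250.16/0 to 10.10.249.1/0

Phase: 8
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
object network obj_any
 nat (any,inside) dynamic interface
Additional Information:

Result:
output-interface: outside
output-status: up
output-line-status: up
Action: drop
"""
```

drop_report(SAMPLE) returns phase 8, type NAT, subtype rpf-check, citing object network obj_any and its nat (any,inside) dynamic interface line, which is the rule the rest of the thread turns on; trail(SAMPLE) gives the one-line phase summary that is handy when comparing several runs.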
08-01-2016 03:19 AM
ok, what do you want to achieve with the following NAT-rule? Is that really what you want?
object network obj_any
 nat (any,inside) dynamic interface
If you wanted to add the dynamic NAT for all outgoing traffic, the interface is wrong. Then you could configure it as follows and remove the above statement:
nat (any,outside) after-auto source dynamic any interface
08-01-2016 04:23 AM
Hey,
Thanks both of you.
To make it easier, here is the architecture.
With my computer (10.91.250.16) I want to reach all the listed subnets in the customer LAN.
In my firewall, my IP address is NATed to 10.10.249.1/32.
But when I try to ping, I get this:
5 | Aug 01 2016 | 11:07:50 | 305013 | 10.91.250.16 | 172.16.8.12 |
Asymmetric NAT rules matched for forward and reverse flows; Connection for icmp src inside:10.91.250.16 dst outside:172.16.8.12 (type 8, code 0) denied due to NAT reverse path failure |
Thanks for help :)
08-01-2016 05:59 AM
Okay fine.
Create an object-group that contains all the destination networks ("remote network"). Then add the static NAT:
nat (inside,outside) source static HOST_CAMPUS_LISSES_SERVEURS_ERPVIRTUEL NAT_CAMPUS<->CUSTOMER destination static destination_obj destination_obj
Let us know if this will help
08-01-2016 06:09 AM
Hello Dina Odeh,
Thanks for your reply, but it's not working. Same issue :'(
5 | Aug 01 2016 | 15:06:59 | 305013 | 10.91.250.16 | 172.16.8.12 | Asymmetric NAT rules matched for forward and reverse flows; Connection for icmp src inside:10.91.250.16 dst outside:172.16.8.12 (type 8, code 0) denied due to NAT reverse path failure |
Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 88.164.214.254 using egress ifc outside
Phase: 2
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 4
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect icmp
service-policy global_policy global
Additional Information:
Phase: 5
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Phase: 6
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
Phase: 7
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
object network obj_any
nat (any,inside) dynamic interface
Additional Information:
Result:
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Best regards.
Olivier.
08-01-2016 06:14 AM
Hi Olivier,
Please send me "show run nat" and this output:
"packet-tracer input inside icmp 10.91.250.16 8 0 172.16.8.12 det"
08-01-2016 06:35 AM
nat (inside,outside) source static HOST_CAMPUS_LISSES_SERVEURS_ERPVIRTUEL HOST_CAMPUS_LISSES_SERVEURS_ERPVIRTUEL destination static LAN_CUSTOMER NAT_CAMPUS<->CUSTOMER
!
object network obj_any
nat (any,inside) dynamic interface
!
nat (MANAGEMENT,outside) after-auto source dynamic any interface
Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 88.164.214.254 using egress ifc outside
Phase: 2
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x2aaac04fedd0, priority=0, domain=nat-per-session, deny=true
hits=890438, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=any, output_ifc=any
Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x2aaac0fba920, priority=0, domain=inspect-ip-options, deny=true
hits=51627, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=inside, output_ifc=any
Phase: 4
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect icmp
service-policy global_policy global
Additional Information:
Forward Flow based lookup yields rule:
in id=0x2aaac1c6ee80, priority=70, domain=inspect-icmp, deny=false
hits=2500, user_data=0x2aaac2d393e0, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, tag=any, dscp=0x0
input_ifc=inside, output_ifc=any
Phase: 5
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x2aaac0fba130, priority=66, domain=inspect-icmp-error, deny=false
hits=5906, user_data=0x2aaac0fb96a0, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, tag=any, dscp=0x0
input_ifc=inside, output_ifc=any
Phase: 6
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x2aaac1c79750, priority=13, domain=ipsec-tunnel-flow, deny=true
hits=3481, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=inside, output_ifc=any
Phase: 7
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
object network obj_any
nat (any,inside) dynamic interface
Additional Information:
Forward Flow based lookup yields rule:
out id=0x2aaac10cd210, priority=6, domain=nat-reverse, deny=false
hits=3636, user_data=0x2aaac10cb390, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=inside, output_ifc=any
Result:
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Thanks for your help.
Best regards,
Olivier Chambelant
08-01-2016 06:39 AM
Olivier,
You put an incorrect NAT, not the one we mentioned above.
NAT should be like this:
nat (inside,outside) source static HOST_CAMPUS_LISSES_SERVEURS_ERPVIRTUEL NAT_CAMPUS<->CUSTOMER destination static destination_obj destination_obj
destination_obj is an object group that should contain all the customer networks in your graph above.
08-01-2016 06:42 AM
To be more specific, the NAT should be like this:
nat (inside,outside) source static HOST_CAMPUS_LISSES_SERVEURS_ERPVIRTUEL NAT_CAMPUS<->CUSTOMER destination static LAN_CUSTOMER LAN_CUSTOMER
08-01-2016 06:53 AM
Hi again.
I confirm that this is the case.
Thanks again.
Olivier.
08-01-2016 07:22 AM
Nice.
You are welcome !!
08-01-2016 07:33 AM
Hey,
Sorry, but I still can't access my CUSTOMER LAN :'(
Best regards.
Olivier.
08-01-2016 10:43 PM
Hello Olivier,
The RPF Check failure happens when a NAT rule is hit when traffic is going out, and a different NAT rule is hit when traffic is coming back in.
To try and avoid this, configure the NAT rule with a higher sequence number so that it takes precedence. Also add route-lookup at the end of the command to make sure the path follows the NAT rules based on the routing table (since the dynamic NAT is configured as (any,outside), it is normally used to make sure the NAT rule is applied correctly).
Also check if there is an xlate entry "stuck" performing the dynamic NAT.
You may "clear xlate local [local ip address]" if there is a conflicting xlate.
An example of the NAT rule is:
nat (inside,outside) 1 source static HOST_SOLUTYS_LISSES_SERVEURS_SAGEVIRTUEL NAT_SOLUTYS<->SAMSE destination static LAN_SAMSE LAN_SAMSE no-proxy-arp route-lookup
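Both problems in this thread can be caught from the NAT listing itself, before running packet-tracer. The block below is an added example, not code from the thread or from Cisco: it parses the subset of "show run nat" syntax that appears above (manual NAT with an optional line number and after-auto, object NAT under "object network") and flags, first, a dynamic rule whose interface pair covers traffic entering on the VPN-facing interface toward the hosts' interface, which is the return path of the VPN connection and the rule shown in the rpf-check DROP, suggesting the (any,outside) after-auto form proposed earlier; and second, a twice-NAT rule for the VPN host that does not map the source to the NAT object while keeping the destination unchanged, as in the first attempt posted above. The interface names inside/outside, the object names and the shape of the corrected rule (line 1, no-proxy-arp, route-lookup) are taken from the thread; the function names are the example's own. POSTED_LISTING is the "show run nat" posted above; FIXED_LISTING is constructed.

```python
"""Lint a Cisco ASA 'show run nat' listing for the two things this thread turns on: a
dynamic NAT rule that also matches the VPN's return traffic (the rule in the rpf-check
DROP above) and a twice-NAT rule whose source/destination operands sit in the wrong
places.  Added example, not Cisco code; it handles only the 'nat' syntax used here."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class NatRule:
    section: int                  # 1 manual before-auto, 2 object NAT, 3 manual after-auto
    real_ifc: str
    mapped_ifc: str
    kind: str                     # 'static' or 'dynamic'
    real_src: str                 # object name ('any' allowed in manual NAT)
    mapped_src: str               # object name or 'interface'
    real_dst: Optional[str] = None       # None: object NAT, no destination condition
    mapped_dst: Optional[str] = None
    text: str = ""


def parse_show_run_nat(listing: str) -> List[NatRule]:
    rules, obj = [], None         # obj: 'object network' block currently open
    for raw in listing.splitlines():
        line = raw.strip()
        if not line or line == "!":
            obj = None
            continue
        if line.startswith("object network "):
            obj = line.split()[2]
            continue
        if not line.startswith("nat ("):
            continue
        tok = line.split()
        real_ifc, mapped_ifc = tok[1].strip("()").split(",")
        if obj is not None:       # object NAT: nat (real,mapped) {static|dynamic} MAPPED
            rules.append(NatRule(2, real_ifc, mapped_ifc, tok[2], obj, tok[3],
                                 text=f"object network {obj}: {line}"))
            continue
        # manual NAT: nat (real,mapped) [line] [after-auto] source {static|dynamic} REAL MAPPED
        #             [destination static REAL MAPPED] [no-proxy-arp] [route-lookup]
        section, i = 1, 2
        while tok[i] != "source":  # skips an explicit line number such as '1'
            section = 3 if tok[i] == "after-auto" else section
            i += 1
        kind, real_src, mapped_src, i = tok[i + 1], tok[i + 2], tok[i + 3], i + 4
        real_dst = mapped_dst = None
        if i < len(tok) and tok[i] == "destination":
            real_dst, mapped_dst = tok[i + 2], tok[i + 3]
        rules.append(NatRule(section, real_ifc, mapped_ifc, kind, real_src, mapped_src,
                             real_dst, mapped_dst, line))
    return rules


def return_path_dynamic(rules, host_ifc="inside", vpn_ifc="outside"):
    # Dynamic rules matching traffic that enters on the VPN-facing interface and heads to
    # the hosts' interface, i.e. the VPN's reverse flow ('any' covers that direction).
    return [r for r in rules if r.kind == "dynamic"
            and r.real_ifc in ("any", vpn_ifc) and r.mapped_ifc in ("any", host_ifc)]


def corrected_rule(real_src, mapped_src, real_dst, host_ifc="inside", vpn_ifc="outside"):
    # The accepted answer's rule at line 1 of section 1, plus the options from the last post.
    return (f"nat ({host_ifc},{vpn_ifc}) 1 source static {real_src} {mapped_src} "
            f"destination static {real_dst} {real_dst} no-proxy-arp route-lookup")


def lint(listing, real_src, mapped_src, real_dst, host_ifc="inside", vpn_ifc="outside"):
    rules, findings = parse_show_run_nat(listing), []
    for r in return_path_dynamic(rules, host_ifc, vpn_ifc):
        findings.append(f"{r.text}: also matches the VPN's return traffic ({vpn_ifc} -> {host_ifc}), "
                        f"so the reverse flow hits it; use 'nat (any,{vpn_ifc}) after-auto' for outbound PAT")
    twice = [r for r in rules if r.kind == "static" and r.real_src == real_src
             and r.real_dst is not None]
    if not twice:
        findings.append(f"no twice-NAT rule with an explicit destination for {real_src}; add: "
                        + corrected_rule(real_src, mapped_src, real_dst, host_ifc, vpn_ifc))
    for r in twice:
        if r.section != 1:
            findings.append(f"{r.text}: after-auto rule, object NAT is evaluated before it")
        if r.mapped_src != mapped_src:
            findings.append(f"{r.text}: maps the source to {r.mapped_src}, expected {mapped_src}")
        if r.mapped_dst != r.real_dst:
            findings.append(f"{r.text}: translates destination {r.real_dst} to {r.mapped_dst}; "
                            f"keep it unchanged: 'destination static {r.real_dst} {r.real_dst}'")
    return findings


HOST, MAPPED, LAN = "HOST_CAMPUS_LISSES_SERVEURS_ERPVIRTUEL", "NAT_CAMPUS<->CUSTOMER", "LAN_CUSTOMER"
# The 'show run nat' posted above, re-indented as the ASA prints it.
POSTED_LISTING = f"""\
nat (inside,outside) source static {HOST} {HOST} destination static {LAN} {MAPPED}
!
object network obj_any
 nat (any,inside) dynamic interface
!
nat (MANAGEMENT,outside) after-auto source dynamic any interface
"""
# Constructed: the accepted rule at line 1, the dynamic PAT moved to (any,outside) after-auto.
FIXED_LISTING = (corrected_rule(HOST, MAPPED, LAN)
                 + "\n!\nnat (any,outside) after-auto source dynamic any interface\n")
```

lint(POSTED_LISTING, HOST, MAPPED, LAN) returns three findings: the obj_any rule, the source left untranslated, and the destination translated instead of the source; lint(FIXED_LISTING, HOST, MAPPED, LAN) returns none. The check works on object names only, so it cannot tell whether two differently named objects overlap in address space; that remains packet-tracer's job.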