06-06-2018 01:45 PM - edited 03-12-2019 05:21 AM
We are sending traffic sourced from the ASA's inside interface over our L2L VPN tunnel. We need to NAT the inside interface's IP address. NAT works when we ping *to* the inside interface over the tunnel; we receive replies and we see hit counts on the NAT statement. When we ping *from* or generate syslog traffic from the inside interface though, the traffic goes out the proper interface (outside) but the NAT isn't hit! I.e. NAT works when the traffic is going outside->inside but not inside->outside.
Our NAT statement looks like this:
nat (any,any) source static obj-inside obj-inside-NAT destination static obj-vpn obj-vpn
But we see the non-NAT'd traffic going out the outside interface!
9: 08:58:03.305007 802.1Q vlan#2 P0 10.1.1.1.514 > 10.23.45.67.514: udp 111
Running 5505 on 9.1(7)16.
So the question is, why isn't traffic sourced from our inside interface hitting the NAT statement?
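The capture line above is the evidence that the translation was skipped. As an added example (not part of the thread), this script parses ASA "show capture" output and flags packets headed for the VPN network that still carry the untranslated inside address; the second sample line and the 192.0.2.10 NAT address are constructed placeholders.

```python
import ipaddress
import re
from dataclasses import dataclass

# ASA "show capture" line, e.g.
# 9: 08:58:03.305007 802.1Q vlan#2 P0 10.1.1.1.514 > 10.23.45.67.514: udp 111
CAPTURE_RE = re.compile(
    r"^(?P<num>\d+):\s+(?P<ts>\S+)\s+"
    r"(?:802\.1Q vlan#\d+ P\d+\s+)?"          # optional dot1q tag on VLAN subinterfaces
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):\s+"
    r"(?P<proto>\w+)\s+(?P<length>\d+)"
)

@dataclass
class Packet:
    num: int
    src: str
    sport: int
    dst: str
    dport: int
    proto: str

def parse_capture(text):
    """Parse capture output; lines that do not match the format are skipped."""
    pkts = []
    for line in text.splitlines():
        m = CAPTURE_RE.match(line.strip())
        if m:
            pkts.append(Packet(int(m["num"]), m["src"], int(m["sport"]),
                               m["dst"], int(m["dport"]), m["proto"]))
    return pkts

def classify(pkts, inside_ip, nat_ip, vpn_net):
    """Split VPN-bound packets into those the NAT rule rewrote (src == nat_ip)
    and those that left with the raw inside address (src == inside_ip)."""
    net = ipaddress.ip_network(vpn_net)
    result = {"translated": [], "untranslated": []}
    for p in pkts:
        if ipaddress.ip_address(p.dst) not in net:
            continue                      # not VPN traffic, ignore
        if p.src == inside_ip:
            result["untranslated"].append(p.num)
        elif p.src == nat_ip:
            result["translated"].append(p.num)
    return result

# Constructed sample: line 9 is the thread's own capture line; line 10 is a
# made-up, correctly translated packet using placeholder NAT address 192.0.2.10.
SAMPLE = """\
9: 08:58:03.305007 802.1Q vlan#2 P0 10.1.1.1.514 > 10.23.45.67.514: udp 111
10: 08:58:04.120033 802.1Q vlan#2 P0 192.0.2.10.514 > 10.23.45.67.514: udp 111
"""

if __name__ == "__main__":
    print(classify(parse_capture(SAMPLE), "10.1.1.1", "192.0.2.10", "10.23.45.0/24"))
```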
06-08-2018 10:37 AM
06-11-2018 02:51 AM
Hi @esa_fresa,
Can you post the output from:
packet-tracer input inside icmp <inside-ip> 8 0 <vpn-ip>
06-11-2018 05:50 AM
06-11-2018 07:23 AM
That is true, but you have other tools available on the ASA when verifying connections like ping tcp and packet-tracer.
06-11-2018 07:53 AM