Improve company productivity with a Business Account.Sign Up

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 348
  • Last Modified:

ASA 5510

Hi Guys:
We have this ASA config below and we are trying to allow traffic between the DMZ 172.16.1.15 to a Web server on the other side of the Site-to-Site VPN 192.168.111.141, like you notice the other side is not trusted and there a lot of static mapping and when I tried to create static mapping it says that will overlap with some other NAT and in the log whenever I’m trying to access the Web Server 192.168.111.141 from 172.16.1.15 it will send to the outside public IP15!! config attached
Any help is really appreciated!
Thank you
Mo


ASA-Config.txt
0
modathir
Asked:
modathir
1 Solution
 
jmeggersSr. Network and Security EngineerCommented:
Maybe I'm just missing it, but I don't see where you are denying NAT for the traffic going to the other side of the tunnel.   In 8.2 code that's accomplished with a "zero" instance of nat ["nat (inside) 0 access-list no-nat"] which I'm not seeing in the config.  This would explain why the ASA is NATing that traffic.
0
 
bgoeringCommented:
You may need to add a:
access-list outside_map_1 extended permit ip 192.168.111.0 255.255.255.0 172.16.1.0 255.255.255.0
to allow return traffic to your dmz, presently it looks like you are only allowing traffic to 192.168.167.0/24

To get it going the other way create
access-list intf2_nat0_outbound extended permit ip 172.16.1.0 255.255.255.0 192.168.111.0
nat (intf2) 0 access-list intf2_nat0_outbound

0
 
modathirAuthor Commented:
Part of the solution
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Free Tool: Port Scanner

Check which ports are open to the outside world. Helps make sure that your firewall rules are working as intended.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now