?
Solved

Double Internal NAT over VPN no ping ASA

Posted on 2011-03-17
7
Medium Priority
?
827 Views
Last Modified: 2012-06-21
Hello there, i've got a tricky one to ask...
i've tried numerous things and just cannot get this to work.

Bear with me:
This is all on an ASA

We have an internal subnet: 10.150.83.x
A Vpn Subnet: 10.150.244.x
and a DMZ subnet on the ASA: 10.150.251.x

Now, heres the tricky part.
There is a particular host on the DMZ subnet that is getting natted from one internal subnet to another internal subnet: 10.150.251.2 NAT TO 10.150.83.14, The physical address on the host is 10.150.251.2

When i VPN in, i can ping eveybody and their brother on all the subnets EXCEPT for this particular 10.150.83.14
i can ping the natted host on his physical address of: 10.150.251.2 however i cannot ping it on the natted address: 10.150.83.14

at this point i dont know if this is an acl issue, i have opened everything up with any any rules to test but no luck.

here are my nat lines:

nat (Inside) 0 access-list Inside_nat0_outbound
nat (Inside) 4 10.150.84.64 255.255.255.192
nat (Inside) 1 10.150.14.0 255.255.255.0
nat (Inside) 3 10.150.83.0 255.255.255.0
nat (Inside) 1 10.150.120.0 255.255.255.0
<--- More --->
             
nat (DMZ) 0 access-list DMZ_nat0_outbound
static (Inside,Outside) "deleted public" 10.150.83.16 netmask 255.255.255.255
static (Inside,DMZ) 10.150.83.0 10.150.83.0 netmask 255.255.255.0
static (Inside,Inside) 10.150.120.0 10.150.83.0 netmask 255.255.255.0
static (DMZ,Inside) 10.150.83.14 10.150.251.2 netmask 255.255.255.255
static (DMZ,Outside) "deleted public" 10.150.251.4 netmask 255.255.255.255
static (DMZ,Outside) "deleted public" 10.150.251.2 netmask 255.255.255.255
static (Inside,DMZ) 10.150.120.0 10.150.120.0 netmask 255.255.255.0
0
Comment
Question by:ricardogsanchez
  • 4
  • 3
7 Comments
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 35159831
Just curious, why do you want to ping it on it's natted address?

And second, nothing strange here. You VPN in from the outside, the static is created between the DMZ and the inside.........
0
 

Author Comment

by:ricardogsanchez
ID: 35159876
i want to ping it on the natted address because we have a dns ptr pointing to the .83.14
When employees VPN in, the shortcut on their broswer points to the name not the ip.
eg: http://server/ that they use when in the office.

i have temporarily fixed it by creating a second ptr to the 251.2 addy but im trying to come up with a more elegant solution.
0
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 35160024
Ok.

Well you can't do it with a static, the 251.2 allready has one to the outside.
Is there any specific reason why you nat the 251.2 to an internal address instead of making it reachable on it's own dmz address? Then you should be able to connect to 251.2 from the inside and from the VPN thus needing only one ptr.
0
Identify and Prevent Potential Cyber-threats

Become the white hat who helps safeguard our interconnected world. Transform your career future by earning your MS in Cybersecurity. WGU’s MSCSIA degree program was designed in collaboration with national intelligence organizations and IT industry leaders.

 

Author Comment

by:ricardogsanchez
ID: 35160321
I agree completely, the reason is unknown. I kind of inherited this problem and my first question to them was exactly that "why is this natted to 83.14?" The said they don't know and a consultant set it up this way. I guess what I wanted to know is if it could be done even with the outside static. I still don't understand why it doesn't reply back trough the 83.14... I don't know a lot of nat. Why doesn't it?
0
 
LVL 35

Accepted Solution

by:
Ernie Beek earned 2000 total points
ID: 35160354
Well as I said before: the 83.14 is natted to the inside. From a VPN you're on the outside.
0
 

Author Comment

by:ricardogsanchez
ID: 35160429
aaahhh.. i think i get it, do you mean 83.14 is only "visible" for host that are phisically on the inside?
0
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 35160927
You got it :)
0

Featured Post

Who's Defending Your Organization from Threats?

Protecting against advanced threats requires an IT dream team – a well-oiled machine of people and solutions working together to defend your organization. Download our resource kit today to learn more about the tools you need to build you IT Dream Team!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Many of the companies I’ve worked with have embraced cloud solutions due to their desire to “get out of the datacenter business.” The ability to achieve better security and availability, and the speed with which they are able to deploy, is far grea…
In this article, the configuration steps in Zabbix to monitor devices via SNMP will be discussed with some real examples on Cisco Router/Switch, Catalyst Switch, NAS Synology device.
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Windows 10 is mostly good. However the one thing that annoys me is how many clicks you have to do to dial a VPN connection. You have to go to settings from the start menu, (2 clicks), Network and Internet (1 click), Click VPN (another click) then fi…
Suggested Courses
Course of the Month9 days, 15 hours left to enroll

571 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question