Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win

x
?
Solved

Double Internal NAT over VPN no ping ASA

Posted on 2011-03-17
7
Medium Priority
?
825 Views
Last Modified: 2012-06-21
Hello there, i've got a tricky one to ask...
i've tried numerous things and just cannot get this to work.

Bear with me:
This is all on an ASA

We have an internal subnet: 10.150.83.x
A Vpn Subnet: 10.150.244.x
and a DMZ subnet on the ASA: 10.150.251.x

Now, heres the tricky part.
There is a particular host on the DMZ subnet that is getting natted from one internal subnet to another internal subnet: 10.150.251.2 NAT TO 10.150.83.14, The physical address on the host is 10.150.251.2

When i VPN in, i can ping eveybody and their brother on all the subnets EXCEPT for this particular 10.150.83.14
i can ping the natted host on his physical address of: 10.150.251.2 however i cannot ping it on the natted address: 10.150.83.14

at this point i dont know if this is an acl issue, i have opened everything up with any any rules to test but no luck.

here are my nat lines:

nat (Inside) 0 access-list Inside_nat0_outbound
nat (Inside) 4 10.150.84.64 255.255.255.192
nat (Inside) 1 10.150.14.0 255.255.255.0
nat (Inside) 3 10.150.83.0 255.255.255.0
nat (Inside) 1 10.150.120.0 255.255.255.0
<--- More --->
             
nat (DMZ) 0 access-list DMZ_nat0_outbound
static (Inside,Outside) "deleted public" 10.150.83.16 netmask 255.255.255.255
static (Inside,DMZ) 10.150.83.0 10.150.83.0 netmask 255.255.255.0
static (Inside,Inside) 10.150.120.0 10.150.83.0 netmask 255.255.255.0
static (DMZ,Inside) 10.150.83.14 10.150.251.2 netmask 255.255.255.255
static (DMZ,Outside) "deleted public" 10.150.251.4 netmask 255.255.255.255
static (DMZ,Outside) "deleted public" 10.150.251.2 netmask 255.255.255.255
static (Inside,DMZ) 10.150.120.0 10.150.120.0 netmask 255.255.255.0
0
Comment
Question by:ricardogsanchez
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 3
7 Comments
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 35159831
Just curious, why do you want to ping it on it's natted address?

And second, nothing strange here. You VPN in from the outside, the static is created between the DMZ and the inside.........
0
 

Author Comment

by:ricardogsanchez
ID: 35159876
i want to ping it on the natted address because we have a dns ptr pointing to the .83.14
When employees VPN in, the shortcut on their broswer points to the name not the ip.
eg: http://server/ that they use when in the office.

i have temporarily fixed it by creating a second ptr to the 251.2 addy but im trying to come up with a more elegant solution.
0
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 35160024
Ok.

Well you can't do it with a static, the 251.2 allready has one to the outside.
Is there any specific reason why you nat the 251.2 to an internal address instead of making it reachable on it's own dmz address? Then you should be able to connect to 251.2 from the inside and from the VPN thus needing only one ptr.
0
Learn Veeam advantages over legacy backup

Every day, more and more legacy backup customers switch to Veeam. Technologies designed for the client-server era cannot restore any IT service running in the hybrid cloud within seconds. Learn top Veeam advantages over legacy backup and get Veeam for the price of your renewal

 

Author Comment

by:ricardogsanchez
ID: 35160321
I agree completely, the reason is unknown. I kind of inherited this problem and my first question to them was exactly that "why is this natted to 83.14?" The said they don't know and a consultant set it up this way. I guess what I wanted to know is if it could be done even with the outside static. I still don't understand why it doesn't reply back trough the 83.14... I don't know a lot of nat. Why doesn't it?
0
 
LVL 35

Accepted Solution

by:
Ernie Beek earned 2000 total points
ID: 35160354
Well as I said before: the 83.14 is natted to the inside. From a VPN you're on the outside.
0
 

Author Comment

by:ricardogsanchez
ID: 35160429
aaahhh.. i think i get it, do you mean 83.14 is only "visible" for host that are phisically on the inside?
0
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 35160927
You got it :)
0

Featured Post

Enroll in October's Free Course of the Month

Do you work with and analyze data? Enroll in October's Course of the Month for 7+ hours of SQL training, allowing you to quickly and efficiently store or retrieve data. It's free for Premium Members, Team Accounts, and Qualified Experts!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

When speed and performance are vital to revenue, companies must have complete confidence in their cloud environment.
On Feb. 28, Amazon’s Simple Storage Service (S3) went down after an employee issued the wrong command during a debugging exercise. Among those affected were big names like Netflix, Spotify and Expedia.
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Windows 10 is mostly good. However the one thing that annoys me is how many clicks you have to do to dial a VPN connection. You have to go to settings from the start menu, (2 clicks), Network and Internet (1 click), Click VPN (another click) then fi…
Suggested Courses

610 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question