?
Solved

Double Internal NAT over VPN no ping ASA

Posted on 2011-03-17
7
Medium Priority
?
820 Views
Last Modified: 2012-06-21
Hello there, i've got a tricky one to ask...
i've tried numerous things and just cannot get this to work.

Bear with me:
This is all on an ASA

We have an internal subnet: 10.150.83.x
A Vpn Subnet: 10.150.244.x
and a DMZ subnet on the ASA: 10.150.251.x

Now, heres the tricky part.
There is a particular host on the DMZ subnet that is getting natted from one internal subnet to another internal subnet: 10.150.251.2 NAT TO 10.150.83.14, The physical address on the host is 10.150.251.2

When i VPN in, i can ping eveybody and their brother on all the subnets EXCEPT for this particular 10.150.83.14
i can ping the natted host on his physical address of: 10.150.251.2 however i cannot ping it on the natted address: 10.150.83.14

at this point i dont know if this is an acl issue, i have opened everything up with any any rules to test but no luck.

here are my nat lines:

nat (Inside) 0 access-list Inside_nat0_outbound
nat (Inside) 4 10.150.84.64 255.255.255.192
nat (Inside) 1 10.150.14.0 255.255.255.0
nat (Inside) 3 10.150.83.0 255.255.255.0
nat (Inside) 1 10.150.120.0 255.255.255.0
<--- More --->
             
nat (DMZ) 0 access-list DMZ_nat0_outbound
static (Inside,Outside) "deleted public" 10.150.83.16 netmask 255.255.255.255
static (Inside,DMZ) 10.150.83.0 10.150.83.0 netmask 255.255.255.0
static (Inside,Inside) 10.150.120.0 10.150.83.0 netmask 255.255.255.0
static (DMZ,Inside) 10.150.83.14 10.150.251.2 netmask 255.255.255.255
static (DMZ,Outside) "deleted public" 10.150.251.4 netmask 255.255.255.255
static (DMZ,Outside) "deleted public" 10.150.251.2 netmask 255.255.255.255
static (Inside,DMZ) 10.150.120.0 10.150.120.0 netmask 255.255.255.0
0
Comment
Question by:ricardogsanchez
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 3
7 Comments
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 35159831
Just curious, why do you want to ping it on it's natted address?

And second, nothing strange here. You VPN in from the outside, the static is created between the DMZ and the inside.........
0
 

Author Comment

by:ricardogsanchez
ID: 35159876
i want to ping it on the natted address because we have a dns ptr pointing to the .83.14
When employees VPN in, the shortcut on their broswer points to the name not the ip.
eg: http://server/ that they use when in the office.

i have temporarily fixed it by creating a second ptr to the 251.2 addy but im trying to come up with a more elegant solution.
0
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 35160024
Ok.

Well you can't do it with a static, the 251.2 allready has one to the outside.
Is there any specific reason why you nat the 251.2 to an internal address instead of making it reachable on it's own dmz address? Then you should be able to connect to 251.2 from the inside and from the VPN thus needing only one ptr.
0
Ransomware Attacks Keeping You Up at Night?

Will your organization be ransomware's next victim?  The good news is that these attacks are predicable and therefore preventable. Learn more about how you can  stop a ransomware attacks before encryption takes place with our Ransomware Prevention Kit!

 

Author Comment

by:ricardogsanchez
ID: 35160321
I agree completely, the reason is unknown. I kind of inherited this problem and my first question to them was exactly that "why is this natted to 83.14?" The said they don't know and a consultant set it up this way. I guess what I wanted to know is if it could be done even with the outside static. I still don't understand why it doesn't reply back trough the 83.14... I don't know a lot of nat. Why doesn't it?
0
 
LVL 35

Accepted Solution

by:
Ernie Beek earned 2000 total points
ID: 35160354
Well as I said before: the 83.14 is natted to the inside. From a VPN you're on the outside.
0
 

Author Comment

by:ricardogsanchez
ID: 35160429
aaahhh.. i think i get it, do you mean 83.14 is only "visible" for host that are phisically on the inside?
0
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 35160927
You got it :)
0

Featured Post

Veeam Task Manager for Hyper-V

Task Manager for Hyper-V provides critical information that allows you to monitor Hyper-V performance by displaying real-time views of CPU and memory at the individual VM-level, so you can quickly identify which VMs are using host resources.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Many of the companies I’ve worked with have embraced cloud solutions due to their desire to “get out of the datacenter business.” The ability to achieve better security and availability, and the speed with which they are able to deploy, is far grea…
During and after that shift to cloud, one area that still poses a struggle for many organizations is what to do with their department file shares.
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Both in life and business – not all partnerships are created equal. As the demand for cloud services increases, so do the number of self-proclaimed cloud partners. Asking the right questions up front in the partnership, will enable both parties …
Suggested Courses
Course of the Month11 days, 19 hours left to enroll

752 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question