Solved

Double Internal NAT over VPN no ping ASA

Posted on 2011-03-17
7
812 Views
Last Modified: 2012-06-21
Hello there, i've got a tricky one to ask...
i've tried numerous things and just cannot get this to work.

Bear with me:
This is all on an ASA

We have an internal subnet: 10.150.83.x
A Vpn Subnet: 10.150.244.x
and a DMZ subnet on the ASA: 10.150.251.x

Now, heres the tricky part.
There is a particular host on the DMZ subnet that is getting natted from one internal subnet to another internal subnet: 10.150.251.2 NAT TO 10.150.83.14, The physical address on the host is 10.150.251.2

When i VPN in, i can ping eveybody and their brother on all the subnets EXCEPT for this particular 10.150.83.14
i can ping the natted host on his physical address of: 10.150.251.2 however i cannot ping it on the natted address: 10.150.83.14

at this point i dont know if this is an acl issue, i have opened everything up with any any rules to test but no luck.

here are my nat lines:

nat (Inside) 0 access-list Inside_nat0_outbound
nat (Inside) 4 10.150.84.64 255.255.255.192
nat (Inside) 1 10.150.14.0 255.255.255.0
nat (Inside) 3 10.150.83.0 255.255.255.0
nat (Inside) 1 10.150.120.0 255.255.255.0
<--- More --->
             
nat (DMZ) 0 access-list DMZ_nat0_outbound
static (Inside,Outside) "deleted public" 10.150.83.16 netmask 255.255.255.255
static (Inside,DMZ) 10.150.83.0 10.150.83.0 netmask 255.255.255.0
static (Inside,Inside) 10.150.120.0 10.150.83.0 netmask 255.255.255.0
static (DMZ,Inside) 10.150.83.14 10.150.251.2 netmask 255.255.255.255
static (DMZ,Outside) "deleted public" 10.150.251.4 netmask 255.255.255.255
static (DMZ,Outside) "deleted public" 10.150.251.2 netmask 255.255.255.255
static (Inside,DMZ) 10.150.120.0 10.150.120.0 netmask 255.255.255.0
0
Comment
Question by:ricardogsanchez
  • 4
  • 3
7 Comments
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 35159831
Just curious, why do you want to ping it on it's natted address?

And second, nothing strange here. You VPN in from the outside, the static is created between the DMZ and the inside.........
0
 

Author Comment

by:ricardogsanchez
ID: 35159876
i want to ping it on the natted address because we have a dns ptr pointing to the .83.14
When employees VPN in, the shortcut on their broswer points to the name not the ip.
eg: http://server/ that they use when in the office.

i have temporarily fixed it by creating a second ptr to the 251.2 addy but im trying to come up with a more elegant solution.
0
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 35160024
Ok.

Well you can't do it with a static, the 251.2 allready has one to the outside.
Is there any specific reason why you nat the 251.2 to an internal address instead of making it reachable on it's own dmz address? Then you should be able to connect to 251.2 from the inside and from the VPN thus needing only one ptr.
0
How to improve team productivity

Quip adds documents, spreadsheets, and tasklists to your Slack experience
- Elevate ideas to Quip docs
- Share Quip docs in Slack
- Get notified of changes to your docs
- Available on iOS/Android/Desktop/Web
- Online/Offline

 

Author Comment

by:ricardogsanchez
ID: 35160321
I agree completely, the reason is unknown. I kind of inherited this problem and my first question to them was exactly that "why is this natted to 83.14?" The said they don't know and a consultant set it up this way. I guess what I wanted to know is if it could be done even with the outside static. I still don't understand why it doesn't reply back trough the 83.14... I don't know a lot of nat. Why doesn't it?
0
 
LVL 35

Accepted Solution

by:
Ernie Beek earned 500 total points
ID: 35160354
Well as I said before: the 83.14 is natted to the inside. From a VPN you're on the outside.
0
 

Author Comment

by:ricardogsanchez
ID: 35160429
aaahhh.. i think i get it, do you mean 83.14 is only "visible" for host that are phisically on the inside?
0
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 35160927
You got it :)
0

Featured Post

How to improve team productivity

Quip adds documents, spreadsheets, and tasklists to your Slack experience
- Elevate ideas to Quip docs
- Share Quip docs in Slack
- Get notified of changes to your docs
- Available on iOS/Android/Desktop/Web
- Online/Offline

Join & Write a Comment

From Cisco ASA version 8.3, the Network Address Translation (NAT) configuration has been completely redesigned and it may be helpful to have the syntax configuration for both at a glance. You may as well want to read official Cisco published AS…
Secure VPN Connection terminated locally by the Client.  Reason 442: Failed to enable Virtual Adapter. If you receive this error on Windows 8 or Windows 8.1 while trying to connect with the Cisco VPN Client then the solution is a simple registry f…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

707 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

14 Experts available now in Live!

Get 1:1 Help Now