Solved

Double Internal NAT over VPN no ping ASA

Posted on 2011-03-17
7
818 Views
Last Modified: 2012-06-21
Hello there, i've got a tricky one to ask...
i've tried numerous things and just cannot get this to work.

Bear with me:
This is all on an ASA

We have an internal subnet: 10.150.83.x
A Vpn Subnet: 10.150.244.x
and a DMZ subnet on the ASA: 10.150.251.x

Now, heres the tricky part.
There is a particular host on the DMZ subnet that is getting natted from one internal subnet to another internal subnet: 10.150.251.2 NAT TO 10.150.83.14, The physical address on the host is 10.150.251.2

When i VPN in, i can ping eveybody and their brother on all the subnets EXCEPT for this particular 10.150.83.14
i can ping the natted host on his physical address of: 10.150.251.2 however i cannot ping it on the natted address: 10.150.83.14

at this point i dont know if this is an acl issue, i have opened everything up with any any rules to test but no luck.

here are my nat lines:

nat (Inside) 0 access-list Inside_nat0_outbound
nat (Inside) 4 10.150.84.64 255.255.255.192
nat (Inside) 1 10.150.14.0 255.255.255.0
nat (Inside) 3 10.150.83.0 255.255.255.0
nat (Inside) 1 10.150.120.0 255.255.255.0
<--- More --->
             
nat (DMZ) 0 access-list DMZ_nat0_outbound
static (Inside,Outside) "deleted public" 10.150.83.16 netmask 255.255.255.255
static (Inside,DMZ) 10.150.83.0 10.150.83.0 netmask 255.255.255.0
static (Inside,Inside) 10.150.120.0 10.150.83.0 netmask 255.255.255.0
static (DMZ,Inside) 10.150.83.14 10.150.251.2 netmask 255.255.255.255
static (DMZ,Outside) "deleted public" 10.150.251.4 netmask 255.255.255.255
static (DMZ,Outside) "deleted public" 10.150.251.2 netmask 255.255.255.255
static (Inside,DMZ) 10.150.120.0 10.150.120.0 netmask 255.255.255.0
0
Comment
Question by:ricardogsanchez
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 3
7 Comments
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 35159831
Just curious, why do you want to ping it on it's natted address?

And second, nothing strange here. You VPN in from the outside, the static is created between the DMZ and the inside.........
0
 

Author Comment

by:ricardogsanchez
ID: 35159876
i want to ping it on the natted address because we have a dns ptr pointing to the .83.14
When employees VPN in, the shortcut on their broswer points to the name not the ip.
eg: http://server/ that they use when in the office.

i have temporarily fixed it by creating a second ptr to the 251.2 addy but im trying to come up with a more elegant solution.
0
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 35160024
Ok.

Well you can't do it with a static, the 251.2 allready has one to the outside.
Is there any specific reason why you nat the 251.2 to an internal address instead of making it reachable on it's own dmz address? Then you should be able to connect to 251.2 from the inside and from the VPN thus needing only one ptr.
0
Free NetCrunch network monitor licenses!

Only on Experts-Exchange: Sign-up for a free-trial and we'll send you your permanent license!

Here is what you get: 30 Nodes | Unlimited Sensors | No Time Restrictions | Absolutely FREE!

Act now. This offer ends July 14, 2017.

 

Author Comment

by:ricardogsanchez
ID: 35160321
I agree completely, the reason is unknown. I kind of inherited this problem and my first question to them was exactly that "why is this natted to 83.14?" The said they don't know and a consultant set it up this way. I guess what I wanted to know is if it could be done even with the outside static. I still don't understand why it doesn't reply back trough the 83.14... I don't know a lot of nat. Why doesn't it?
0
 
LVL 35

Accepted Solution

by:
Ernie Beek earned 500 total points
ID: 35160354
Well as I said before: the 83.14 is natted to the inside. From a VPN you're on the outside.
0
 

Author Comment

by:ricardogsanchez
ID: 35160429
aaahhh.. i think i get it, do you mean 83.14 is only "visible" for host that are phisically on the inside?
0
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 35160927
You got it :)
0

Featured Post

Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

I recently attended Cisco Live! in Las Vegas, a conference that boasted over 28,000 techies in attendance, and a week of hands-on learning hosted by a solid partner with which Concerto goes to market.  Every year, Cisco displays cutting-edge technol…
Let’s face it: one of the reasons your organization chose a SaaS solution (whether Microsoft Dynamics 365, Netsuite or SAP) is that it is subscription-based. The upkeep is done. Or so you think.
As a trusted technology advisor to your customers you are likely getting the daily question of, ‘should I put this in the cloud?’ As customer demands for cloud services increases, companies will see a shift from traditional buying patterns to new…
Both in life and business – not all partnerships are created equal. Spend 30 short minutes with us to learn:   • Key questions to ask when considering a partnership to accelerate your business into the cloud • Pitfalls and mistakes other partners…

717 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question