Help with NATing issue on a Cisco ASA

Hello Experts,

I have inherited administration duties of our Cisco ASAs (we have two of them).  The ASAs are both running version 8.2.1.  Just a heads up, I’m not much of a firewall guy.  I’m terribly bad at the ASA command line and do everything through the Cisco ASDM.

The ASAs are configured as follows:

ASA1
interface GigabitEthernet0/0.2
nameif MyCompanyLAN
security-level 100
ip address 10.1.4.1 255.255.255.248
!
interface GigabitEthernet0/0.4
nameif MyCompanyDMZ
security-level 1
ip address 10.1.4.30 255.255.255.248
!
interface GigabitEthernet0/1
nameif MyCompanyQMOE
security-level 0
ip address 169.32.134.1 255.255.255.0

ASA2
interface GigabitEthernet0/0.3
nameif ISPLAN
security-level 100
ip address 10.1.4.9 255.255.255.248
!
interface GigabitEthernet0/2.1
nameif ISPT1
security-level 0
ip address 109.233.190.196 255.255.255.248
!
interface GigabitEthernet0/2.2
nameif ISPDMZ
security-level 90
ip address 10.1.6.254 255.255.255.0


I’m trying to get traffic that hits ASA1 coming in from MyCompanyQMOE to a server in the ISPDMZ.  The server’s name is DMZ-Mail and its IP address is 10.1.6.2.

I was told you need three things to get traffic to pass through an ASA:
1. A route
2. A NAT
3. An access rule allowing the traffic to pass

Based on these three things, here is what I have configured on ASA1:
The route (this is the route I think traffic will use):
route MyCompanyLAN 10.0.0.0 255.0.0.0 10.1.4.6 1  

Note:  In the route statement above, 10.1.6.1 is an address on our core switch

The NAT
static (MyCompanyLAN,MyCompanyQMOE) 169.32.134.120 DMZ-MAIL netmask 255.255.255.255

The access rule
access-list from-out extended permit tcp host MAIL-SOURCE host DMZ-MAIL object-group DM_INLINE_TCP_13

I have this setup and when I run Packet Tracer to test everything, the packet is dropped.  The info from Packet Tracer is as follows:

Type - NAT     Subtype – rpf-check     Action – Drop

Config
Static(MyCompanyLAN,MyCompanyQMOE) 169.325.134.120 DMZ-MAIL netmask 255.255.255.255
Match ip MyCompanyLAN host DMZ-MAIL MyCompanyQMOE any
Static translation to 169.32.134.120
Translate_hits = 0, untranslated_hits = 181

Some of the names and IPs in the configurations above have been modified so that our security guys would let me post this question.  

My questions are these:
1. What am I missing with regards to the NAT?
2. Can I create a NAT to the 10.1.6.2 address in ASA1 even though that device is in the DMZ of ASA2?
3. If the answer to question 2 is yes, will the summary route I posted above on ASA1 route traffic to the internal switch?  I believe it will.

Thanks in advance for all of your help.  I’m sorry I’m not more knowledgeable with regards to the ASA stuff.

Nick
ndalmolin_13 asked:
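For reference, here is how the three pieces the question lists (route, static NAT, access rule) fit together in pre-8.3 ASA syntax for the addresses given above. This is an added illustration, not the asker's running configuration: the ACL name, the service object-group contents, the access-group binding and the placeholder source address are assumed, since the question does not show how the ACL is applied.

```cisco
! Added example in ASA 8.2 syntax; names and addresses come from the question,
! everything marked "assumed" is not.
!
! 1. Route: the real host 10.1.6.2 is reached via the core switch on MyCompanyLAN
!    (the summary route from the question).
route MyCompanyLAN 10.0.0.0 255.0.0.0 10.1.4.6 1
!
! 2. NAT (pre-8.3 "static" form): real host DMZ-MAIL on MyCompanyLAN is
!    presented to MyCompanyQMOE as the mapped address 169.32.134.120.
names
name 10.1.6.2 DMZ-MAIL
static (MyCompanyLAN,MyCompanyQMOE) 169.32.134.120 DMZ-MAIL netmask 255.255.255.255
!
! 3. Access rule on the low-security interface. Before 8.3 an ACL applied
!    inbound on the outside interface is evaluated BEFORE untranslation, so it
!    must permit the MAPPED address (169.32.134.120), not the real DMZ-MAIL.
!    Service group contents are assumed (SMTP only).
object-group service DM_INLINE_TCP_13 tcp
 port-object eq smtp
access-list from-out extended permit tcp host MAIL-SOURCE host 169.32.134.120 object-group DM_INLINE_TCP_13
access-group from-out in interface MyCompanyQMOE
!
! Verify with packet-tracer against the MAPPED address. Tracing an inbound
! packet to the real address instead is a common cause of a "NAT rpf-check"
! drop, because the reverse flow would be translated differently.
! <MAIL-SOURCE-IP> is a placeholder for the real sender.
packet-tracer input MyCompanyQMOE tcp <MAIL-SOURCE-IP> 12345 169.32.134.120 25
```

After applying the rule, "show xlate" and the translate_hits counter on the static should increment when legitimate traffic from MAIL-SOURCE arrives.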
Michael Ortega, Sales & Systems Engineer, commented:
First of all, what is the purpose of the 2 ASAs in the network? Is there HA set up on them? Because it looks like they are simply running parallel to each other to serve the same or similar functions to different networks, when 1 could essentially do the job of both and eliminate some of the complexity of the configuration. Also, get the firmware updated ASAP. 8.2.1 is really old system software. Based on the configuration of your interfaces, I assume this device is at least a 5510 or higher?

If you can consolidate the role of both devices onto a single one this will be a lot easier for you to administer long term. Obviously advising you on configuration will be a lot less complicated as well. What will also help is getting on 9.x system software.

MO