
Ask questions about ASA NAT!!!

Guest

Post time 22-7-2013 16:55:50


The topology is shown in the figure above


The establishment of IPSec VPN through asa505 is successful


1. You can dial in the VPN remotely and get the VPN pool address 192.168.3.10/24
2. The server IP behind the firewall gets 192.168.3.100/24 from DHCP
3. Now in order to let the server access the Internet, NAT: 192.168.3.0/24 is mapped to the WAN port in ASA, so that the server can access the Internet normally.
show nat interface inside detail
Auto NAT Policies (Section 2)
1 (inside) to (outside) source dynamic Server interface
    translate_hits = 547, untranslate_hits = 256
    Source - Origin: 192.168.3.0/24, Translated: 125.*.*.*/32



The problem is: before NAT, VPN client 192.168.3.10 can ping server 192.168.3.100.
After finishing NAT, you can't ping.


Firewall log shows: Asymmetric NAT rules matched for forward and reverse flows; Connection for icmp src  outside:192.168.3.12 dst  inside:192.168.3.101 denied  due to NAT reverse path failure


You need to let the intranet server access the Internet, and then you can ping each other after VPN dial in


Experts, please advise. Thank you!
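The log line in the post comes from the ASA comparing the NAT rule matched by the VPN client's packet with the rule that would apply to the server's reply. The following is an added example, not part of the original post and not Cisco code: a simplified Python model of that check, showing the failure with only the dynamic PAT rule and the effect of an identity (NAT exempt) rule evaluated ahead of it. The pool range and the rule names are assumptions.

```python
# Simplified model of the ASA NAT reverse-path check (illustrative only).
from ipaddress import ip_address, ip_network

INSIDE_NET = ip_network("192.168.3.0/24")   # source network from the post's NAT output
# Assumption: the post does not give the VPN pool range; this small range
# covers the two client addresses it mentions (.10 and .12).
VPN_POOL = ip_network("192.168.3.8/29")

# Rule names are hypothetical. Lists are in evaluation order:
# manual NAT (Section 1) is checked before auto NAT (Section 2).
PAT = {"name": "dynamic-pat", "src": INSIDE_NET, "dst": None, "identity": False}
EXEMPT = {"name": "vpn-identity", "src": INSIDE_NET, "dst": VPN_POOL, "identity": True}

def reverse_rule(rules, host, peer):
    """First rule that would translate traffic from inside host to outside peer."""
    for r in rules:
        if host in r["src"] and (r["dst"] is None or peer in r["dst"]):
            return r["name"]
    return None

def forward_rule(rules, peer, host):
    """First rule that untranslates traffic from outside peer to inside host.
    Only an identity rule leaves the host's real address reachable from the
    outside; the PAT rule exposes the interface address, so it never matches."""
    for r in rules:
        if r["identity"] and r["dst"] is not None \
                and host in r["src"] and peer in r["dst"]:
            return r["name"]
    return None

def rpf_check(rules, peer, host):
    """Permit only when both directions of the flow select the same rule."""
    peer, host = ip_address(peer), ip_address(host)
    fwd = forward_rule(rules, peer, host)
    rev = reverse_rule(rules, host, peer)
    verdict = "permit" if fwd == rev else "deny: asymmetric NAT"
    return (verdict, fwd, rev)

if __name__ == "__main__":
    # Flow from the post's log: outside 192.168.3.12 -> inside 192.168.3.101
    print(rpf_check([PAT], "192.168.3.12", "192.168.3.101"))
    print(rpf_check([EXEMPT, PAT], "192.168.3.12", "192.168.3.101"))
```

In the second case the server's Internet traffic still falls through to the dynamic PAT rule, because the identity rule matches only destinations inside the VPN pool.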