RE: Problem with destination NAT on Hairpin flow config

From: Ryan West <rwest_at_zyedge.com>
Date: Mon, 25 May 2009 13:49:23 -0400

Hi,

Are you trying to overcome an overlap address problem? Are you really sending traffic into the inside interface of your firewall and then trying to make it exit the same interface or is it coming in on one tunnel and you want it to leave out another tunnel? Can you describe your site-to-site traffic in a little better detail, including interesting traffic on both sides of the tunnel?

-ryan

-----Original Message-----
From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of Sathishkumar
Sent: Monday, May 25, 2009 12:12 PM
To: Cisco certification; Cisco certification; smorris_at_internetworkexpert.com; meer.asim_at_gmail.com; amsoares_at_netcabo.pt; mgazzaz_at_hotmail.com; adiqtanko_at_gmail.com; timcurci_at_roadrunner.com; cciebase_at_gmail.com; ccie.weaver_at_gmail.com; lhadrava_at_ipexpert.com; ravi29635_at_gmail.com
Subject: Problem with destination NAT on Hairpin flow config

Hi Experts,

I am facing a problem in configuring destination static NAT when
configuring hairpin flow on the ASA firewall.
src: 10.0.0.10 dest: 192.168.1.10 (NAT IP: 172.16.10.10)

Traffic enters the inside interface and needs to exit the same
interface, where the traffic gets into the VPN tunnel.
Hence I have configured the global configuration command to enable hairpin
flow.

*same-security-traffic permit intra-interface*

I think after the traffic arrives, it enters the tunnel, so we don't
require any NAT to allow the incoming traffic, and also I don't require
source NAT; I need only destination NAT.

I have tried putting in the statements below, but it seems this static
(inside,inside) works for the source NAT but it didn't work for the
destination NAT. Please help me. Any ideas would be really appreciated...

static (inside,inside) 172.18.20.10 192.168.1.10 netmask 255.255.255.255 (not working)
static (inside,inside) 192.168.1.10 172.18.20.10 netmask 255.255.255.255 (not working)

Thanks & Regards
*Sathish...*

Received on Mon May 25 2009 - 13:49:23 ART
