ASA Nat problem

From: Christopher Copley <copley.chris_at_gmail.com>
Date: Wed, 21 Sep 2011 21:10:55 -0400

Group,

I have a puzzling NAT problem with my ASA and need some help. I have a 4
interface ASA: Outside, Inside, DMZ1, & DMZ2. Going out to Outside I have
2 Lan2Lan VPNs to 2 different sites. On DMZ1 the servers all have internet
access via PAT on the outside interface. I want to do the same for the DMZ2
servers, but every time I create the NAT the servers can access the internet,
but users at remote site2 lose connection to the servers. Below are the
config sections; can someone point me in the correct direction? I want
both DMZ servers to PAT to the OUTSIDE interface when they access the
internet. Can someone tell me what I am doing wrong? I am sure it is
something simple that I am blanking on.

interface GigabitEthernet0/0
 description TO INTERNET
 nameif OUTSIDE
 security-level 0
 ip address 1.1.1.1 255.255.255.192

interface GigabitEthernet0/1
 description TO DMZ1 SERVERS
 nameif DMZ1
 security-level 10
 ip address 10.99.3.1 255.255.255.0

interface GigabitEthernet0/3
 description TO INSIDE
 nameif INSIDE
 security-level 80
 ip address 10.173.28.4 255.255.255.0

interface GigabitEthernet1/3
 description TO DMZ2 SERVERS
 nameif DMZ2
 security-level 10
 ip address 10.19.152.49 255.255.255.240

global (OUTSIDE) 1 interface
nat (DMZ1) 0 access-list NO-NAT
nat (DMZ1) 1 0.0.0.0 0.0.0.0
nat (DMZ2) 1 0.0.0.0 0.0.0.0

access-list VPNSITE1 extended permit ip object-group DMZ1-NET object-group VPN-SITE1
access-list VPNSITE2 extended permit ip object-group DMZ2-NET object-group VPN-SITE2

access-list NO-NAT extended permit ip object-group DMZ1-NET object-group VPN-SITE1
access-list NO-NAT extended permit ip object-group DMZ2-NET object-group VPN-SITE2

crypto map VPN-MAP 10 match address VPNSITE1
crypto map VPN-MAP 10 set peer 10.10.164.185
crypto map VPN-MAP 10 set transform-set VPN1SET
crypto map VPN-MAP 11 match address VPNSITE2
crypto map VPN-MAP 11 set peer 10.10.198.202
crypto map VPN-MAP 11 set transform-set VPN2SET

-- 
Christopher D. Copley
copley.chris_at_gmail.com
Received on Wed Sep 21 2011 - 21:10:55 ART
