What NAT are you putting in that's breaking the access- the nat (dmz2) global?
Can you provide the actual access-lists? I suspect your no-nat or nat sysopt is the issue.
Regards,
Jay McMickle- CCNP,CCSP,CCDP
Sent from my iPhone
http://mycciepursuit.wordpress.com
On Sep 21, 2011, at 8:10 PM, Christopher Copley <copley.chris_at_gmail.com> wrote:
> Group,
>
> I have a puzzling NAT problem with my ASA and need some help. I have a 4
> interface ASA, Outside, Inside, DMZ1, & DMZ2. Going out to Outside I have
> 2 Lan2Lan VPNs to 2 different sites. On DMZ1 the servers all have internet
> access via PAT on the outside interface. I want to do the same to DMZ2
> servers, but every time I create the NAT the servers can access the internet,
> but users at remote site2 lose connection to the servers. Below are the
> config sections, can someone point me in the correct direction? I want
> both DMZ servers to PAT to the OUTSIDE interface when they access the
> internet. Can someone tell me what I am doing wrong? I am sure it is
> something simple that I am blanking on.
>
> interface GigabitEthernet0/0
>  description TO INTERNET
>  nameif OUTSIDE
>  security-level 0
>  ip address 1.1.1.1 255.255.255.192
>
> interface GigabitEthernet0/1
>  description TO DMZ1 SERVERS
>  nameif DMZ1
>  security-level 10
>  ip address 10.99.3.1 255.255.255.0
>
> interface GigabitEthernet0/3
>  description TO INSIDE
>  nameif INSIDE
>  security-level 80
>  ip address 10.173.28.4 255.255.255.0
>
> interface GigabitEthernet1/3
>  description TO DMZ2 SERVERS
>  nameif DMZ2
>  security-level 10
>  ip address 10.19.152.49 255.255.255.240
>
> global (OUTSIDE) 1 interface
> nat (DMZ1) 0 access-list NO-NAT
> nat (DMZ1) 1 0.0.0.0 0.0.0.0
> nat (DMZ2) 1 0.0.0.0 0.0.0.0
>
>
> access-list VPNSITE1 extended permit ip object-group DMZ1-NET object-group VPN-SITE1
> access-list VPNSITE2 extended permit ip object-group DMZ2-NET object-group VPN-SITE2
>
> access-list NO-NAT extended permit ip object-group DMZ1-NET object-group VPN-SITE1
> access-list NO-NAT extended permit ip object-group DMZ2-NET object-group VPN-SITE2
>
> crypto map VPN-MAP 10 match address VPNSITE1
> crypto map VPN-MAP 10 set peer 10.10.164.185
> crypto map VPN-MAP 10 set transform-set VPN1SET
> crypto map VPN-MAP 11 match address VPNSITE2
> crypto map VPN-MAP 11 set peer 10.10.198.202
> crypto map VPN-MAP 11 set transform-set VPN2SET
>
>
>
>
> --
> Christopher D. Copley
> copley.chris_at_gmail.com
>
>
> Blogs and organic groups at http://www.ccie.net
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
Received on Thu Sep 22 2011 - 07:24:42 ART
This archive was generated by hypermail 2.2.0 : Sat Oct 01 2011 - 07:26:25 ART