So I'm hoping someone can help me out with this as I am really not understanding why this traffic is not being unNATed on this Cisco ASA 5512x
I can prove that the traffic is being sent and received from the WAN interface with a packet cap:
1: 05:53:52.236056 173.197.56.174 > 8.8.8.8: icmp: echo request
2: 05:53:52.268083 8.8.8.8 > X.X.X.X: icmp: echo reply
The same cap applied to the inside interface, however, does not show the replies:
1: 05:54:23.694711 192.168.51.2 > 8.8.8.8: icmp: echo request
2: 05:54:25.696512 192.168.51.2 > 8.8.8.8: icmp: echo request
3: 05:54:27.712426 192.168.51.2 > 8.8.8.8: icmp: echo request
4: 05:54:29.714776 192.168.51.2 > 8.8.8.8: icmp: echo request
The relevant config should be as follows:
KC-ASA(config-router)# sh run nat
nat (INSIDE,OUTSIDE) source static VPN VPN destination static VPN_HQ VPN_HQ no-proxy-arp route-lookup
!
nat (any,OUTSIDE) after-auto source dynamic any interface
KC-ASA(config-router)# sh ip ad
System IP Addresses:
Interface           Name     IP address      Subnet mask       Method
GigabitEthernet0/0  INSIDE   192.168.51.1    255.255.255.0     CONFIG
GigabitEthernet0/2  TEST     192.168.151.1   255.255.255.252   manual
GigabitEthernet0/4  OUTSIDE  X.X.X.X         255.255.255.252   CONFIG
Current IP Addresses:
Interface           Name     IP address      Subnet mask       Method
GigabitEthernet0/0  INSIDE   192.168.51.1    255.255.255.0     CONFIG
GigabitEthernet0/2  TEST     192.168.151.1   255.255.255.252   manual
GigabitEthernet0/4  OUTSIDE  X.X.X.X         255.255.255.252   CONFIG
Given the simplicity of the setup I don't understand what I'm missing. Connectivity tests from the ASA to the Internet as well as the internal L2/3 infrastructure have been thoroughly tested and are working fine. The L2L VPN (referenced by the first NAT line) is even working flawlessly. Anything going from INSIDE to the Internet, though, appears to be not NATed as it re-enters the INSIDE interface. I can provide additional information upon request, and I should mention that both of the same-security commands have been applied to this device.
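The checks below are an added diagnostic sequence for this kind of ASA NAT problem; they are not part of the original post and were not run on the poster's device. The interface names (INSIDE, OUTSIDE) and addresses (192.168.51.2, 8.8.8.8) are taken from the post; the capture names "in" and "out" are arbitrary. packet-tracer makes the ASA walk a synthetic echo request through its own ACL, NAT and inspection phases and report which rule matched in each, which is the fastest way to see whether the after-auto rule is being hit and what address the reply is expected back on.

```text
! Added diagnostic, not from the original post. Only names/addresses from the
! post are used; "in"/"out" are arbitrary capture names.

! 1. Trace an inside-to-outside echo request (ICMP type 8, code 0) through
!    the ASA and see which NAT rule and policy each phase selects.
packet-tracer input INSIDE icmp 192.168.51.2 8 0 8.8.8.8 detailed

! 2. Show the NAT table in evaluation order with hit counters. The
!    "after-auto" rule lives in section 3; its translate_hits should
!    increase with every ping sent from INSIDE.
show nat detail

! 3. Confirm the xlate and connection entries the request is expected to
!    create (the reply is un-NATed by matching these).
show xlate
show conn address 192.168.51.2

! 4. Check whether ICMP is inspected in the global policy. Without
!    "inspect icmp", the ASA does not treat an echo reply as return traffic
!    of the outbound request; it needs an explicit inbound ACL instead.
show run policy-map
show service-policy inspect icmp

! 5. Capture the same ping on both interfaces so the request on OUTSIDE and
!    the reply on INSIDE (or its absence) can be compared side by side.
capture in interface INSIDE match icmp host 192.168.51.2 host 8.8.8.8
capture out interface OUTSIDE match icmp any host 8.8.8.8
show capture in
show capture out
```

In the packet-tracer output, the NAT phase names the rule that matched and the translated source; the final "Result" line states the input and output interfaces and whether the packet was allowed. A drop in the NAT or inspection phase, or a section-3 rule whose hit counters never move, narrows the problem to the translation itself rather than to routing or the upstream device.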