Hi,
I've recently acquired ownership of our networking equipment while a new Network Engineer is being hired, and I'm having a bit of trouble around NATing. Specifically, I've just linked two sites via an ASA L2L tunnel, which works mostly fine; however, there is a quirk.
The two networks can connect to each other without incident, but you cannot ping/ssh the DMZ interface (used for management) on Network A's ASA from Network B's ASA and vice versa. All VMs in each network are pinging each other without issue.
See below:
Network A: networka-1# sh run interface
!
interface Ethernet1/1
description DMZ
nameif DMZ
security-level 50
ip address xxx.xxx.50.107 255.255.255.248 standby xxx.xxx.xxx.108
!
[...]
interface Ethernet1/5.50
description INET_COMCAST
vlan 50
nameif INET_COMCAST
security-level 0
ip address xxx.xxx.xxx.183 255.255.255.252
!
networka-1# sh run nat
nat (any,INET_COMCAST) source static netobj_local_network netobj_local_network destination static netobj_dr-network netobj_dr-network no-proxy-arp route-lookup
nat (any,INET_COMCAST) source static netobj_local_network netobj_local_network destination static netobj_client-vpn netobj_client-vpn no-proxy-arp route-lookup
!
Network B: networkb-1# sh run interface
!
interface Ethernet1/1
description DMZ
nameif DMZ
security-level 50
ip address xxx.xxx.150.107 255.255.255.248
!
[...]
interface Ethernet1/5.50
description INET_COMCAST
vlan 50
nameif INET_COMCAST
security-level 0
ip address xxx.xxx.xxx.201 255.255.255.252
!
networkb-1# sh run nat
nat (any,INET_COMCAST) source static netobj_local_network netobj_local_network destination static netobj_dr-network netobj_dr-network no-proxy-arp route-lookup
nat (any,INET_COMCAST) source static netobj_local_network netobj_local_network destination static netobj_client-vpn netobj_client-vpn no-proxy-arp route-lookup
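One thing worth checking from the configs above is whether the NAT exemption (identity twice-NAT) rules actually cover traffic sourced from the ASA's own DMZ interface address, since the post only shows that they cover the local network objects. The script below is an added example, not the poster's code: it parses the exact `nat (any,INET_COMCAST) source static ... destination static ...` lines shown and tests a source/destination pair against them. The object contents are not in the post, so the networks in `OBJECTS` and the test addresses are constructed assumptions (RFC 1918 / documentation ranges standing in for the masked addresses).

```python
import ipaddress
import re

# Constructed object definitions: the post does not show the network objects,
# so these prefixes are assumptions. Note the DMZ interface subnet
# (xxx.xxx.50.104/29 in the post) is deliberately NOT inside netobj_local_network.
OBJECTS = {
    "netobj_local_network": "10.10.0.0/16",
    "netobj_dr-network": "10.20.0.0/16",
    "netobj_client-vpn": "10.99.0.0/24",
}

# The two NAT lines exactly as shown in the post.
NAT_CONFIG = """
nat (any,INET_COMCAST) source static netobj_local_network netobj_local_network destination static netobj_dr-network netobj_dr-network no-proxy-arp route-lookup
nat (any,INET_COMCAST) source static netobj_local_network netobj_local_network destination static netobj_client-vpn netobj_client-vpn no-proxy-arp route-lookup
"""

# ASA twice-NAT syntax: "source static REAL MAPPED destination static MAPPED REAL".
NAT_RE = re.compile(
    r"nat \((?P<src_if>[^,]+),(?P<dst_if>[^)]+)\) source static (?P<src_real>\S+) (?P<src_mapped>\S+)"
    r" destination static (?P<dst_mapped>\S+) (?P<dst_real>\S+)"
)


def parse_nat(config):
    """Return a list of dicts, one per parsable twice-NAT line."""
    rules = []
    for line in config.strip().splitlines():
        m = NAT_RE.match(line.strip())
        if m:
            rules.append(m.groupdict())
    return rules


def exempt_rule(rules, src_ip, dst_ip):
    """Return the first identity (exemption) rule matching src->dst, else None."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in rules:
        identity = r["src_real"] == r["src_mapped"] and r["dst_real"] == r["dst_mapped"]
        src_net = ipaddress.ip_network(OBJECTS[r["src_real"]])
        dst_net = ipaddress.ip_network(OBJECTS[r["dst_real"]])
        if identity and src in src_net and dst in dst_net:
            return r
    return None


RULES = parse_nat(NAT_CONFIG)


def is_exempt(src_ip, dst_ip):
    """True when src->dst is identity-NATed (i.e. left untranslated for the tunnel)."""
    return exempt_rule(RULES, src_ip, dst_ip) is not None
```

Under these constructed objects a VM-to-VM flow (10.10.1.5 to 10.20.1.5) is exempted, while a flow sourced from a DMZ interface address outside the local object (192.0.2.107 standing in for xxx.xxx.50.107) is not, which is the kind of gap that leaves the firewall's own management address out of the tunnel. Separately, an ASA only answers ping/SSH on an interface other than the tunnel-terminating one when that interface is enabled with the `management-access` command, so that is worth verifying alongside the NAT and crypto ACL coverage.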