Tuesday, May 11, 2021

NATing a destination IP on an ASA for a VPN connection - Can't ping but it works. Normal?

Hey All,

I have a site with a problem right now. Long story, and I realize this isn't ideal, but for now I've band-aided it with NAT so email can flow once again.

Source is 192.168.120.57. Destination is 192.168.198.134. They access each other via site-to-site VPN. Packets are dropping from 120.57 to 198.134, about 14%. I've band-aided it for now by NATing 192.168.198.134 to an unused IP on another subnet that also resides in the same facility as 192.168.198.134 and is also in the VPN tunnel ACL, which, for whatever reason, 120.57 has no problem reaching.

nat (inside,outside) source static obj_120.57 obj_120.57 destination static obj_198.134 obj_172.30.1.134 no-proxy-arp

That fixed the issue, BUT, from 192.168.120.57, I cannot ping the NATed IP of 198.134 (172.30.1.134). Is that by design, since technically that host machine doesn't physically exist? If so, I'm good with it. Just want to make sure I have it right. When I try, I get the rpf-check failure and the "asymmetric NAT rules detected for forward and reverse rules" message in the logs. I'm guessing that's because I'm NATing a private destination IP to another private destination IP and not an outside IP or the public interface IP.
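The check a practitioner would run before deciding whether the rpf-check drop is expected is packet-tracer, which shows the NAT rule (if any) each direction of a flow matches; the asymmetric-NAT drop is what the ASA reports when its forward lookup and its reverse-path lookup land on different rules. The following is an added example, not configuration from the original post: the three network objects are assumed from the object names in the post's nat line (their contents are inferred from the addresses the post gives), the interface names inside/outside come from that same line, and the TCP source port and the use of port 25 for the mail flow are assumptions.

```cisco
! Objects assumed from the nat line in the post; the names are the post's,
! the host addresses are inferred from the IPs it quotes.
object network obj_120.57
 host 192.168.120.57
object network obj_198.134
 host 192.168.198.134
object network obj_172.30.1.134
 host 172.30.1.134

! The manual (twice) NAT rule from the post. Note the ASA destination clause
! is written mapped-object first, then real-object.
nat (inside,outside) source static obj_120.57 obj_120.57 destination static obj_198.134 obj_172.30.1.134 no-proxy-arp

! Simulate the working mail flow: 120.57 sending to 198.134 on TCP/25
! (source port 12345 is arbitrary). Read the NAT phase to see which rule
! matched and what the destination was rewritten to.
packet-tracer input inside tcp 192.168.120.57 12345 192.168.198.134 25 detailed

! Simulate the failing ping: 120.57 sending ICMP echo (type 8, code 0)
! directly to 172.30.1.134. The output ends with the drop reason; an
! rpf-check / NAT reverse path failure here means the forward lookup and
! the reverse lookup did not agree on a rule.
packet-tracer input inside icmp 192.168.120.57 8 0 172.30.1.134 detailed

! Confirm the rule is the one being hit and watch translate_hits /
! untranslate_hits move as traffic flows.
show nat detail

! Counters for frames dropped by the reverse-path check.
show asp drop
```

Reading the two packet-tracer runs side by side is the quickest way to answer the question in the post: if the TCP run shows the nat rule matched and the ICMP run shows no forward match but an rpf-check drop, the ping failure is a consequence of how the rule is written rather than of the addresses being private.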


