Thursday, December 28, 2017

Cisco ASA Port Forwarding Issue

I'm running into an issue where placement of NAT rules is breaking my port forwarding rules. I figure it's a simple mistake/oversight on my part that can probably be answered quickly without posting the config.

Three interfaces. Outside, customerA, and customerB. I have PF rules (NAT object) for customerA. After that I have two basic NAT overload rules for customerA and customerB to allow inside to outside traffic.

If I move customerB's NAT rule in front of customerA's PF rules, they break and the server is no longer accessible from the Internet. They are very different, non-overlapping subnets (192.168 and 172.17). Nothing shows up in the ASA logs about a denied connection or a connection being built at all, and I cannot access the server.

Any idea why this would happen?

I can move S2S VPN NAT rules for other remote sites in front of the PF rules and the PF for customerA still works. It just doesn't like customerB's inside-to-outside NAT overload in front of it.

Appreciate the suggestions! I can sanitize the config and post it if necessary, but NAT rules in question are as basic as explained.

EDIT:

nat (inside,outside) source static SanDiegoFO SanDiegoFO destination static HQ HQ no-proxy-arp route-lookup
!
object network TrackUserUDP
nat (inside,outside) static interface service udp 30014 30014
object network TrackUserTCP
nat (inside,outside) static interface service tcp 30014 30014
object network TrackDeviceTCP
nat (inside,outside) static interface service tcp 30015 30015
object network TrackDeviceUDP
nat (inside,outside) static interface service udp 30015 30015
!
nat (TSCM,outside) after-auto source dynamic any interface
nat (inside,outside) after-auto source dynamic any interface

object network TrackUserUDP
host 172.17..
object network TrackUserTCP
host 172.17..
object network TrackDeviceTCP
host 172.17..
object network TrackDeviceUDP
host 172.17..

TSCM interface is 192.168.., inside interface is 172.17..
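To make the rule-ordering question concrete, here is a small added model of the ASA's three-section NAT lookup (illustration written for this page, not ASA code or the poster's config); the host 172.17.0.10 and the rule labels are constructed placeholders for the elided addresses above.

```python
# Simplified model of the Cisco ASA NAT table order (added illustration, not ASA code).
# The ASA evaluates NAT in three sections, first match wins:
#   1 = manual (twice) NAT, in configuration order
#   2 = object (auto) NAT: static entries before dynamic, then by object name
#       (the real ASA also sorts by prefix length and IP; omitted here)
#   3 = manual NAT entered with "after-auto", in configuration order
# A rule's line position in the running config only matters inside its own section.
import ipaddress
from dataclasses import dataclass, field
from itertools import count

_seq = count()  # stands in for configuration line order

@dataclass
class NatRule:
    name: str
    section: int          # 1, 2 or 3
    real_ifc: str         # interface the real address lives on; "any" allowed
    real_net: str         # "any" or a host/CIDR (constructed sample values below)
    kind: str             # "static" or "dynamic"
    proto: str = "any"    # set for service (port-forward) entries
    port: int = 0
    order: int = field(default_factory=lambda: next(_seq))

def table_order(rules):
    """Return the rules in ASA evaluation order."""
    def key(r):
        within = (0 if r.kind == "static" else 1, r.name) if r.section == 2 else (r.order,)
        return (r.section, *within)
    return sorted(rules, key=key)

def matches(rule, ifc, src_ip, proto, port):
    if rule.real_ifc not in ("any", ifc):
        return False
    if rule.real_net != "any" and ipaddress.ip_address(src_ip) not in ipaddress.ip_network(rule.real_net):
        return False
    return not rule.port or (rule.proto, rule.port) == (proto, port)

def lookup(rules, ifc, src_ip, proto="tcp", port=0):
    """Name of the first rule matching traffic from src_ip arriving on ifc, or None."""
    return next((r.name for r in table_order(rules) if matches(r, ifc, src_ip, proto, port)), None)

def build(catchall_after_auto=True):
    """The page's rule shapes; 172.17.0.10 is a constructed stand-in for the elided host."""
    rules = [
        NatRule("TrackUserTCP", 2, "inside", "172.17.0.10/32", "static", "tcp", 30014),
        NatRule("TrackDeviceTCP", 2, "inside", "172.17.0.10/32", "static", "tcp", 30015),
    ]
    sec = 3 if catchall_after_auto else 1  # "after-auto" moves the overload to section 3
    rules.insert(0, NatRule("inside-overload", sec, "inside", "any", "dynamic"))
    rules.insert(0, NatRule("TSCM-overload", sec, "TSCM", "any", "dynamic"))
    return rules
```

The model covers only the real-to-mapped lookup direction, so it shows how a catch-all overload without after-auto is consulted ahead of the object NAT entries, not the inbound untranslate path the question is about.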
