Hi guys, I'm a little confused about my config for an ASA I have here, I was hoping someone could point me in the right direction.
It's a fairly standard setup:
Internal, dmz and outside interfaces.
interface Ethernet0/0
speed 10
duplex full
nameif outside
security-level 0
ip address 116.X.X.41 255.255.255.252
interface Ethernet0/1
nameif inside
security-level 100
ip address 192.X.X.20 255.255.255.0
interface Ethernet0/2
nameif dmz
security-level 50
ip address 172.X.X.1 255.255.255.0
global (outside) 1 interface
nat (inside) 0 access-list Inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz) 1 172.X.X.0 255.255.255.0
nat (management) 0 access-list Inside_nat0_outbound
nat (management) 1 192.10.201.0 255.255.255.0
route outside 0.0.0.0 0.0.0.0 116.X.X.42 1 (Next Hop BGP Router)
I can provide other parts of config if needed
The problem seems to be that when I route traffic to the inside interface of the ASA, unless I specify a route for its destination it attempts to translate from the inside interface back to the inside interface.
For example we have some phone software that requires to get to 210.50.23.6.
We don't have a default route out to the internet, but I distributed a static route at our core to pass this traffic to the ASA. From my syslog I could see the following:
portmap translation creation failed for tcp src inside:192.X.X.214/1537 dst inside:210.50.23.6/2208
I could see from this message it was trying to translate to the same interface... So I added a specific route for 210.50.23.6
route outside 210.50.23.6 255.255.255.255 116.X.X.42 1
And it started working:
Built outbound TCP connection 1091413 for outside:210.50.23.6/2208 (210.50.23.6/2208) to inside:192.X.X.214/1546 (116.X.X.41/40740)
So my question is why doesn't the global rule combined with the default route (route outside 0.0.0.0 0.0.0.0 116.X.X.42 1) handle this?
I'm guessing that my lazy internal nat rule (nat (inside) 1 0.0.0.0 0.0.0.0) is causing problems?
Any help with this would be much appreciated! Thanks!
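Added example (not from the original post): a small Python check over the two ASA syslog message formats quoted above. It flags flows where the interface the ASA chose for the destination equals the interface the packet arrived on, which is the same-interface translation the post describes, and lists the destinations worth checking against the routing table. The sample log text is constructed from the quoted lines; the third line is an invented contrast case.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample, modelled on the two ASA syslog lines quoted in the post; the third
# line is an invented contrast case (different ingress/egress interfaces). The "X" octets
# are kept exactly as the post shows them, so the patterns accept them.
SAMPLE_SYSLOG = """\
portmap translation creation failed for tcp src inside:192.X.X.214/1537 dst inside:210.50.23.6/2208
Built outbound TCP connection 1091413 for outside:210.50.23.6/2208 (210.50.23.6/2208) to inside:192.X.X.214/1546 (116.X.X.41/40740)
portmap translation creation failed for udp src dmz:172.X.X.50/5060 dst outside:210.50.23.6/5060
"""
# "portmap translation creation failed": the ASA could not build a PAT entry;
# src/dst each carry the interface the ASA used for that side of the flow.
PORTMAP_FAIL = re.compile(
    r"portmap translation creation failed for (?P<proto>\w+) "
    r"src (?P<src_if>[\w-]+):(?P<src>[\w.]+)/(?P<sport>\d+) "
    r"dst (?P<dst_if>[\w-]+):(?P<dst>[\w.]+)/(?P<dport>\d+)")
# "Built outbound ... connection": first pair is the far end, second pair is the
# inside host with its mapped (PAT) address in parentheses.
BUILT_CONN = re.compile(
    r"Built (?P<dir>inbound|outbound) (?P<proto>\w+) connection (?P<id>\d+) "
    r"for (?P<a_if>[\w-]+):(?P<a>[\w.]+)/\d+ \([\w.]+/\d+\) "
    r"to (?P<b_if>[\w-]+):(?P<b>[\w.]+)/\d+ \((?P<mapped>[\w.]+)/(?P<mport>\d+)\)")

@dataclass
class Finding:
    kind: str         # same_interface_nat | nat_failure | translated
    ingress_if: str   # interface the original packet arrived on
    egress_if: str    # interface the ASA chose for the destination
    dst: str
    detail: str

def classify_line(line: str) -> Optional[Finding]:
    """Map one syslog line to a Finding, or None for message types not modelled here."""
    if m := PORTMAP_FAIL.match(line):
        kind = "same_interface_nat" if m["src_if"] == m["dst_if"] else "nat_failure"
        return Finding(kind, m["src_if"], m["dst_if"], m["dst"], f"{m['proto']} {m['src']}:{m['sport']}")
    if m := BUILT_CONN.match(line):
        return Finding("translated", m["b_if"], m["a_if"], m["a"], f"PAT {m['mapped']}/{m['mport']}")
    return None

def audit(syslog_text: str) -> List[Finding]:
    return [f for f in map(classify_line, syslog_text.splitlines()) if f]

def missing_route_candidates(syslog_text: str) -> List[str]:
    """Destinations the ASA tried to send back out the ingress interface: these are the
    prefixes to look up in the routing table (the post fixed 210.50.23.6 with a host route)."""
    return sorted({f.dst for f in audit(syslog_text) if f.kind == "same_interface_nat"})
```

Running `missing_route_candidates` over a day of ASA syslog gives the list of destinations whose egress lookup landed on the ingress interface, which is the symptom to correlate with `show route` before touching the NAT rules.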