Hi

I am working on Lab 16 task 4.3. It's about easy vpn client on ASA outside
connecting to easy vpn server on ASA dmz. I can't get the vpn-traffic through,
and I can't see why. I am pretty sure it's a NAT-issue. Look:

%ASA-2-106006: Deny inbound UDP from 200.13.24.100/1096 to 200.13.24.7/500 on interface outside
%ASA-2-106006: Deny inbound UDP from 200.13.24.100/1096 to 200.13.24.7/500 on interface outside

This is the relevant part of the ASA config:

ASA/act(config)# sh run nat
nat (inside) 0 access-list NONAT
nat (inside) 2 access-list natR2
nat (inside) 4 access-list natR4
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz) 7 172.16.7.0 255.255.255.0

ASA/act(config)# sh run global
global (outside) 1 200.13.24.120-200.13.24.138
global (outside) 7 200.13.24.101-200.13.24.118
global (outside) 2 200.13.24.20
global (outside) 4 200.13.24.21
global (outside) 1 200.13.24.139
global (outside) 7 200.13.24.119

ASA/act(config)# sh run static
static (inside,outside) tcp 200.13.24.11 8080 1.1.1.1 8080 netmask 255.255.255.255
static (dmz,outside) 200.13.24.111 172.16.7.111 netmask 255.255.255.255
static (dmz,outside) 200.13.24.112 172.16.7.112 netmask 255.255.255.255
static (dmz,outside) 200.13.24.113 172.16.7.113 netmask 255.255.255.255
static (inside,outside) 200.13.24.100 172.16.11.100 netmask 255.255.255.255
static (dmz,outside) 200.13.24.7 172.16.7.7 netmask 255.255.255.255

ASA/act(config)# sh ip
System IP Addresses:
Interface                Name                   IP address      Subnet mask     Method
Ethernet0/0              outside                200.13.24.9     255.255.255.0   manual
Ethernet0/1              inside                 172.16.10.9     255.255.255.0   manual
Ethernet0/2              dmz                    172.16.7.9      255.255.255.0   manual
Ethernet0/3              FAIL                   172.16.222.1    255.255.255.0   unset

I have an acl on outside on which I've added a permit ip any any log at the
end, but the traffic never hits the acl.

As far as I can see the ezvpn-server on 172.16.7.7 should be accessible from
outside by using 200.13.24.7 (which is the IP I use in the vpn client). But
all I get is the log message above...

Thanks in advance
Br Jimmy


-- 
-------
Jimmy Larsson
Ryavagen 173
s-26030 Vallakra
Sweden
http://blogg.kvistofta.nu
-------
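
Added example, not part of the original post: a Python script that resolves the addresses in the 106006 deny lines against the `static` table quoted above, as a first triage step for NAT-related denies. The config and log lines are copied from the post; the function names are hypothetical.

```python
import re

# Copied from the post: the static translations and the repeated deny message.
STATIC_CONFIG = """\
static (inside,outside) tcp 200.13.24.11 8080 1.1.1.1 8080 netmask 255.255.255.255
static (dmz,outside) 200.13.24.111 172.16.7.111 netmask 255.255.255.255
static (dmz,outside) 200.13.24.112 172.16.7.112 netmask 255.255.255.255
static (dmz,outside) 200.13.24.113 172.16.7.113 netmask 255.255.255.255
static (inside,outside) 200.13.24.100 172.16.11.100 netmask 255.255.255.255
static (dmz,outside) 200.13.24.7 172.16.7.7 netmask 255.255.255.255
"""
SYSLOG = """\
%ASA-2-106006: Deny inbound UDP from 200.13.24.100/1096 to 200.13.24.7/500 on interface outside
%ASA-2-106006: Deny inbound UDP from 200.13.24.100/1096 to 200.13.24.7/500 on interface outside
"""

STATIC_RE = re.compile(
    r"^static \((?P<real_if>\w+),(?P<mapped_if>\w+)\) (?:(?P<proto>tcp|udp) )?"
    r"(?P<mapped>[\d.]+)(?: (?P<mport>\d+))? (?P<real>[\d.]+)(?: \d+)? netmask", re.M)
DENY_RE = re.compile(
    r"%ASA-2-106006: Deny inbound UDP from (?P<src>[\d.]+)/(?P<sport>\d+) "
    r"to (?P<dst>[\d.]+)/(?P<dport>\d+) ?on interface (?P<ifc>\S+)")

def parse_statics(config):
    """Return one dict per static command (keys are the STATIC_RE group names)."""
    return [m.groupdict() for m in STATIC_RE.finditer(config)]

def lookup(statics, ip, proto, port):
    """Find the static whose mapped address (and port, for port redirects) matches."""
    for s in statics:
        if s["mapped"] != ip:
            continue
        if s["proto"] and (s["proto"], s["mport"]) != (proto, port):
            continue
        return s
    return None

def explain_denies(log, statics):
    """Resolve source and destination of each 106006 line to (real IP, interface)."""
    results = []
    for m in DENY_RE.finditer(log):
        src = lookup(statics, m["src"], "udp", m["sport"])
        dst = lookup(statics, m["dst"], "udp", m["dport"])
        results.append({
            "logged_interface": m["ifc"],
            "src_real": (src["real"], src["real_if"]) if src else None,
            "dst_real": (dst["real"], dst["real_if"]) if dst else None,
        })
    return results

if __name__ == "__main__":
    for row in explain_denies(SYSLOG, parse_statics(STATIC_CONFIG)):
        print(row)
```

For the lines in the post, the source 200.13.24.100 resolves to the static for inside host 172.16.11.100 and the destination 200.13.24.7 resolves to 172.16.7.7 on dmz, while the deny is logged on interface outside.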