2 Replies Latest reply: Mar 14, 2012 5:50 AM by euchime

    NAT with Virtual IP address

    euchime

      Greetings!

      I have a nagging question about NAT. I thought I nailed it down a long time ago, but as you know, knowledge goes stale if not used frequently.

      I am running an ASA5510 with OS 8.2.2. There are two web servers in the DMZ with virtual IP address 10.5.5.5. I want to NAT so users in the 10.6.6.0/24 network will be NATted to 10.5.5.5 to access the 10.5.5.0/24 network. For instance, http://10.6.6.6 will be translated to 10.5.5.5.

      The ASA has four interfaces configured (inside, outside, dmz and dept):

       

      interface GigabitEthernet0/0
      speed 1000
      duplex full
      nameif outside
      security-level 0
      ip address 1.1.1.1 255.255.255.0 standby 1.1.1.2
      !
      interface GigabitEthernet0/1
      speed 1000
      duplex full
      nameif inside
      security-level 100
      ip address 2.2.2.1 255.255.255.0 standby 2.2.2.2
      !
      interface GigabitEthernet0/2
      speed 1000
      duplex full
      nameif dept
      security-level 10
      ip address 10.6.6.1 255.255.255.128 standby 10.6.6.2

      interface GigabitEthernet1/1
      speed 1000
      duplex full
      nameif dmz
      security-level 50
      ip address 10.5.5.1 255.255.255.0 standby 10.5.5.2

      nat-control
      global (inside) 1 interface
      global (dept) 1 interface
      nat (inside) 0 access_nonat1
      nat (dept) 0 access_nonat2
      nat (dmz) 0 access_nonat3

      access-list dept_access extended permit tcp 10.6.6.0 255.255.255.0 10.5.5.0 255.255.255.0 eq 80
      static (dept,dmz) 10.5.5.5 10.6.6.6 netmask 255.255.255.255

      access-group in dept_access in interface dept
      access-group in dmz_access in interface dmz
      access-group in outside_access in interface outside

       

      This does not work. Then, when I added the following to NAT traffic from dmz back to dept, I get an asymmetric NAT error (reverse path failure):

      static (dmz,dept) 10.6.6.6  10.5.5.5 netmask 255.255.255.255

      What am I doing wrong?

      Thanks
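
Added example, not part of the original post and not Cisco code: a small Python check that decodes the two host statics quoted above using the ASA 8.2 form `static (real_ifc,mapped_ifc) mapped_ip real_ip` and flags any address that one rule maps onto an interface while another rule treats it as a real host there. The function names are hypothetical, and only `netmask 255.255.255.255` statics are handled.

```python
import re
from ipaddress import ip_address

# ASA 8.2 host static: static (real_ifc,mapped_ifc) mapped_ip real_ip netmask 255.255.255.255
STATIC_RE = re.compile(
    r"^\s*static\s+\((\w+),(\w+)\)\s+(\S+)\s+(\S+)\s+netmask\s+255\.255\.255\.255\s*$")

def parse_statics(config):
    """Return one dict per host static found in the config text."""
    rules = []
    for line in config.splitlines():
        m = STATIC_RE.match(line)
        if m:
            real_if, mapped_if, mapped_ip, real_ip = m.groups()
            rules.append({"real_if": real_if, "mapped_if": mapped_if,
                          "mapped_ip": ip_address(mapped_ip),
                          "real_ip": ip_address(real_ip)})
    return rules

def describe(rule):
    """Spell out which side sees the mapped address and which host it reaches."""
    return (f"hosts on {rule['mapped_if']} reach {rule['real_ip']} "
            f"(on {rule['real_if']}) by connecting to {rule['mapped_ip']}")

def collisions(rules):
    """Pairs where rule a's mapped address is rule b's real host on the same interface."""
    return [(a, b) for a in rules for b in rules
            if a is not b
            and a["mapped_if"] == b["real_if"]
            and a["mapped_ip"] == b["real_ip"]]

# The two static lines exactly as quoted in the post
POSTED = """
static (dept,dmz) 10.5.5.5 10.6.6.6 netmask 255.255.255.255
static (dmz,dept) 10.6.6.6  10.5.5.5 netmask 255.255.255.255
"""

if __name__ == "__main__":
    rules = parse_statics(POSTED)
    for r in rules:
        print(describe(r))
    for a, b in collisions(rules):
        print(f"{a['mapped_ip']} is mapped onto {a['mapped_if']} by one static "
              f"and is a real host on {b['real_if']} in another")
```

Decoded this way, the first static presents the dept host 10.6.6.6 to the dmz as 10.5.5.5, while the second presents the dmz address 10.5.5.5 to dept as 10.6.6.6, which is the direction described in the post's goal.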