global NAT - now need some dynamic policy NAT

AndyWaldoz
Level 1

Hi,

We've got a global NAT rule

static (inside,outside) interior-192.168.0.0 interior-192.168 netmask 255.255.0.0

But now we need some dynamic policy NAT:

access-list inside_nat_outbound line 1 extended permit ip 192.168.0.0 255.255.0.0 host 217.77.27.188

global (outside) 1 193.14.22.1-193.14.22.10 netmask 255.0.0.0

The problem is, when we connect to the external network where we need to be NATted (217.77.27.188), we always fall on the global NAT rule, which is needed for other purposes.

Is there a way to use the global NAT rule but also use a dynamic policy NAT but with same networks?

6 Replies

Collin Clark
VIP Alumni

I would like to verify: your internal users need to access resources on the 'outside'. There are two IP ranges on the outside, 193.14.22.x and 217.77.27.x. Users need to access both, but right now they can only access 193.14.22.x resources because the 217.77.27.x NAT never gets used. Is that correct? Are either of these internet connections, or are they partner/B2B type connections?

Where is the nat (inside) 1 command to match the ACL that you created?

AndyWaldoz
Level 1

nat (inside) 1 access-list inside_nat_outbound tcp 0 0 udp 0

Maybe clarify some more.

When the users need to access 217.77.27.188 (partner connection), they need to use a NAT pool (193.14.22.1-193.14.22.10).

But the users also need to access the outside interface un-NATted. The problem is that they always access the outside un-NATted, and the dynamic NAT rule is not used when they access 217.77.27.188.

As far as I know you can not set NAT by destination address. I would create another interface for the partner connection.

Ok, I see the problem. It's the order of commands for how NAT is set up.

Order is this:

NAT Exemption

Static NAT/Static PAT

Policy NAT

Regular dynamic NAT

For all the regular traffic you're at the static NAT, but the policy you're configuring is at Policy NAT.

You can either configure static policy NAT or change the global static NAT that you have to a dynamic NAT policy to move it farther down the food chain.

Let me know if this resolves what you are looking to do.

Thanks
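To see why the policy rule never fires, here is an added Python model (not from this thread or from Cisco) of the lookup order listed above, run over the rules posted in this thread. The rule names, the sample inside host, the choice of the first pool address and the handling of nat-control are my own simplifications, not ASA behaviour in detail.

```python
import ipaddress

# Lookup order for the classic (nat/global command) ASA NAT model, as listed above.
ORDER = ["exemption", "static", "policy", "dynamic"]

def in_net(ip, net):
    """True when net is a wildcard (None) or contains ip."""
    return net is None or ipaddress.ip_address(ip) in ipaddress.ip_network(net)

def lookup(rules, src, dst, nat_control=True):
    """Return (rule name, translated source) for the first rule that matches in ORDER.
    An unmatched packet is dropped with nat-control on, or passed untranslated with it off."""
    for category in ORDER:
        for rule in rules:
            if rule["type"] == category and in_net(src, rule["src"]) and in_net(dst, rule["dst"]):
                return rule["name"], rule["translate"](src)
    return ("dropped", None) if nat_control else ("untranslated", src)

# Rules from the thread. Translation is simplified: identity keeps the source address,
# and the pool always hands out its first address (a real ASA walks the whole pool).
STATIC_IDENTITY = {
    "name": "static (inside,outside) 192.168.0.0/16 identity", "type": "static",
    "src": "192.168.0.0/16", "dst": None, "translate": lambda s: s,
}
POLICY_PARTNER = {
    "name": "nat (inside) 1 access-list inside_nat_outbound", "type": "policy",
    "src": "192.168.0.0/16", "dst": "217.77.27.188/32", "translate": lambda s: "193.14.22.1",
}

INSIDE_HOST = "192.168.10.5"   # constructed sample client on the inside

def scenario_original():
    """Both rules present: the static entry wins, so partner traffic leaves untranslated."""
    return lookup([STATIC_IDENTITY, POLICY_PARTNER], INSIDE_HOST, "217.77.27.188")

def scenario_no_nat_control():
    """Static rule removed and nat-control off: policy NAT fires for the partner host only."""
    rules = [POLICY_PARTNER]
    partner = lookup(rules, INSIDE_HOST, "217.77.27.188", nat_control=False)
    other = lookup(rules, INSIDE_HOST, "203.0.113.9", nat_control=False)  # any other outside host
    return partner, other

if __name__ == "__main__":
    print("original config:", scenario_original())
    print("no nat-control: ", scenario_no_nat_control())
```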

AndyWaldoz
Level 1

Thanks for the answers, but I think I found the solution.

I was working on an ASA that had the config of an old PIX.

From the things I've read (I'm not a PIX/ASA expert), in the old versions of PIX you needed a NAT rule for all the traffic that goes through the PIX.

Since version 7.0 this is not needed with the 'no nat-control' command.

So traffic will go through the ASA un-NATted. I can suspend most of the old static NAT rules and after that add the dynamic rule.

Gonna try that next week...
