NAT group-nesting problem

Unanswered Question
May 30th, 2008

Hi all,

We are having a problem with exempt-NATting using an ASA 5520.

The top rule in my NAT table was as follows:

access-list MPLSv_nat0_outbound line 1 extended permit ip object-group Vanco-remote object-group Vanco

That group is configured as follows:

object-group network Vanco
 network-object 192.168.0.0 255.255.0.0
 group-object Vanco-remote
!
object-group network Vanco-remote
 network-object BE01-Vanco 255.255.255.0
 network-object BE10 255.255.255.0
 network-object BE10-Aastra 255.255.255.0
 group-object BE-Peltracom
 network-object BE11 255.255.255.0
 group-object Hotcuisine-Vanco
 network-object BG01 255.255.192.0
 network-object PL01 255.255.192.0
 network-object 10.7.0.0 255.255.192.0
!
object-group network Hotcuisine-Vanco
 network-object US01 255.255.252.0
 network-object BE06 255.255.255.0
 network-object BE06-Aastra 255.255.255.0
 network-object BE05 255.255.255.0
 network-object BE05-Aastra 255.255.255.0
 network-object 192.169.223.0 255.255.255.0
!
object-group network Hotcuisine
 network-object 192.168.60.0 255.255.255.0
 group-object Hotcuisine-Vanco

So, group nesting is as follows:

Vanco -> Vanco-remote -> Hotcuisine-Vanco

So, while the natting rule

access-list MPLSv_nat0_outbound line 1 extended permit ip object-group Vanco-remote object-group Vanco

DOES NOT work, the following two lines DO work:

access-list MPLSv_nat0_outbound line 1 extended permit ip object-group Vanco-remote 192.168.0.0 255.255.0.0

access-list MPLSv_nat0_outbound line 2 extended permit ip object-group Vanco-remote object-group Vanco-remote

While group Vanco includes both 192.168.0.0 255.255.0.0 and object-group Vanco-remote.

Does anybody know an answer to this problem? Does NAT allow only 1 level of nesting?

Thanks.

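When an ACE that references a nested group does not match traffic it should, the first thing to verify is what the group actually expands to and how deep the nesting goes. The script below is an added example for that purpose, written for this page; it is not code from the original poster or from Cisco. It parses `object-group network` definitions in the format shown in the post, flattens nested `group-object` references, reports the nesting depth, lists groups that are referenced but never defined, and checks whether a given address falls inside the flattened group. The sample configuration is constructed from the groups in the post; the hostnames such as BE01-Vanco are ASA `name` aliases whose addresses the post does not show, so they are carried through as unresolved symbols rather than invented, and BE-Peltracom is reported as undefined because its definition is not on the page.

```python
import ipaddress
import re

# Constructed sample: the object-group definitions quoted in the post.
# Name aliases (BE01-Vanco, BE10, ...) are not resolvable from the post and
# are kept as symbols; BE-Peltracom is referenced but never defined here.
SAMPLE_CONFIG = """
object-group network Vanco
 network-object 192.168.0.0 255.255.0.0
 group-object Vanco-remote
!
object-group network Vanco-remote
 network-object BE01-Vanco 255.255.255.0
 network-object BE10 255.255.255.0
 network-object BE10-Aastra 255.255.255.0
 group-object BE-Peltracom
 network-object BE11 255.255.255.0
 group-object Hotcuisine-Vanco
 network-object BG01 255.255.192.0
 network-object PL01 255.255.192.0
 network-object 10.7.0.0 255.255.192.0
!
object-group network Hotcuisine-Vanco
 network-object US01 255.255.252.0
 network-object BE06 255.255.255.0
 network-object BE06-Aastra 255.255.255.0
 network-object BE05 255.255.255.0
 network-object BE05-Aastra 255.255.255.0
 network-object 192.169.223.0 255.255.255.0
!
object-group network Hotcuisine
 network-object 192.168.60.0 255.255.255.0
 group-object Hotcuisine-Vanco
"""


def parse_object_groups(text):
    """Return {group_name: [("net", addr, mask) | ("group", name), ...]}."""
    groups = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        m = re.fullmatch(r"object-group network (\S+)", line)
        if m:
            current = m.group(1)
            groups.setdefault(current, [])
            continue
        if current is None:
            continue  # line outside any group definition
        m = re.fullmatch(r"network-object (\S+) (\S+)", line)
        if m:
            groups[current].append(("net", m.group(1), m.group(2)))
            continue
        m = re.fullmatch(r"group-object (\S+)", line)
        if m:
            groups[current].append(("group", m.group(1)))
    return groups


def expand(groups, name, _stack=()):
    """Flatten a group into (addr, mask) pairs, recursing through group-object.
    Undefined groups expand to nothing; a circular reference is an error."""
    if name in _stack:
        raise ValueError("circular group reference: " + " -> ".join(_stack + (name,)))
    members = []
    for kind, *args in groups.get(name, []):
        if kind == "net":
            members.append(tuple(args))
        else:
            members.extend(expand(groups, args[0], _stack + (name,)))
    return members


def nesting_depth(groups, name, _stack=()):
    """0 for a group with no group-object members, 1 per further level below it."""
    if name in _stack:
        raise ValueError("circular group reference: " + " -> ".join(_stack + (name,)))
    depth = 0
    for kind, *args in groups.get(name, []):
        if kind == "group":
            depth = max(depth, 1 + nesting_depth(groups, args[0], _stack + (name,)))
    return depth


def undefined_groups(groups):
    """Groups referenced by group-object but never defined in the parsed text."""
    referenced = {e[1] for entries in groups.values() for e in entries if e[0] == "group"}
    return sorted(referenced - set(groups))


def covers(groups, name, ip):
    """True if ip lies in any IP-literal member of the flattened group.
    Members given as name aliases cannot be resolved here and are skipped."""
    addr = ipaddress.ip_address(ip)
    for net, mask in expand(groups, name):
        try:
            network = ipaddress.ip_network(f"{net}/{mask}", strict=False)
        except ValueError:
            continue  # a 'name' alias, not an address
        if addr in network:
            return True
    return False


GROUPS = parse_object_groups(SAMPLE_CONFIG)

if __name__ == "__main__":
    for g in GROUPS:
        print(f"{g}: depth {nesting_depth(GROUPS, g)}, {len(expand(GROUPS, g))} members")
    print("undefined groups:", undefined_groups(GROUPS))
    print("192.169.223.7 in Vanco:", covers(GROUPS, "Vanco", "192.169.223.7"))
```

Running it against the post's groups shows Vanco at nesting depth 2 (Vanco -> Vanco-remote -> Hotcuisine-Vanco) with 14 flattened members, and flags BE-Peltracom as referenced but undefined in the quoted configuration. The `covers` check is the quick way to confirm that a host the exemption should apply to is really reachable through the flattened group before suspecting a nesting limit.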