NAT group-nesting problem

Unanswered Question
May 30th, 2008

Hi all,


We are having a problem with exempt-NATting using an ASA 5520.

The top rule in my NAT table was as follows:

access-list MPLSv_nat0_outbound line 1 extended permit ip object-group Vanco-remote object-group Vanco


That group is configured as follows:

object-group network Vanco
 network-object 192.168.0.0 255.255.0.0
 group-object Vanco-remote
!
object-group network Vanco-remote
 network-object BE01-Vanco 255.255.255.0
 network-object BE10 255.255.255.0
 network-object BE10-Aastra 255.255.255.0
 group-object BE-Peltracom
 network-object BE11 255.255.255.0
 group-object Hotcuisine-Vanco
 network-object BG01 255.255.192.0
 network-object PL01 255.255.192.0
 network-object 10.7.0.0 255.255.192.0
!
object-group network Hotcuisine-Vanco
 network-object US01 255.255.252.0
 network-object BE06 255.255.255.0
 network-object BE06-Aastra 255.255.255.0
 network-object BE05 255.255.255.0
 network-object BE05-Aastra 255.255.255.0
 network-object 192.169.223.0 255.255.255.0
!
object-group network Hotcuisine
 network-object 192.168.60.0 255.255.255.0
 group-object Hotcuisine-Vanco


So, group nesting is as follows:

Vanco -> Vanco-remote -> Hotcuisine-Vanco


So, while the NATting rule

access-list MPLSv_nat0_outbound line 1 extended permit ip object-group Vanco-remote object-group Vanco

DOES NOT work, the following two lines DO work:

access-list MPLSv_nat0_outbound line 1 extended permit ip object-group Vanco-remote 192.168.0.0 255.255.0.0
access-list MPLSv_nat0_outbound line 2 extended permit ip object-group Vanco-remote object-group Vanco-remote

even though group Vanco includes both 192.168.0.0 255.255.0.0 and object-group Vanco-remote.



Does anybody know an answer to this problem? Does NAT allow only 1 level of nesting?


thanks.
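As an added illustration (not part of the original post), the following Python helper parses object-group definitions of the kind shown above, reports how deep the group-object nesting goes, and expands a single `permit ip <src-group> <dst-group>` rule into per-network ACEs, which is the nesting-free form the poster found to work. The sample configuration is constructed from the post; names such as BE01-Vanco and US01 are ASA `name` aliases whose addresses the post does not give, so they are carried through as opaque strings rather than resolved.

```python
import re

# Constructed sample mirroring the poster's object-groups. Names such as BE01-Vanco
# are ASA "name" aliases whose addresses the post does not give; kept as plain strings.
ASA_CONFIG = """
object-group network Vanco
 network-object 192.168.0.0 255.255.0.0
 group-object Vanco-remote
object-group network Vanco-remote
 network-object BE01-Vanco 255.255.255.0
 group-object Hotcuisine-Vanco
 network-object 10.7.0.0 255.255.192.0
object-group network Hotcuisine-Vanco
 network-object US01 255.255.252.0
 network-object 192.169.223.0 255.255.255.0
"""

def parse_groups(text):
    """Return {group_name: [("net", "addr mask") | ("group", nested_name), ...]}."""
    groups, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if m := re.fullmatch(r"object-group network (\S+)", line):
            current = m.group(1)
            groups[current] = []
        elif m := re.fullmatch(r"network-object (\S+) (\S+)", line):
            groups[current].append(("net", f"{m.group(1)} {m.group(2)}"))
        elif m := re.fullmatch(r"group-object (\S+)", line):
            groups[current].append(("group", m.group(1)))
    return groups

def nesting_depth(groups, name):
    """Levels of group-object nesting below `name` (0 = only network-objects)."""
    subs = [v for kind, v in groups.get(name, []) if kind == "group"]
    return 0 if not subs else 1 + max(nesting_depth(groups, s) for s in subs)

def flatten(groups, name, _seen=()):
    """Expand nested group-objects recursively into one flat list of networks."""
    if name in _seen:
        raise ValueError(f"circular group nesting at {name}")
    out = []
    for kind, value in groups.get(name, []):
        out += [value] if kind == "net" else flatten(groups, value, _seen + (name,))
    return out

def flat_acl_lines(groups, acl, src_group, dst_group):
    """Rewrite one 'permit ip <src-group> <dst-group>' rule as nesting-free ACEs."""
    return [f"access-list {acl} extended permit ip {s} {d}"
            for s in flatten(groups, src_group) for d in flatten(groups, dst_group)]
```

Running `nesting_depth(parse_groups(ASA_CONFIG), "Vanco")` returns 2, i.e. Vanco sits two group-object levels above the leaf networks, while `flat_acl_lines(...)` yields the equivalent rule with no group nesting at all.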
