Hi all,
We are having a problem with exempt-NATting using an ASA 5520.
The top rule in my NAT table was as follows:
access-list MPLSv_nat0_outbound line 1 extended permit ip object-group Vanco-remote object-group Vanco
That group is configured as follows:
object-group network Vanco
network-object 192.168.0.0 255.255.0.0
group-object Vanco-remote
!
object-group network Vanco-remote
network-object BE01-Vanco 255.255.255.0
network-object BE10 255.255.255.0
network-object BE10-Aastra 255.255.255.0
group-object BE-Peltracom
network-object BE11 255.255.255.0
group-object Hotcuisine-Vanco
network-object BG01 255.255.192.0
network-object PL01 255.255.192.0
network-object 10.7.0.0 255.255.192.0
!
object-group network Hotcuisine-Vanco
network-object US01 255.255.252.0
network-object BE06 255.255.255.0
network-object BE06-Aastra 255.255.255.0
network-object BE05 255.255.255.0
network-object BE05-Aastra 255.255.255.0
network-object 192.169.223.0 255.255.255.0
!
object-group network Hotcuisine
network-object 192.168.60.0 255.255.255.0
group-object Hotcuisine-Vanco
So, group nesting is as follows:
Vanco -> Vanco-remote -> Hotcuisine-Vanco
So, while the NATting rule
access-list MPLSv_nat0_outbound line 1 extended permit ip object-group Vanco-remote object-group Vanco
DOES NOT work, the following two lines DO work:
access-list MPLSv_nat0_outbound line 1 extended permit ip object-group Vanco-remote 192.168.0.0 255.255.0.0
access-list MPLSv_nat0_outbound line 2 extended permit ip object-group Vanco-remote object-group Vanco-remote
even though group Vanco includes both 192.168.0.0 255.255.0.0 and object-group Vanco-remote.
Does anybody know an answer to this problem? Does NAT allow only 1 level of nesting?
Thanks.
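When an exemption ACE built from nested object-groups behaves unexpectedly, the first thing worth checking is what the groups actually expand to: which networks end up in the flattened set, how deep the nesting goes, and whether any group-object points at a group that is not defined at all (the config above references BE-Peltracom but never defines it). The script below is an added example, not from the original post and not Cisco tooling. It parses the object-group text exactly as pasted, flattens each group with cycle protection, and tests whether a source/destination pair falls inside a `permit ip object-group SRC object-group DST` entry. It assumes that entries such as `BE01-Vanco 255.255.255.0` refer to `name` statements that are not shown, so those are kept as unresolved labels rather than given invented addresses.

```python
"""Flatten nested Cisco ASA object-groups and test an ACE against them.

Added example (not the post's own config check). Only the literal networks
from the pasted config are used; symbolic `name` entries stay unresolved.
"""
import ipaddress
import re

# Object-group definitions copied from the post; addresses are unchanged.
ASA_CONFIG = """
object-group network Vanco
 network-object 192.168.0.0 255.255.0.0
 group-object Vanco-remote
!
object-group network Vanco-remote
 network-object BE01-Vanco 255.255.255.0
 network-object BE10 255.255.255.0
 network-object BE10-Aastra 255.255.255.0
 group-object BE-Peltracom
 network-object BE11 255.255.255.0
 group-object Hotcuisine-Vanco
 network-object BG01 255.255.192.0
 network-object PL01 255.255.192.0
 network-object 10.7.0.0 255.255.192.0
!
object-group network Hotcuisine-Vanco
 network-object US01 255.255.252.0
 network-object BE06 255.255.255.0
 network-object BE06-Aastra 255.255.255.0
 network-object BE05 255.255.255.0
 network-object BE05-Aastra 255.255.255.0
 network-object 192.169.223.0 255.255.255.0
!
object-group network Hotcuisine
 network-object 192.168.60.0 255.255.255.0
 group-object Hotcuisine-Vanco
"""

IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


def parse_object_groups(text):
    """Return {group: [("net", IPv4Network) | ("name", label) | ("group", ref)]}."""
    groups, current = {}, None
    for raw in text.splitlines():
        parts = raw.split()
        if not parts or parts[0] == "!":
            continue
        if parts[:2] == ["object-group", "network"] and len(parts) == 3:
            current = parts[2]
            groups[current] = []
        elif current is None:
            continue
        elif parts[0] == "network-object" and len(parts) == 3:
            addr, mask = parts[1], parts[2]
            if IPV4.match(addr):
                groups[current].append(("net", ipaddress.ip_network(f"{addr}/{mask}", strict=False)))
            else:
                # symbolic `name` entry whose address is not in the pasted config
                groups[current].append(("name", addr))
        elif parts[0] == "group-object" and len(parts) == 2:
            groups[current].append(("group", parts[1]))
    return groups


def flatten(groups, name, _depth=0, _seen=frozenset()):
    """Expand a group recursively.

    Returns (networks, unresolved_names, missing_groups, max_depth); max_depth is
    the number of group-object hops from the top group (0 = no nesting).
    Groups already on the current path are skipped, so a cyclic config cannot
    recurse forever.
    """
    if name in _seen:
        return [], [], [], _depth
    if name not in groups:
        return [], [], [name], _depth
    nets, names, missing, deepest = [], [], [], _depth
    for entry in groups[name]:
        if entry[0] == "net":
            nets.append(entry[1])
        elif entry[0] == "name":
            names.append(entry[1])
        else:
            n, l, m, d = flatten(groups, entry[1], _depth + 1, _seen | {name})
            nets.extend(n); names.extend(l); missing.extend(m)
            deepest = max(deepest, d)
    return nets, names, missing, deepest


def ace_matches(groups, src_group, dst_group, src_ip, dst_ip):
    """True when both addresses fall inside the flattened (numeric) members of a
    `permit ip object-group SRC object-group DST` entry."""
    src_nets = flatten(groups, src_group)[0]
    dst_nets = flatten(groups, dst_group)[0]
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    return any(s in n for n in src_nets) and any(d in n for n in dst_nets)


if __name__ == "__main__":
    g = parse_object_groups(ASA_CONFIG)
    for group in g:
        nets, names, missing, depth = flatten(g, group)
        print(f"{group}: depth {depth}, nets {sorted(map(str, set(nets)))}, "
              f"unresolved names {len(names)}, undefined groups {missing}")
    print("Vanco-remote -> Vanco  10.7.1.1 -> 192.168.5.5:",
          ace_matches(g, "Vanco-remote", "Vanco", "10.7.1.1", "192.168.5.5"))
    print("Vanco-remote -> Vanco-remote same pair:",
          ace_matches(g, "Vanco-remote", "Vanco-remote", "10.7.1.1", "192.168.5.5"))
```

Run against the pasted groups, `Vanco` expands to two hops of nesting (Vanco to Vanco-remote to Hotcuisine-Vanco), the three literal networks 192.168.0.0/16, 10.7.0.0/18 and 192.169.223.0/24, eleven names that need the box's `name` table to resolve, and one undefined group, BE-Peltracom. The two `ace_matches` calls also show why the two ACEs the post compares are not interchangeable: a 10.7.x source to a 192.168.x destination is covered by the `Vanco-remote -> Vanco` form but not by `Vanco-remote -> Vanco-remote`.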