ASA (policy) NAT help

Unanswered Question
May 8th, 2009

Hi,

I think this might be a policy NAT that is required, but I have never tried this before.

On our LAN we have a subnet 192.168.100.x/24 and this needs to get to an IP range of 10.100.0.32/27, which is a remote company network. The thing is, they also have a network on 192.168.100.x/24, so I want 192.168.100.x/24 to be NAT'ed to 192.168.90.0/24 only if going to this network.

Possible?

whiteford Fri, 05/08/2009 - 02:50

Do you have an example of this.

Inside range he is on is

192.168.100.x/24 and he needs to get to 10.100.0.32/27

I want him to be seen as 192.168.90.x/24 or 192.168.90.240 if easier?

Thanks

handsy Fri, 05/08/2009 - 03:26

access-list policy_NAT permit ip 192.168.100.0 255.255.255.0 host 10.100.0.32

static (inside,outside) 192.168.90.240 access-list policy_NAT

If there is a match in the ACL 'policy_NAT' then the 192.168.100.x address will be translated to 192.168.90.240

whiteford Fri, 05/08/2009 - 04:00

hi,

When adding "static (inside,outside) 192.168.90.240 access-list policy_NAT"

I seem to get the error:

global address overlaps with mask

handsy Fri, 05/08/2009 - 04:10

Use NAT instead:

access-list policy_NAT permit ip 192.168.100.0 255.255.255.0 host 10.100.0.32

global (outside) 1 192.168.90.240

nat (inside) 1 access-list policy_NAT

handsy Fri, 05/08/2009 - 04:20

Yes, just take out :

host 10.100.0.32

and replace with

10.100.0.32 255.255.255.224

whiteford Fri, 05/08/2009 - 04:34

Tried this but it didn't work. This is my fault: the interface where this network lives is off an interface on the ASA called "DMZ3":

access-list policy-nat-2 permit ip 192.168.100.0 255.255.255.0 10.100.0.32 255.255.255.224

global (outside) 2 192.168.90.240

nat (inside) 2 access-list policy-nat-2

handsy Fri, 05/08/2009 - 04:43

You need to detail the error, or why you say it didn't work.

Have you forced the connection from the 192.168.100.0/24 to the 10.100.0.32/27 network?

Does 'show xla' give you a translation?

whiteford Fri, 05/08/2009 - 04:50

Sorry that was very brief of me.

I have added this as you know:

access-list policy-nat-2 permit ip 192.168.100.0 255.255.255.0 10.100.0.32 255.255.255.224

global (outside) 2 192.168.90.240

nat (inside) 2 access-list policy-nat-2

The 192.168.100.x is on the inside and 10.100.0.32/27 is on the DMZ3 interface on the ASA, which is where this WAN to the remote network is installed.

Let me look at the NAT translations.

whiteford Fri, 05/08/2009 - 05:06

I didn't see any translations:

Does this look ok to you guys, sorry for all the silly confusion I have created.

access-list policy-nat-2 permit ip 192.168.100.0 255.255.255.0 10.100.0.32 255.255.255.224

global (outside) 2 192.168.90.240

nat (DMZ3) 2 access-list policy-nat-2

I went to the PC with 192.168.100.x and pinged 10.100.0.61, which I know is live, and got a request timeout.

whiteford Fri, 05/08/2009 - 05:25

192.168.90.x can ping 10.100.0.32/27 as I'm pinging from that subnet.

I guess they will just send replies to 192.168.90.240 that translates to 192.168.100.x?

Is this static NAT better than a policy NAT?

handsy Fri, 05/08/2009 - 05:33

I think you have your bracketed interfaces the wrong way round for global and nat.

global (DMZ3)

nat (inside)

whiteford Fri, 05/08/2009 - 07:18

Sadly, I couldn't get this to work:

I tried these 2 configs:

1.)

access-list policy-nat-2 permit ip 192.168.100.0 255.255.255.0 10.100.0.32 255.255.255.224

global (DMZ3) 2 192.168.90.240

nat (outside) 2 access-list policy-nat-2

When I do a packet trace I get a drop:

packet-tracer input inside icmp 192.168.100.32 0 1 1 10.100$

Phase: 1

Type: FLOW-LOOKUP

Subtype:

Result: ALLOW

Config:

Additional Information:

Found no matching flow, creating a new flow

Phase: 2

Type: ROUTE-LOOKUP

Subtype: input

Result: ALLOW

Config:

Additional Information:

in Remotesvr_Servers 255.255.255.224 DMZ3

Phase: 3

Type: ROUTE-LOOKUP

Subtype: input

Result: ALLOW

Config:

Additional Information:

in VLAN100 255.255.255.0 inside

Phase: 4

Type: ACCESS-LIST

Subtype: log

Result: ALLOW

Config:

access-group inside_access_in in interface inside

access-list inside_access_in extended permit icmp any any

Additional Information:

Phase: 5

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 6

Type: INSPECT

Subtype: np-inspect

Result: ALLOW

Config:

class-map inspection_default

match default-inspection-traffic

policy-map global_policy

class inspection_default

inspect icmp

service-policy global_policy global

Additional Information:

Phase: 7

Type: INSPECT

Subtype: np-inspect

Result: ALLOW

Config:

Additional Information:

Phase: 8

Type: NAT

Subtype:

Result: DROP

Config:

nat (inside) 1 0.0.0.0 0.0.0.0

nat-control

match ip inside any DMZ3 any

dynamic translation to pool 1 (No matching global)

translate_hits = 137, untranslate_hits = 0

Additional Information:

Result:

input-interface: inside

input-status: up

input-line-status: up

output-interface: inside

output-status: up

output-line-status: up

Action: drop

Drop-reason: (acl-drop) Flow is denied by configured rule

2.)

access-list inside_outbound_nat0_acl extended permit ip 192.168.100.0 255.255.255.0 10.100.0.32 255.255.255.224

access-list policy-nat-2 extended permit ip 192.168.100.0 255.255.255.0 10.100.0.32 255.255.255.224

static (inside,DMZ3) 192.168.90.240 access-list policy-nat-2

On this one I get the error "global address overlaps with mask"

access-list policy-nat-2 permit ip 192.168.100.0 255.255.255.0 10.100.0.32 255.255.255.224

global (DMZ3) 2 192.168.90.240

nat (outside) 2 access-list policy-nat-2

This will not work, as you are trying to perform PAT in a static 1:1 config; not possible.

use:-

access-list policy-nat-2 permit ip 192.168.100.0 255.255.255.0 10.100.0.32 255.255.255.224

global (DMZ3) 2 192.168.90.0

nat (outside) 2 access-list policy-nat-2

or

access-list policy-nat-2 permit ip host 192.168.100.x 10.100.0.32 255.255.255.224

global (DMZ3) 2 192.168.90.240

nat (outside) 2 access-list policy-nat-2
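Added example (not part of the thread and not a Cisco tool): a small Python parser for packet-tracer output in the format shown above. It splits the trace into its Phase blocks and the closing Result block, returns the first phase whose Result is DROP, and, for a NAT-phase drop that says "No matching global", reads the pool id and the egress interface out of the "match ip ..." line, which is exactly the (interface, id) pair a `global` statement would have to supply. The sample trace is constructed from the output posted above (phases 1, 4 and 8 plus the Result block, with the forum's extra blank lines removed); the function names are my own.

```python
import re

# Constructed sample: the packet-tracer output posted in this thread, trimmed
# to phases 1, 4 and 8 plus the closing Result block.
SAMPLE_TRACE = """\
Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside_access_in in interface inside
access-list inside_access_in extended permit icmp any any
Additional Information:

Phase: 8
Type: NAT
Subtype:
Result: DROP
Config:
nat (inside) 1 0.0.0.0 0.0.0.0
  nat-control
  match ip inside any DMZ3 any
    dynamic translation to pool 1 (No matching global)
    translate_hits = 137, untranslate_hits = 0
Additional Information:

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

_PHASE_KEYS = ("Type", "Subtype", "Result")


def parse_packet_tracer(text):
    """Split packet-tracer output into a list of phase dicts and the summary block."""
    phases, summary = [], {}
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = [ln.rstrip() for ln in block.splitlines() if ln.strip()]
        head = lines[0]
        if head.startswith("Phase:"):
            phase = {"phase": int(head.split(":", 1)[1]), "config": [], "info": []}
            section = None
            for ln in lines[1:]:
                key, sep, val = ln.partition(":")
                if sep and key in _PHASE_KEYS:
                    phase[key.lower()] = val.strip()
                elif ln.startswith("Config:"):
                    section = "config"
                elif ln.startswith("Additional Information:"):
                    section = "info"
                elif section:
                    phase[section].append(ln.strip())
            phases.append(phase)
        elif head.startswith("Result:"):
            # Closing block: "input-interface: inside", "Action: drop", "Drop-reason: ..."
            for ln in lines[1:]:
                key, sep, val = ln.partition(":")
                if sep:
                    summary[key.strip().lower()] = val.strip()
    return {"phases": phases, "summary": summary}


def first_drop(trace):
    """Return the first phase whose Result is DROP, or None if the packet was allowed."""
    return next((p for p in trace["phases"] if p.get("result") == "DROP"), None)


def missing_global(trace):
    """For a NAT-phase drop caused by 'No matching global', return the pool id and the
    egress interface that a matching 'global (<egress>) <id> ...' would need to cover."""
    drop = first_drop(trace)
    if drop is None or drop.get("type") != "NAT":
        return None
    pool = egress = None
    for ln in drop["config"]:
        m = re.search(r"dynamic translation to pool (\d+) \(No matching global\)", ln)
        if m:
            pool = int(m.group(1))
        if ln.startswith("match ip "):
            # "match ip <in> any <out> any" or "match ip <in> <net> <mask> <out> <net> <mask>"
            t = ln.split()
            egress = t[4] if t[3] == "any" else t[5]
    if pool is None or egress is None:
        return None
    return {"nat_id": pool, "egress": egress,
            "fix": "global (%s) %d <address|range>" % (egress, pool)}


if __name__ == "__main__":
    trace = parse_packet_tracer(SAMPLE_TRACE)
    print("first drop:", first_drop(trace))
    print("summary:", trace["summary"])
    print("missing global:", missing_global(trace))
```

Run it against a saved `packet-tracer` transcript to get the phase that dropped the packet without reading the whole trace; for the trace above it points at pool 1 on DMZ3, i.e. the catch-all `nat (inside) 1` was matched and there is no `global (DMZ3) 1`.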

whiteford Fri, 05/08/2009 - 07:39

Tried those 2 examples of yours and tried the packet trace again:

Phase: 8

Type: NAT

Subtype:

Result: DROP

Config:

nat (inside) 1 0.0.0.0 0.0.0.0

nat-control

match ip inside any DMZ3 any

dynamic translation to pool 1 (No matching global)

translate_hits = 145, untranslate_hits = 0

Additional Information:

whiteford Fri, 05/08/2009 - 08:00

I have removed the config that I am trying, but here is some of it (need anything else?). I've had to hide some bits:

interface GigabitEthernet0/0

nameif outside

security-level 0

ip address *.*.*.* 255.255.255.224

ospf cost 10

!

interface GigabitEthernet0/1

nameif inside

security-level 100

ip address *.*.*.* 255.255.0.0

ospf cost 10

!

interface GigabitEthernet0/2

no nameif

no security-level

no ip address

!

interface GigabitEthernet0/2.4

vlan 4

nameif DMZ2_Network

security-level 15

ip address 192.168.1.1 255.255.255.0

ospf cost 10

!

interface GigabitEthernet0/2.6

vlan 6

nameif DMZ1_Servers

security-level 10

ip address 172.24.0.100 255.255.255.0

ospf cost 10

!

interface GigabitEthernet0/2.7

vlan 7

nameif DMZ3

security-level 25

ip address 192.168.2.1 255.255.255.0

ospf cost 10

!

interface GigabitEthernet0/2.9

vlan 9

nameif DMZ6_WAN

security-level 35

ip address 172.30.0.4 255.255.255.0

ospf cost 10

!

interface GigabitEthernet0/2.10

vlan 10

nameif DMZ10_Servers

security-level 25

ip address 192.168.15.1 255.255.255.224

ospf cost 10

!

interface GigabitEthernet0/2.300

vlan 300

nameif DMZ4

security-level 20

ip address 172.25.1.1 255.255.255.0

ospf cost 10

!

interface GigabitEthernet0/3

description LAN/STATE Failover Interface

static (inside,outside) udp interface 9996 SVR06 9996 netmask 255.255.255.255

static (inside,outside) *.*.*.* SVR10 netmask 255.255.255.255

static (inside,outside) DMZ6-172.30.0.0 access-list policy-nat

static (DMZ10_Servers,outside) *.*.*.* SVR05_NEW netmask 255.255.255.255

static (inside,outside) *.*.*.* 192.168.25.42 netmask 255.255.255.255

nat-control

nat (outside) 1 Office1 255.255.255.0

nat (inside) 0 access-list inside_outbound_nat0_acl

nat (inside) 1 0.0.0.0 0.0.0.0

nat (DMZ2_Network) 0 access-list DMZ2_nat0_outbound

nat (DMZ2_Network) 1 0.0.0.0 0.0.0.0

nat (DMZ1_Servers) 0 access-list DMZ1_Servers_nat0_outbound

nat (DMZ1_Servers) 0 access-list DMZ_inbound_nat0_acl outside

nat (DMZ1_Servers) 1 0.0.0.0 0.0.0.0

nat (DMZ3) 0 access-list DMZ3_nat0_outbound

nat (DMZ3) 1 0.0.0.0 0.0.0.0

nat (DMZ6_WAN) 0 access-list DMZ6_WAN_nat0_outbound

nat (DMZ6_WAN) 1 0.0.0.0 0.0.0.0

nat (DMZ10_Servers) 0 access-list DMZ10_Servers_nat0_outbound

nat (DMZ10_Servers) 1 0.0.0.0 0.0.0.0

nat (DMZ4) 0 access-list DMZ4_outbound_nat0_acl

nat (DMZ4) 1 0.0.0.0 0.0.0.0

static (inside,outside) DMZ6-172.30.0.0 access-list policy-nat

no crypto isakmp nat-traversal
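Added example (not part of the thread and not Cisco code): a Python model of how an ASA running pre-8.3 software picks a dynamic NAT rule for a new flow, run over the addresses and `nat`/`global` lines posted in this thread. The order modelled is NAT exemption (`nat (ifc) 0 access-list`), then policy dynamic NAT (`nat (ifc) id access-list`), then regular dynamic NAT (`nat (ifc) id net mask`); a matched `nat` id is then looked up as `global (<egress>) id` on the outgoing interface, and a missing global is a drop, as the packet-tracer output above shows. Static translations are not modelled, every global pool is a single address treated as PAT, and the empty contents of `inside_outbound_nat0_acl` and the outside PAT address 203.0.113.1 are placeholders, since the posted config does not show them. The scenarios show the posted config dropping the flow, the same policy ACL working once its `nat` is on the ingress interface and its `global` on DMZ3, the `nat (outside)` variant falling through to the catch-all, and a `nat 0` exemption for the same source/destination pair silently winning over the policy NAT.

```python
import ipaddress
from copy import deepcopy

# Constructed from the configuration and addresses posted in the thread. The nat 0
# ACL body and the outside global address are placeholders (not shown on the page).
BASE = {
    "acls": {
        "inside_outbound_nat0_acl": [],                               # assumed empty
        "policy-nat-2": [("192.168.100.0/24", "10.100.0.32/27")],
    },
    "nat0": [("inside", "inside_outbound_nat0_acl")],                  # nat (ifc) 0 access-list ACL
    "policy_nat": [],                                                  # nat (ifc) id access-list ACL
    "dynamic_nat": [("inside", 1, "0.0.0.0/0")],                       # nat (ifc) id net mask
    "globals": {("outside", 1): "203.0.113.1"},                        # global (ifc) id address (assumed)
    "nat_control": True,
}


def _acl_hit(acl, src, dst):
    """True if (src, dst) matches any permit entry of an ACL given as (src_net, dst_net) pairs."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in ipaddress.ip_network(sn) and d in ipaddress.ip_network(dn) for sn, dn in acl)


def _apply_global(cfg, egress, nat_id, src, rule):
    """Resolve a matched nat id against the global pools of the egress interface."""
    pool = cfg["globals"].get((egress, nat_id))
    if pool is None:
        return {"action": "drop", "source": src, "rule": rule,
                "reason": "dynamic translation to pool %d (No matching global) on %s" % (nat_id, egress)}
    return {"action": "translate", "source": pool, "rule": rule, "kind": "PAT"}


def translate(cfg, ingress, egress, src, dst):
    """Pick the NAT rule a pre-8.3 ASA would apply to a new flow (statics not modelled)."""
    acls = cfg["acls"]
    # 1. NAT exemption: matched traffic keeps its real address, nothing else is consulted.
    for ifc, acl in cfg["nat0"]:
        if ifc == ingress and _acl_hit(acls[acl], src, dst):
            return {"action": "exempt", "source": src, "rule": "nat (%s) 0 access-list %s" % (ifc, acl)}
    # 2. Policy dynamic NAT: the nat statement must sit on the ingress interface.
    for ifc, nat_id, acl in cfg["policy_nat"]:
        if ifc == ingress and _acl_hit(acls[acl], src, dst):
            return _apply_global(cfg, egress, nat_id, src, "nat (%s) %d access-list %s" % (ifc, nat_id, acl))
    # 3. Regular dynamic NAT, e.g. the catch-all nat (inside) 1 0.0.0.0 0.0.0.0.
    for ifc, nat_id, net in cfg["dynamic_nat"]:
        if ifc == ingress and ipaddress.ip_address(src) in ipaddress.ip_network(net):
            return _apply_global(cfg, egress, nat_id, src, "nat (%s) %d %s" % (ifc, nat_id, net))
    # 4. No rule at all: nat-control drops it, otherwise it passes untranslated.
    if cfg["nat_control"]:
        return {"action": "drop", "source": src, "rule": None, "reason": "nat-control: no NAT rule for this flow"}
    return {"action": "pass", "source": src, "rule": None}


def scenarios():
    """The configurations tried in the thread, evaluated for 192.168.100.32 -> 10.100.0.61 via DMZ3."""
    flow = ("inside", "DMZ3", "192.168.100.32", "10.100.0.61")
    out = {"as_posted": translate(BASE, *flow)}

    fixed = deepcopy(BASE)                                   # nat on ingress, global on egress
    fixed["policy_nat"].append(("inside", 2, "policy-nat-2"))
    fixed["globals"][("DMZ3", 2)] = "192.168.90.240"
    out["policy_nat_on_egress"] = translate(fixed, *flow)
    out["other_destination"] = translate(fixed, "inside", "outside", "192.168.100.32", "198.51.100.5")

    wrong = deepcopy(BASE)                                   # nat (outside) 2 ... as tried above
    wrong["policy_nat"].append(("outside", 2, "policy-nat-2"))
    wrong["globals"][("DMZ3", 2)] = "192.168.90.240"
    out["nat_on_wrong_interface"] = translate(wrong, *flow)

    shadowed = deepcopy(fixed)                               # nat 0 ACL covering the same pair
    shadowed["acls"]["inside_outbound_nat0_acl"].append(("192.168.100.0/24", "10.100.0.32/27"))
    out["nat0_exemption_wins"] = translate(shadowed, *flow)
    return out


if __name__ == "__main__":
    for name, result in scenarios().items():
        print("%-24s %s" % (name, result))
```

The model keeps the two conditions that this thread kept tripping over visible in one place: the `nat` line is selected by ingress interface and the `global` line by egress interface, so `nat (inside) 2 access-list policy-nat-2` needs `global (DMZ3) 2 192.168.90.240` here, and a `nat 0` exemption that also matches 192.168.100.0/24 to 10.100.0.32/27 is evaluated first and leaves the overlapping source address untranslated.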
