1272 Views | 0 Helpful | 24 Replies

ASA (policy) NAT help

whiteford (Level 1)

Hi,

I think this might be a policy NAT that is required, but I have never tried this before.

On our LAN we have a subnet 192.168.100.x/24 and this needs to get to an IP range of 10.100.0.32/27, which is a remote company network. The thing is they also have a network on 192.168.100.x/24, so I want 192.168.100.x/24 to be NAT'ed to 192.168.90.0/24 only if going to this network.

Possible?

24 Replies

andrew.prince (Level 10)

Yes this is possible - you need to use PolicyBased NAT

HTH

Do you have an example of this?

The inside range he is on is

192.168.100.x/24 and he needs to get to 10.100.0.32/27

I want him to be seen as 192.168.90.x/24 or 192.168.90.240 if easier?

Thanks

The config would be something like:-

access-list <> extended permit ip <> <

static (inside,outside) <> access-list <>

HTH

access-list policy_NAT permit ip 192.168.100.0 255.255.255.0 host 10.100.0.32

static (inside,outside) 192.168.90.240 access-list policy_NAT

If there is a match in the ACL 'policy_NAT' then the 192.168.100.x address will be translated to 192.168.90.240

Hi,

When adding "static (inside,outside) 192.168.90.240 access-list policy_NAT"

I seem to get the error:

global address overlaps with mask

Check your ACL.

Use NAT instead:

access-list policy_NAT permit ip 192.168.100.0 255.255.255.0 host 10.100.0.32

global (outside) 1 192.168.90.240

nat (inside) 1 access-list policy_NAT

Can host 10.100.0.32 be a range 10.100.0.32/27 ?

Yes

Yes, just take out :

host 10.100.0.32

and replace with

10.100.0.32 255.255.255.224

Tried this but it didn't work. This is my fault: the interface where this network lives is off an interface on the ASA called "DMZ3":

access-list policy-nat-2 permit ip 192.168.100.0 255.255.255.0 10.100.0.32 255.255.255.224

global (outside) 2 192.168.90.240

nat (inside) 2 access-list policy-nat-2

You need to detail the error, or why you say it didn't work.

Have you forced the connection from the 192.168.100.0/24 to the 10.100.0.32/27 network?

Does 'show xla' give you a translation?

Sorry that was very brief of me.

I have added this as you know:

access-list policy-nat-2 permit ip 192.168.100.0 255.255.255.0 10.100.0.32 255.255.255.224

global (outside) 2 192.168.90.240

nat (inside) 2 access-list policy-nat-2

The 192.168.100.x is on the inside and 10.100.0.32/27 is on the DMZ3 interface on the ASA, which is where this WAN to the remote network is installed.

Let me look at the NAT translations.

Then you need to change nat (<>) 2 access-list policy-nat-2
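The following is an added example configuration, not posted by anyone in this thread, that shows the pre-8.3 (nat/global) policy NAT with the pool placed on the egress interface. It reuses the ACL name, NAT ID 2 and the interface name DMZ3 from the thread; the /24 pool variant is an assumption about what "seen as 192.168.90.x/24" would need, not something the thread confirms.

```cisco
! Policy NAT: inside 192.168.100.0/24 -> remote 10.100.0.32/27, reached via DMZ3.
! The ACL decides exactly which traffic is translated; keep the destination
! narrow (the /27 only) so the rest of the inside subnet's traffic is untouched.
access-list policy-nat-2 extended permit ip 192.168.100.0 255.255.255.0 10.100.0.32 255.255.255.224

! The nat statement belongs on the interface where the traffic enters (inside).
nat (inside) 2 access-list policy-nat-2

! The global pool must be defined on the interface the traffic exits. Here the
! remote network sits behind DMZ3, so "global (outside)" never matches this flow.
! A single address gives many-to-one PAT behind 192.168.90.240.
global (DMZ3) 2 192.168.90.240

! Assumed alternative (not from the thread): a dynamic one-to-one pool so the
! remote side sees individual 192.168.90.x hosts instead of one PAT address.
! global (DMZ3) 2 192.168.90.1-192.168.90.254 netmask 255.255.255.0

! Verification after sending traffic from 192.168.100.0/24 to 10.100.0.32/27:
! show access-list policy-nat-2   (hit counts increment on a match)
! show xlate                      (a translation to 192.168.90.240 appears)
```

Only one of the two global lines should be active for NAT ID 2; if the pool variant is used, note that pool addresses are consumed per inside host, and a pool smaller than the number of active hosts will exhaust, so a PAT fallback address is commonly configured alongside it.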
