NAT help with overlapping network

jamesgonzo
Level 1

Hi,

I have a Pix515 with a WAN link to a remote office. The Pix has an Ethernet port that plugs into a 3550 switch which is set as a trunk. The WAN router is plugged into VLAN 7 (subinterface).

My LAN is on 192.168.3.x/24 and I need to have it translated to something else before it gets to the remote WAN (10.100.0.32/27), as they have this LAN used elsewhere. Can I get the Pix to NAT my LAN to something else like 192.168.90.x/24?

Pix config is attached

Thanks

5 Replies

JORGE RODRIGUEZ
Level 10

Yes, you can NAT to something else using policy NAT.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00808c9950.shtml

Just follow the link above. Your NAT exempt ACL would look something like:

access-list Inside_nat0_outbound extended permit ip 192.168.90.0 255.255.255.0

access-list policy-nat extended permit ip 192.168.3.0 255.255.255.0

static (inside,outside) 192.168.90.0 access-list policy-nat

The other end of the tunnel will also have to permit 192.168.90.0/24 in their tunnel policy.

Regards

Jorge Rodriguez

James, are your requirements resolved with the policy NAT suggestions? Please let us know so we can assist you further if there are problems.

Regards

Jorge Rodriguez

Hi!

I've been waiting all night and day for an email notification for this post and only just got it :(

Your example looks great; however, I won't be able to do it until tomorrow. Can't wait! I will update you.

I have never managed to get NAT to work like this, although I have between two routers.

Hi there,

I don't think this worked for me. I can still ping 10.100.0.61, but I just think it's because I'm not getting NAT'ed, so everything is the same.

All I added was:

access-list Inside_nat0_outbound extended permit ip 192.168.3.0 255.255.255.0 10.100.0.32 255.255.255.224

access-list policy-nat extended permit ip 192.168.3.0 255.255.255.0 10.100.0.32 255.255.255.252

I didn't add the last line you mentioned though, as this isn't a VPN, just a serial-connected WAN.

I have attached some more info; the Pix/ASA config in the attachment doesn't have the 2 lines above, btw.

When I pinged 10.100.0.61 from my laptop on 192.168.3.x I wasn't sure what NAT debug commands I could use, so I simply ran "sh nat":

mypix# sh nat

NAT policies on Interface Inside:
  match ip Inside 192.168.3.0 255.255.255.0 Outside 10.100.0.32 255.255.255.224
    NAT exempt
    translate_hits = 0, untranslate_hits = 0
  match ip Inside 192.168.3.0 255.255.255.0 Outside 192.168.2.0 255.255.255.0
    NAT exempt
    translate_hits = 0, untranslate_hits = 0
  match ip Inside 192.168.3.0 255.255.255.0 Outside 172.16.1.0 255.255.255.252
    NAT exempt
    translate_hits = 0, untranslate_hits = 0
  match ip Inside 192.168.90.0 255.255.255.0 Outside 10.100.0.32 255.255.255.224
    NAT exempt
    translate_hits = 0, untranslate_hits = 0
  match ip Inside 192.168.3.0 255.255.255.0 Inside 10.100.0.32 255.255.255.224
    NAT exempt
    translate_hits = 0, untranslate_hits = 0
  match ip Inside 192.168.3.0 255.255.255.0 Inside 192.168.2.0 255.255.255.0
    NAT exempt
    translate_hits = 0, untranslate_hits = 0
  match ip Inside 192.168.3.0 255.255.255.0 Inside 172.16.1.0 255.255.255.252
    NAT exempt
    translate_hits = 0, untranslate_hits = 0
  match ip Inside 192.168.90.0 255.255.255.0 Inside 10.100.0.32 255.255.255.224
    NAT exempt
    translate_hits = 0, untranslate_hits = 0
  match ip Inside 192.168.3.0 255.255.255.0 DMZ3 10.100.0.32 255.255.255.224
    NAT exempt
    translate_hits = 1, untranslate_hits = 1
  match ip Inside 192.168.3.0 255.255.255.0 DMZ3 192.168.2.0 255.255.255.0
    NAT exempt
    translate_hits = 0, untranslate_hits = 0
  match ip Inside 192.168.3.0 255.255.255.0 DMZ3 172.16.1.0 255.255.255.252
    NAT exempt
    translate_hits = 0, untranslate_hits = 0
  match ip Inside 192.168.90.0 255.255.255.0 DMZ3 10.100.0.32 255.255.255.224
    NAT exempt
    translate_hits = 0, untranslate_hits = 0
  match ip Inside 192.168.3.0 255.255.255.0 Outside 10.100.0.32 255.255.255.252
    static translation to 192.168.90.0
    translate_hits = 0, untranslate_hits = 0
  match ip Inside any Outside any
    dynamic translation to pool 1 (10.0.0.1 [Interface PAT])
    translate_hits = 0, untranslate_hits = 0
  match ip Inside any Inside any
    dynamic translation to pool 1 (No matching global)
    translate_hits = 0, untranslate_hits = 0
  match ip Inside any DMZ3 any
    dynamic translation to pool 1 (No matching global)
    translate_hits = 0, untranslate_hits = 0
  match ip Inside any Outside any
    no translation group, implicit deny
    policy_hits = 0
  match ip Inside any DMZ3 any
    no translation group, implicit deny
    policy_hits = 0

NAT policies on Interface DMZ3:
  match ip DMZ3 10.100.0.32 255.255.255.224 Outside 192.168.3.0 255.255.255.0
    NAT exempt
    translate_hits = 0, untranslate_hits = 0
  match ip DMZ3 192.168.2.0 255.255.255.0 Outside 192.168.3.0 255.255.255.0
    NAT exempt
    translate_hits = 0, untranslate_hits = 0
  match ip DMZ3 10.100.0.32 255.255.255.224 DMZ3 192.168.3.0 255.255.255.0
    NAT exempt
    translate_hits = 0, untranslate_hits = 0
  match ip DMZ3 192.168.2.0 255.255.255.0 DMZ3 192.168.3.0 255.255.255.0
    NAT exempt
    translate_hits = 0, untranslate_hits = 0
  match ip DMZ3 any Outside any
    no translation group, implicit deny
    policy_hits = 0
mypix#

Hope this helps
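The "sh nat" output above actually shows where the ping went. The only counter that moved is the NAT exempt entry for Inside 192.168.3.0/24 to DMZ3 10.100.0.32/27 (translate_hits = 1), while the "static translation to 192.168.90.0" entry is bound to the Outside interface, carries a /30 destination (10.100.0.32 255.255.255.252, which does not contain 10.100.0.61) and shows 0 hits. A PIX/ASA 7.x evaluates NAT exemption (nat 0 access-list) before static policy NAT, so as long as the nat0 ACL still covers 192.168.3.0/24 to 10.100.0.32/27 the policy static that Jorge's reply describes never gets a chance to apply. The Python model below of that lookup order is an added example, not code from the original post or from Cisco. It assumes DMZ3 is the interface facing the WAN router (inferred from the hit counter), uses constructed addresses 192.168.3.10 and 10.100.0.61 as the test packet, and carries the corrected PIX commands it is built from as comments.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Added example: a small model of PIX/ASA 7.x NAT rule selection.
# Order the firewall uses for an outbound packet: NAT exemption
# (nat 0 access-list) first, then static policy NAT (static ... access-list).
PRECEDENCE = {"exempt": 0, "static": 1}


def net(cidr: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(cidr, strict=False)


@dataclass(frozen=True)
class NatRule:
    kind: str                                   # "exempt" or "static"
    real_if: str                                # interface the real host sits behind
    mapped_if: str                              # egress interface the rule applies to
    real_net: ipaddress.IPv4Network             # ACL source (real addresses)
    dest_net: ipaddress.IPv4Network             # ACL destination
    mapped_net: Optional[ipaddress.IPv4Network] = None  # translated source, static only


def lookup(rules, ingress, egress, src_ip, dst_ip) -> Optional[NatRule]:
    """Return the first rule matching the packet, in PIX precedence order."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for rule in sorted(rules, key=lambda r: PRECEDENCE[r.kind]):  # stable sort
        if (rule.real_if == ingress and rule.mapped_if == egress
                and src in rule.real_net and dst in rule.dest_net):
            return rule
    return None


def translate(rules, ingress, egress, src_ip, dst_ip):
    """Return (outcome, source address as it leaves the egress interface)."""
    rule = lookup(rules, ingress, egress, src_ip, dst_ip)
    if rule is None:
        return ("no-match", src_ip)
    if rule.kind == "exempt":
        return ("exempt", src_ip)            # leaves untranslated
    # Net-to-net static keeps the host part and swaps the network part.
    offset = int(ipaddress.ip_address(src_ip)) - int(rule.real_net.network_address)
    return ("static", str(rule.mapped_net.network_address + offset))


# Rules as posted (only the entries relevant to 192.168.3.x -> 10.100.0.32/27).
# nat (Inside) 0 access-list Inside_nat0_outbound applies on every egress interface,
# which is why "sh nat" lists the same exempt entry for Outside, Inside and DMZ3.
AS_POSTED = [
    # access-list Inside_nat0_outbound extended permit ip 192.168.3.0 255.255.255.0 10.100.0.32 255.255.255.224
    NatRule("exempt", "Inside", "DMZ3", net("192.168.3.0/24"), net("10.100.0.32/27")),
    NatRule("exempt", "Inside", "Outside", net("192.168.3.0/24"), net("10.100.0.32/27")),
    # access-list policy-nat extended permit ip 192.168.3.0 255.255.255.0 10.100.0.32 255.255.255.252
    # static (inside,outside) 192.168.90.0 access-list policy-nat
    NatRule("static", "Inside", "Outside", net("192.168.3.0/24"), net("10.100.0.32/30"),
            net("192.168.90.0/24")),
]

# Corrected rules (assumption: DMZ3 faces the WAN router):
#   no access-list Inside_nat0_outbound extended permit ip 192.168.3.0 255.255.255.0 10.100.0.32 255.255.255.224
#   access-list policy-nat extended permit ip 192.168.3.0 255.255.255.0 10.100.0.32 255.255.255.224
#   static (Inside,DMZ3) 192.168.90.0 access-list policy-nat
CORRECTED = [
    # an unrelated exemption from the posted config, kept to show it still wins for its own traffic
    NatRule("exempt", "Inside", "DMZ3", net("192.168.3.0/24"), net("192.168.2.0/24")),
    NatRule("static", "Inside", "DMZ3", net("192.168.3.0/24"), net("10.100.0.32/27"),
            net("192.168.90.0/24")),
]

# Posted rules with the exemption removed but the /30 and Outside binding left alone.
POSTED_WITHOUT_EXEMPT = [r for r in AS_POSTED if r.kind != "exempt"]


if __name__ == "__main__":
    pkt = ("Inside", "DMZ3", "192.168.3.10", "10.100.0.61")   # constructed test packet
    print("as posted:              ", translate(AS_POSTED, *pkt))
    print("exemption removed only: ", translate(POSTED_WITHOUT_EXEMPT, *pkt))
    print("corrected:              ", translate(CORRECTED, *pkt))
```

The model reproduces the counters: with the posted rules the packet is exempted and leaves as 192.168.3.10; removing the exemption alone still gives no translation, because the static is bound to Outside rather than DMZ3 and its /30 destination stops at 10.100.0.35; only the corrected static on (Inside,DMZ3) with the /27 destination yields 192.168.90.10. On a real PIX, run clear xlate after changing NAT so existing exempt translations are dropped, and since this is a plain serial WAN rather than a VPN, the remote side needs a route for 192.168.90.0/24 back across the WAN for the return traffic.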

Hi,

I just wondered if you might be able to have a quick look at why my NAT isn't working?

Many thanks
