
Issues with source NAT configuration in VNMC

koushik1234
Level 1

Before coming to the questions/doubts, let me explain the ASA 1000v setup that I have.

ASA 1000v

- inside interface with IP 10.1.1.1 (attached to a network with subnet 10.1.1.0/24 and VLAN 515)

- outside interface with IP 10.147.30.236 (attached to a network with subnet 10.147.30.0/24 and VLAN 30)

On the ASA, running ‘show route’ outputs the following:

C             10.1.1.0 255.255.255.0 is directly connected, esp-in

C             10.147.28.0 255.255.255.0 is directly connected, management

C             10.147.30.0 255.255.255.0 is directly connected, esp-out

S*           0.0.0.0 0.0.0.0 [1/0] via 10.147.30.1 via esp-out

On VNMC I created an edge firewall with the inside interface as ‘esp_in’ (10.1.1.1) and the outside as ‘esp_out’ (10.147.30.236).

Now I want to configure the following scenarios through VNMC:

1. Source NAT: 10.1.1.0/24 -> 10.147.30.236. While trying to configure this, I see the following error in VNMC:

ERROR: Executing CLI returned error message: object network pe_internal_net_obj_range_10.1.1.2_10.1.1.254;range 10.1.1.2

10.1.1.254;object-group network NSONOg:source-nat:source-nat-rule@esp-out;network-object object

pe_internal_net_obj_range_10.1.1.2_10.1.1.254;nat (esp-out,any) 1 source static NSONOg: source-nat:source-nat-rule@esp-out interface;

ERROR:  interface keyword is not allowed when translated interface is any;

2. I created another NAT rule from 10.1.1.0/24 -> 10.147.30.237. I also created an ACL rule for allowing outbound SSH traffic. This was working for me initially, and I was able to SSH from a VM attached to subnet 10.1.1.0/24 to an outside VM. But after I did a re-assign with the same ASA appliance, this stopped working and there was a configuration error:

ERROR: Executing CLI returned error message: service-policy mpf-sp0001 interface sp0001;         ^;ERROR: % Invalid input detected at ^ marker;

ERROR: Executing CLI returned error message: service-policy mpf-esp-out interface esp-out;     ^;ERROR: % Invalid input detected at ^ marker;

Version details

VNMC 2.0

ASA 1000v version

Cisco Adaptive Security Appliance Software Version 8.7(1)1

Device Manager Version 6.7(1)

Questions:

- Can anyone let me know what the correct configuration is for setting up source NAT as mentioned above? Why am I getting the errors mentioned, and how do I fix them?

- Why is there an error on reassigning the ASA 1000v to the edge firewall?

- How do I enable logging/debugging on the ASA or VNMC to see packet details and how rules are getting applied?

Thanks,

Koushik
