
New Member

ASA (policy) NAT help

Hi,

I think this might be a policy NAT that is required, but I have never tried this before.

On our LAN we have a subnet 192.168.100.x/24 and this needs to get to an IP range of 10.100.0.32/27 which is a remote company network, the thing is they also have a network on 192.168.100.x/24 so I want 192.168.100.x/24 to be NAT'ed to 192.168.90.0/24 only if going to this network.

Possible

24 REPLIES

Re: ASA (policy) NAT help

Yes this is possible - you need to use PolicyBased NAT

HTH>

New Member

Re: ASA (policy) NAT help

Do you have an example of this?

Inside range he is on is

192.168.100.x/24 and he needs to get to 10.100.0.32/27

I want him to be seen as 192.168.90.x/24 or 192.168.90.240 if easier?

Thanks

Re: ASA (policy) NAT help

The config would be something like:-

access-list <> extended permit ip <> <

static (inside,outside) <> access-list <>

HTH>

New Member

Re: ASA (policy) NAT help

access-list policy_NAT permit ip 192.168.100.0 255.255.255.0 host 10.100.0.32

static (inside,outside) 192.168.90.240 access-list policy_NAT

If there is a match in the ACL 'policy_NAT' then the 192.168.100.x address will be translated to 192.168.90.240

New Member

Re: ASA (policy) NAT help

hi,

When adding "static (inside,outside) 192.168.90.240 access-list policy_NAT"

I seem to get the error:

global address overlaps with mask

Re: ASA (policy) NAT help

Check your ACL.

New Member

Re: ASA (policy) NAT help

Use NAT instead:

access-list policy_NAT permit ip 192.168.100.0 255.255.255.0 host 10.100.0.32

global (outside) 1 192.168.90.240

nat (inside) 1 access-list policy_NAT

New Member

Re: ASA (policy) NAT help

Can host 10.100.0.32 be a range 10.100.0.32/27 ?

Re: ASA (policy) NAT help

Yes

New Member

Re: ASA (policy) NAT help

Yes, just take out :

host 10.100.0.32

and replace with

10.100.0.32 255.255.255.224

New Member

Re: ASA (policy) NAT help

Tried this but it didn't work, this is my fault, the interface where this network lives is off an interface on the ASA called "DMZ3":

access-list policy-nat-2 permit ip 192.168.100.0 255.255.255.0 10.100.0.32 255.255.255.224

global (outside) 2 192.168.90.240

nat (inside) 2 access-list policy-nat-2

New Member

Re: ASA (policy) NAT help

You need to detail the error, or why you say it didn't work.

Have you forced the connection from the 192.168.100.0/24 to the 10.100.0.32/27 network?

Does 'show xla' give you a translation?

New Member

Re: ASA (policy) NAT help

Sorry that was very brief of me.

I have added this as you know:

access-list policy-nat-2 permit ip 192.168.100.0 255.255.255.0 10.100.0.32 255.255.255.224

global (outside) 2 192.168.90.240

nat (inside) 2 access-list policy-nat-2

the 192.168.100.x is on the inside and 10.100.0.32/27 is on the DMZ3 interface on the ASA which is where this WAN is installed to this remote network.

Let me look at the NAT translations.

Re: ASA (policy) NAT help

Then you need to change nat (<>) 2 access-list policy-nat-2

New Member

Re: ASA (policy) NAT help

I didn't see any translations:

Does this look ok to you guys, sorry for all the silly confusion I have created.

access-list policy-nat-2 permit ip 192.168.100.0 255.255.255.0 10.100.0.32 255.255.255.224

global (outside) 2 192.168.90.240

nat (DMZ3) 2 access-list policy-nat-2

I went to the PC with 192.168.100.x and pinged 10.100.0.61 which I know is live and got a request timeout.

Re: ASA (policy) NAT help

Config looks OK - can you confirm that layer 3 devices on the 10.100.0.32/27 subnet know "how" to get "back" to 192.168.90.x thru 192.168.100.x ?

Are you allowing icmp - echo-replies back into the outside interface of the ASA?

New Member

Re: ASA (policy) NAT help

192.168.90.x can ping 10.100.0.32/27 as I'm pinging from that subnet.

I guess they will just send replies to 192.168.90.240 that translates to 192.168.100.x?

Is this static NAT better than a policy NAT?

New Member

Re: ASA (policy) NAT help

I think you have your bracketed interfaces the wrong way round for global and nat.

global (DMZ3)

nat (inside)

New Member

Re: ASA (policy) NAT help

Sadly, I couldn't get this to work:

I tried these 2 configs:

1.)

access-list policy-nat-2 permit ip 192.168.100.0 255.255.255.0 10.100.0.32 255.255.255.224

global (DMZ3) 2 192.168.90.240

nat (outside) 2 access-list policy-nat-2

When I do a packet trace I get a drop:

packet-tracer input inside icmp 192.168.100.32 0 1 1 10.100$

Phase: 1

Type: FLOW-LOOKUP

Subtype:

Result: ALLOW

Config:

Additional Information:

Found no matching flow, creating a new flow

Phase: 2

Type: ROUTE-LOOKUP

Subtype: input

Result: ALLOW

Config:

Additional Information:

in Remotesvr_Servers 255.255.255.224 DMZ3

Phase: 3

Type: ROUTE-LOOKUP

Subtype: input

Result: ALLOW

Config:

Additional Information:

in VLAN100 255.255.255.0 inside

Phase: 4

Type: ACCESS-LIST

Subtype: log

Result: ALLOW

Config:

access-group inside_access_in in interface inside

access-list inside_access_in extended permit icmp any any

Additional Information:

Phase: 5

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 6

Type: INSPECT

Subtype: np-inspect

Result: ALLOW

Config:

class-map inspection_default

match default-inspection-traffic

policy-map global_policy

class inspection_default

inspect icmp

service-policy global_policy global

Additional Information:

Phase: 7

Type: INSPECT

Subtype: np-inspect

Result: ALLOW

Config:

Additional Information:

Phase: 8

Type: NAT

Subtype:

Result: DROP

Config:

nat (inside) 1 0.0.0.0 0.0.0.0

nat-control

match ip inside any DMZ3 any

dynamic translation to pool 1 (No matching global)

translate_hits = 137, untranslate_hits = 0

Additional Information:

Result:

input-interface: inside

input-status: up

input-line-status: up

output-interface: inside

output-status: up

output-line-status: up

Action: drop

Drop-reason: (acl-drop) Flow is denied by configured rule

2.)

access-list inside_outbound_nat0_acl extended permit ip 192.168.100.0 255.255.255.0 10.100.0.32 255.255.255.224

access-list policy-nat-2 extended permit ip 192.168.100.0 255.255.255.0 10.100.0.32 255.255.255.224

static (inside,DMZ3) 192.168.90.240 access-list policy-nat-2

On this one I get the error "global address overlaps with mask"

Re: ASA (policy) NAT help

access-list policy-nat-2 permit ip 192.168.100.0 255.255.255.0 10.100.0.32 255.255.255.224

global (DMZ3) 2 192.168.90.240

nat (outside) 2 access-list policy-nat-2

This will not work - as you are trying to perform PAT in a Static 1:1 config, not possible.

use:-

access-list policy-nat-2 permit ip 192.168.100.0 255.255.255.0 10.100.0.32 255.255.255.224

global (DMZ3) 2 192.168.90.0

nat (outside) 2 access-list policy-nat-2

or

access-list policy-nat-2 permit ip host 192.168.100.x 10.100.0.32 255.255.255.224

global (DMZ3) 2 192.168.90.240

nat (outside) 2 access-list policy-nat-2

New Member

Re: ASA (policy) NAT help

Tried those 2 examples of yours and tried the packet trace again:

Phase: 8

Type: NAT

Subtype:

Result: DROP

Config:

nat (inside) 1 0.0.0.0 0.0.0.0

nat-control

match ip inside any DMZ3 any

dynamic translation to pool 1 (No matching global)

translate_hits = 145, untranslate_hits = 0

Additional Information:
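
The drop in that trace ("dynamic translation to pool 1 (No matching global)") comes from the pre-8.3 matching order: the nat statement is matched on the interface where traffic enters, policy NAT (with an access-list) is checked before regular NAT on that interface, and the global for the same pool id must exist on the interface where traffic exits. The following is an added Python model of that decision, not ASA code and not any poster's configuration; the global (outside) 1 interface entry is a constructed assumption so that non-matching traffic has somewhere to go.

```python
from ipaddress import ip_address, ip_network

# Constructed model of pre-8.3 ASA "nat (ingress) id [access-list]" and
# "global (egress) id mapped" matching. Not ASA code; it only reproduces the
# decision the thread's packet-tracer shows ("No matching global").

def nat_rule(ingress, pool_id, acl=None, real="0.0.0.0/0"):
    """acl: list of (src_net, dst_net); None means regular (non-policy) NAT."""
    return {"if": ingress, "id": pool_id, "policy": acl is not None,
            "acl": acl if acl is not None else [(real, "0.0.0.0/0")]}

def matches(acl, src, dst):
    s, d = ip_address(src), ip_address(dst)
    return any(s in ip_network(sn) and d in ip_network(dn) for sn, dn in acl)

def translate(nat_rules, global_pools, ingress, egress, src, dst):
    """Return ('PAT', mapped) or ('DROP', reason) for one flow."""
    # Policy NAT rules on the ingress interface are checked before regular ones.
    candidates = sorted((r for r in nat_rules if r["if"] == ingress),
                        key=lambda r: not r["policy"])
    for rule in candidates:
        if not matches(rule["acl"], src, dst):
            continue
        mapped = global_pools.get((egress, rule["id"]))
        if mapped is None:  # same condition as "(No matching global)" in the trace
            return ("DROP", f"pool {rule['id']}: No matching global on {egress}")
        return ("PAT", mapped)
    return ("DROP", "nat-control: no nat rule matched")

POLICY_ACL = [("192.168.100.0/24", "10.100.0.32/27")]   # policy-nat-2
# 'interface' for pool 1 on outside is a constructed assumption (not in the thread).
GLOBALS = {("outside", 1): "interface", ("DMZ3", 2): "192.168.90.240"}

# 1) The thread's attempt: nat (outside) 2 ..., so inside traffic falls to pool 1.
BROKEN_NAT = [nat_rule("inside", 1), nat_rule("outside", 2, POLICY_ACL)]
# 2) nat on the ingress interface (inside), global on the egress interface (DMZ3).
FIXED_NAT = [nat_rule("inside", 1), nat_rule("inside", 2, POLICY_ACL)]

def broken():
    return translate(BROKEN_NAT, GLOBALS, "inside", "DMZ3", "192.168.100.32", "10.100.0.61")

def fixed():
    return translate(FIXED_NAT, GLOBALS, "inside", "DMZ3", "192.168.100.32", "10.100.0.61")

def fixed_other_dest():
    # A destination outside the ACL still uses regular NAT (pool 1) towards outside.
    return translate(FIXED_NAT, GLOBALS, "inside", "outside", "192.168.100.32", "203.0.113.9")

if __name__ == "__main__":
    print(broken(), fixed(), fixed_other_dest(), sep="\n")
```

The model only covers the nat/global path; nat 0 exemption and static entries, which the real ASA evaluates first, are left out.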

Re: ASA (policy) NAT help

Post all your current NAT/Interface config.

New Member

Re: ASA (policy) NAT help

I have removed the config that I am trying, but here is some of it; if you need anything else let me know, I've had to hide some bits:

interface GigabitEthernet0/0

nameif outside

security-level 0

ip address *.*.*.* 255.255.255.224

ospf cost 10

!

interface GigabitEthernet0/1

nameif inside

security-level 100

ip address *.*.*.* 255.255.0.0

ospf cost 10

!

interface GigabitEthernet0/2

no nameif

no security-level

no ip address

!

interface GigabitEthernet0/2.4

vlan 4

nameif DMZ2_Network

security-level 15

ip address 192.168.1.1 255.255.255.0

ospf cost 10

!

interface GigabitEthernet0/2.6

vlan 6

nameif DMZ1_Servers

security-level 10

ip address 172.24.0.100 255.255.255.0

ospf cost 10

!

interface GigabitEthernet0/2.7

vlan 7

nameif DMZ3

security-level 25

ip address 192.168.2.1 255.255.255.0

ospf cost 10

!

interface GigabitEthernet0/2.9

vlan 9

nameif DMZ6_WAN

security-level 35

ip address 172.30.0.4 255.255.255.0

ospf cost 10

!

interface GigabitEthernet0/2.10

vlan 10

nameif DMZ10_Servers

security-level 25

ip address 192.168.15.1 255.255.255.224

ospf cost 10

!

interface GigabitEthernet0/2.300

vlan 300

nameif DMZ4

security-level 20

ip address 172.25.1.1 255.255.255.0

ospf cost 10

!

interface GigabitEthernet0/3

description LAN/STATE Failover Interface

static (inside,outside) udp interface 9996 SVR06 9996 netmask 255.255.255.255

static (inside,outside) *.*.*.* SVR10 netmask 255.255.255.255

static (inside,outside) DMZ6-172.30.0.0 access-list policy-nat

static (DMZ10_Servers,outside) *.*.*.* SVR05_NEW netmask 255.255.255.255

static (inside,outside) *.*.*.* 192.168.25.42 netmask 255.255.255.255

nat-control

nat (outside) 1 Office1 255.255.255.0

nat (inside) 0 access-list inside_outbound_nat0_acl

nat (inside) 1 0.0.0.0 0.0.0.0

nat (DMZ2_Network) 0 access-list DMZ2_nat0_outbound

nat (DMZ2_Network) 1 0.0.0.0 0.0.0.0

nat (DMZ1_Servers) 0 access-list DMZ1_Servers_nat0_outbound

nat (DMZ1_Servers) 0 access-list DMZ_inbound_nat0_acl outside

nat (DMZ1_Servers) 1 0.0.0.0 0.0.0.0

nat (DMZ3) 0 access-list DMZ3_nat0_outbound

nat (DMZ3) 1 0.0.0.0 0.0.0.0

nat (DMZ6_WAN) 0 access-list DMZ6_WAN_nat0_outbound

nat (DMZ6_WAN) 1 0.0.0.0 0.0.0.0

nat (DMZ10_Servers) 0 access-list DMZ10_Servers_nat0_outbound

nat (DMZ10_Servers) 1 0.0.0.0 0.0.0.0

nat (DMZ4) 0 access-list DMZ4_outbound_nat0_acl

nat (DMZ4) 1 0.0.0.0 0.0.0.0

static (inside,outside) DMZ6-172.30.0.0 access-list policy-nat

no crypto isakmp nat-traversal

Re: ASA (policy) NAT help

So where is the destination? And what interface is the policy NAT required from?
