Solved: Failing at Identity NAT

jimgrumbles · ‎04-11-2008

I'm trying to disable NAT from our Linux subet (192.168.8.0) to our DMZ (192.168.5.0) but am failing miserably.

On the IT subnet (192.168.1.0) identity NAT works perfectly, the PC of my workstation translates to itself on the DMZ. So I though, easy enough, just mimic the 192.168.1.0 rules.

Well, I think I've pretty much done that but still no no avail. When I ssh from 192.168.8.19 to 192.168.5.23 it says I'm connected from 192.168.5.240 which is in the DMZ NAT pool.

Here is the grep on an sh xlate:

ASA5520# sh xlate | grep 192.168.8

Global 192.168.8.0 Local 192.168.8.0

Global 192.168.5.240 Local 192.168.8.19

I hope I'm missing something really obvious here.

Also, I know I say this in a lot of my posts but I really love these forums. I'm not great with PIX/ASA yet but hope to return the favor someday.

I've tried "clear xlate" multiple times and when I grep sh xlate again it shows no active translations for these subnets. When I SSH again it still uses the DMZ NAT pool.

vitripat · ‎04-11-2008

Hello,

Please implement following commands-

no static (inside,dmz) 192.168.8.0 192.168.8.0 netmask 255.255.255.255

static (inside,dmz) 192.168.8.0 192.168.8.0 netmask 255.255.255.0

Issue was with the subnet mask in the static command. Hope that helps.

Regards,

Vibhor.

View solution in original post

vitripat · ‎04-11-2008

Hello,

Please implement following commands-

no static (inside,dmz) 192.168.8.0 192.168.8.0 netmask 255.255.255.255

static (inside,dmz) 192.168.8.0 192.168.8.0 netmask 255.255.255.0

Issue was with the subnet mask in the static command. Hope that helps.

Regards,

Vibhor.

jimgrumbles · ‎04-11-2008

Oh my goodness. I can't believe I missed that. I've been staring at configs too long or something.

Works perfectly now!

This helped me recognize that there were two other statements with a /32 netmask on a 24 bit subnet.

I'm slightly embarrassed, thanks again.