Community Member

Failing at Identity NAT

I'm trying to disable NAT from our Linux subnet (192.168.8.0) to our DMZ (192.168.5.0) but am failing miserably.

On the IT subnet (192.168.1.0) identity NAT works perfectly, the PC of my workstation translates to itself on the DMZ. So I thought, easy enough, just mimic the 192.168.1.0 rules.

Well, I think I've pretty much done that but still to no avail. When I ssh from 192.168.8.19 to 192.168.5.23 it says I'm connected from 192.168.5.240, which is in the DMZ NAT pool.

Here is the grep on an sh xlate:

ASA5520# sh xlate | grep 192.168.8
Global 192.168.8.0 Local 192.168.8.0
Global 192.168.5.240 Local 192.168.8.19

I hope I'm missing something really obvious here.

Also, I know I say this in a lot of my posts but I really love these forums. I'm not great with PIX/ASA yet but hope to return the favor someday.

I've tried "clear xlate" multiple times and when I grep sh xlate again it shows no active translations for these subnets. When I SSH again it still uses the DMZ NAT pool.

1 ACCEPTED SOLUTION

Accepted Solutions
Silver

Re: Failing at Identity NAT

Hello,

Please implement the following commands:

no static (inside,dmz) 192.168.8.0 192.168.8.0 netmask 255.255.255.255

static (inside,dmz) 192.168.8.0 192.168.8.0 netmask 255.255.255.0

The issue was with the subnet mask in the static command. Hope that helps.

Regards,

Vibhor.
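The mistake in the thread is easy to see once it is modelled: a static with netmask 255.255.255.255 matches only the single host 192.168.8.0, so every other host in the subnet falls through to the dynamic DMZ pool. The following added example (not from the original post or from Cisco) parses pre-8.3 `static (real_ifc,mapped_ifc) mapped real netmask mask` lines, simulates the simplified rule order "static first, then dynamic pool", and flags /32 statics that look like they were meant to cover a subnet. The config fragment and the pool address are constructed from the values in the thread.

```python
import ipaddress
import re

# Pre-8.3 ASA syntax: static (real_ifc,mapped_ifc) mapped_ip real_ip netmask mask
STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) (\S+) (\S+) netmask (\S+)$")

# Constructed fragment: the working /24 IT rule beside the broken /32 Linux rule.
SAMPLE_CONFIG = """\
static (inside,dmz) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
static (inside,dmz) 192.168.8.0 192.168.8.0 netmask 255.255.255.255
"""
DMZ_POOL_FIRST = "192.168.5.240"  # assumed first address of the dynamic DMZ pool

def parse_statics(config):
    """Return one dict per static rule; the real side becomes an ip_network."""
    rules = []
    for line in config.splitlines():
        m = STATIC_RE.match(line.strip())
        if not m:
            continue
        real_ifc, mapped_ifc, mapped, real, mask = m.groups()
        rules.append({
            "ifcs": (real_ifc, mapped_ifc),
            "mapped": ipaddress.ip_address(mapped),
            "real_net": ipaddress.ip_network(f"{real}/{mask}", strict=False),
            "line": line.strip(),
        })
    return rules

def translate(rules, src_ip, pool_first=DMZ_POOL_FIRST):
    """Simplified ASA order: a matching static wins, else the dynamic pool is used."""
    src = ipaddress.ip_address(src_ip)
    for r in rules:
        if src in r["real_net"]:
            offset = int(src) - int(r["real_net"].network_address)
            return str(r["mapped"] + offset)  # identity rule maps host to itself
    return pool_first

def audit_statics(rules):
    """Heuristic: a /32 static on an address ending in .0 was probably meant as a subnet."""
    return [r["line"] for r in rules
            if r["real_net"].prefixlen == 32
            and int(r["real_net"].network_address) & 0xFF == 0]

if __name__ == "__main__":
    rules = parse_statics(SAMPLE_CONFIG)
    print("192.168.8.19 ->", translate(rules, "192.168.8.19"))  # pool address
    print("192.168.1.19 ->", translate(rules, "192.168.1.19"))  # identity
    print("suspicious:", audit_statics(rules))
```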

2 REPLIES
Community Member

Re: Failing at Identity NAT

Oh my goodness. I can't believe I missed that. I've been staring at configs too long or something.

Works perfectly now!

This helped me recognize that there were two other statements with a /32 netmask on a 24 bit subnet.

I'm slightly embarrassed, thanks again.
