05-20-2009 01:15 PM - edited 03-11-2019 08:34 AM
Hi,
I have a Pix515 with a WAN link to a remote office. The Pix has an ethernet port that plugs into a 3550 switch which is set as a trunk. The WAN router is plugged into VLAN 7 (subinterface).
My LAN is on 192.168.3.x/24 and I need to have it translated to something else before it gets to the remote WAN (10.100.0.32/27) as they have this LAN used elsewhere. Can I get the pix to NAT my LAN to something else like 192.168.90.x/24?
Pix config is attached
Thanks
05-20-2009 04:39 PM
Yes, you can NAT to something else using policy NAT.
Just follow the link above. Your NAT exempt ACL would look something like:
access-list Inside_nat0_outbound extended permit ip 192.168.90.0 255.255.255.0
access-list policy-nat extended permit ip 192.168.3.0 255.255.255.0
static (inside,outside) 192.168.90.0 access-list policy-nat
The other end of the tunnel will also have to permit 192.168.90.0/24 in their tunnel policy.
Regards
05-21-2009 08:37 AM
James, are your requirements resolved with the policy NAT suggestions? Please let us know so we can assist you further if there are problems.
Regards
05-21-2009 11:01 AM
Hi!
I've been waiting all night and day for an email notify for this post and only just got it :(
Your example looks great, however I won't be able to do it until tomorrow, can't wait! I will update you.
I have never managed to get a NAT to work like this, although I have between 2 routers.
05-23-2009 12:30 PM
Hi there,
I don't think this worked for me, I can still ping 10.100.0.61, but I just think it's because I'm not getting NAT'ed so everything is the same.
All I added was:
access-list Inside_nat0_outbound extended permit ip 192.168.3.0 255.255.255.0 10.100.0.32 255.255.255.224
access-list policy-nat extended permit ip 192.168.3.0 255.255.255.0 10.100.0.32 255.255.255.252
I didn't add the last line you mentioned though as this isn't a VPN, just a serial connected WAN.
I have attached some more info, the Pix/ASA config doesn't have the 2 lines above btw in the attachment.
When I pinged 10.100.0.61 from my laptop on 192.168.3.x I wasn't sure what NAT debug commands I could use, so I simply ran "sh nat":
mypix# sh nat
NAT policies on Interface Inside:
match ip Inside 192.168.3.0 255.255.255.0 Outside 10.100.0.32 255.255.255.224
NAT exempt
translate_hits = 0, untranslate_hits = 0
match ip Inside 192.168.3.0 255.255.255.0 Outside 192.168.2.0 255.255.255.0
NAT exempt
translate_hits = 0, untranslate_hits = 0
match ip Inside 192.168.3.0 255.255.255.0 Outside 172.16.1.0 255.255.255.252
NAT exempt
translate_hits = 0, untranslate_hits = 0
match ip Inside 192.168.90.0 255.255.255.0 Outside 10.100.0.32 255.255.255.224
NAT exempt
translate_hits = 0, untranslate_hits = 0
match ip Inside 192.168.3.0 255.255.255.0 Inside 10.100.0.32 255.255.255.224
NAT exempt
translate_hits = 0, untranslate_hits = 0
match ip Inside 192.168.3.0 255.255.255.0 Inside 192.168.2.0 255.255.255.0
NAT exempt
translate_hits = 0, untranslate_hits = 0
match ip Inside 192.168.3.0 255.255.255.0 Inside 172.16.1.0 255.255.255.252
NAT exempt
translate_hits = 0, untranslate_hits = 0
match ip Inside 192.168.90.0 255.255.255.0 Inside 10.100.0.32 255.255.255.224
NAT exempt
translate_hits = 0, untranslate_hits = 0
match ip Inside 192.168.3.0 255.255.255.0 DMZ3 10.100.0.32 255.255.255.224
NAT exempt
translate_hits = 1, untranslate_hits = 1
match ip Inside 192.168.3.0 255.255.255.0 DMZ3 192.168.2.0 255.255.255.0
NAT exempt
translate_hits = 0, untranslate_hits = 0
match ip Inside 192.168.3.0 255.255.255.0 DMZ3 172.16.1.0 255.255.255.252
NAT exempt
translate_hits = 0, untranslate_hits = 0
match ip Inside 192.168.90.0 255.255.255.0 DMZ3 10.100.0.32 255.255.255.224
NAT exempt
translate_hits = 0, untranslate_hits = 0
match ip Inside 192.168.3.0 255.255.255.0 Outside 10.100.0.32 255.255.255.252
static translation to 192.168.90.0
translate_hits = 0, untranslate_hits = 0
match ip Inside any Outside any
dynamic translation to pool 1 (10.0.0.1 [Interface PAT])
translate_hits = 0, untranslate_hits = 0
match ip Inside any Inside any
dynamic translation to pool 1 (No matching global)
translate_hits = 0, untranslate_hits = 0
match ip Inside any DMZ3 any
dynamic translation to pool 1 (No matching global)
translate_hits = 0, untranslate_hits = 0
match ip Inside any Outside any
no translation group, implicit deny
policy_hits = 0
match ip Inside any DMZ3 any
no translation group, implicit deny
policy_hits = 0
NAT policies on Interface DMZ3:
match ip DMZ3 10.100.0.32 255.255.255.224 Outside 192.168.3.0 255.255.255.0
NAT exempt
translate_hits = 0, untranslate_hits = 0
match ip DMZ3 192.168.2.0 255.255.255.0 Outside 192.168.3.0 255.255.255.0
NAT exempt
translate_hits = 0, untranslate_hits = 0
match ip DMZ3 10.100.0.32 255.255.255.224 DMZ3 192.168.3.0 255.255.255.0
NAT exempt
translate_hits = 0, untranslate_hits = 0
match ip DMZ3 192.168.2.0 255.255.255.0 DMZ3 192.168.3.0 255.255.255.0
NAT exempt
translate_hits = 0, untranslate_hits = 0
match ip DMZ3 any Outside any
no translation group, implicit deny
policy_hits = 0
mypix#
Hope this helps
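An added example, not configuration or text from any post in this thread, to show why the ping above stays untranslated. On PIX 7.x and ASA 8.0 to 8.2 the NAT order of operations checks NAT exemption (nat 0 access-list) before any static, so the nat0 entry for 192.168.3.0/24 to 10.100.0.32/27 in the "sh nat" output (the DMZ3 copy is the only rule with translate_hits = 1) is matched first and the policy static is never consulted. The static as posted also has a /30 destination mask, which excludes 10.100.0.61, and is bound to the (inside,outside) pair while the hit landed on DMZ3. The script models the rule lookup for one flow against the rule set visible in the thread, against the same set with only the mask fixed, and against a corrected set; it assumes the WAN router is reached through the interface named DMZ3 and uses a constructed laptop address 192.168.3.10.

```python
"""Model of the pre-8.3 PIX/ASA NAT rule lookup for one flow.

Added example, not configuration from the thread. It reproduces the
Inside -> remote-WAN rules from the posted "sh nat" output and shows
which rule wins: NAT exemption is matched before static (policy) NAT,
so an exempt entry covering the same real source and destination
silently prevents the 192.168.3.0/24 -> 192.168.90.0/24 translation.
"""
from dataclasses import dataclass
from typing import List, Optional
import ipaddress

IPv4Net = ipaddress.IPv4Network


@dataclass(frozen=True)
class Rule:
    kind: str                     # "exempt" (nat 0 access-list) or "static" (static ... access-list)
    src_ifc: str                  # interface the real source sits behind
    src: str                      # real source network, e.g. "192.168.3.0/24"
    dst_ifc: str                  # egress interface
    dst: str                      # destination network the ACE matches
    mapped: Optional[str] = None  # mapped source network, static rules only


# Order of operations on PIX 7.x / ASA 8.0-8.2: exemption first, then static NAT.
PRECEDENCE = ("exempt", "static")


def pick_rule(rules: List[Rule], src_ifc: str, src_ip: str,
              dst_ifc: str, dst_ip: str) -> Optional[Rule]:
    """Return the first rule that matches the flow, in precedence order."""
    s, d = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    for kind in PRECEDENCE:
        for r in rules:
            if (r.kind == kind and r.src_ifc == src_ifc and r.dst_ifc == dst_ifc
                    and s in IPv4Net(r.src) and d in IPv4Net(r.dst)):
                return r
    return None


def translate(rules: List[Rule], src_ifc: str, src_ip: str,
              dst_ifc: str, dst_ip: str) -> str:
    """Source address the remote side sees for this flow."""
    r = pick_rule(rules, src_ifc, src_ip, dst_ifc, dst_ip)
    if r is None or r.kind == "exempt":
        return src_ip                      # exempt or unmatched: sent untranslated
    # A policy static over a whole /24 is one-to-one: the host part is preserved.
    real, mapped = IPv4Net(r.src), IPv4Net(r.mapped)
    offset = int(ipaddress.IPv4Address(src_ip)) - int(real.network_address)
    return str(mapped.network_address + offset)


# Inside -> WAN slice of the rules visible in the posted "sh nat" output.
AS_POSTED: List[Rule] = [
    Rule("exempt", "Inside", "192.168.3.0/24", "Outside", "10.100.0.32/27"),
    Rule("exempt", "Inside", "192.168.3.0/24", "DMZ3", "10.100.0.32/27"),   # translate_hits = 1
    Rule("exempt", "Inside", "192.168.90.0/24", "DMZ3", "10.100.0.32/27"),  # real source is never 192.168.90.x
    Rule("static", "Inside", "192.168.3.0/24", "Outside", "10.100.0.32/30",  # /30 covers only .32-.35
         mapped="192.168.90.0/24"),
]

# Same rules with only the mask and interface of the static corrected: exemption still wins.
MASK_FIXED_ONLY: List[Rule] = AS_POSTED[:3] + [
    Rule("static", "Inside", "192.168.3.0/24", "DMZ3", "10.100.0.32/27", mapped="192.168.90.0/24"),
]

# Corrected rule set. Assumption: the WAN router is reached through the interface
# named DMZ3 (the only rule with a hit in the output). Equivalent PIX commands:
#   no access-list Inside_nat0_outbound extended permit ip 192.168.3.0 255.255.255.0 10.100.0.32 255.255.255.224
#   access-list policy-nat extended permit ip 192.168.3.0 255.255.255.0 10.100.0.32 255.255.255.224
#   static (Inside,DMZ3) 192.168.90.0 access-list policy-nat
CORRECTED: List[Rule] = [
    Rule("static", "Inside", "192.168.3.0/24", "DMZ3", "10.100.0.32/27", mapped="192.168.90.0/24"),
]

# Constructed test flow: a laptop on the LAN pinging the remote host named in the thread.
FLOW = ("Inside", "192.168.3.10", "DMZ3", "10.100.0.61")


def outcome(rules: List[Rule]) -> str:
    """Human-readable result for FLOW: which rule kind won and the address seen remotely."""
    r = pick_rule(rules, *FLOW)
    kind = "no rule" if r is None else r.kind
    return f"{kind}: {FLOW[1]} -> {translate(rules, *FLOW)}"


if __name__ == "__main__":
    for name, rules in (("as posted", AS_POSTED), ("mask fixed only", MASK_FIXED_ONLY),
                        ("corrected", CORRECTED)):
        print(f"{name:16} {outcome(rules)}")
```

Running it prints the exempt outcome for the first two rule sets and the static outcome (192.168.3.10 seen as 192.168.90.10) only once the nat0 entry for that destination is gone. On a real box the same check is the translate_hits counter on the static line of "sh nat" going up, and "sh xlate" showing 192.168.90.x entries.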
05-26-2009 12:32 PM
Hi,
I just wondered if you might be able to have a quick look at why my NAT isn't working?
Many thanks