Nat One internal subnet to another internal IP to access the shared resources

raghu.jrs (Level 1)

Hi

I have an ASA 5510 running 8.2.5.

I have two internal subnets, 192.168.96.0/19 and 10.12.127.0/19. I can access all the shared resources in the datacenter from the 192.168.96.0/19 subnet. I need to access the same datacenter resources from the other internal subnet (10.12.127.0/19).

Is there any way I can NAT the whole subnet (10.12.127.0/19) to one of my internal IPs (192.168.96.10), which is already allowed in the datacenter?

Can you please provide the CLI configuration commands?

13 Replies

Jouni Forss (VIP Alumni)

Hi,

Which interface is the remote destination network behind? Is it behind a L2L VPN connection, perhaps? And which interfaces are the local/internal networks located behind?

Are you sure about the new source network? Do you mean the 10.12.128.0/19 or the 10.12.96.0/19 range, as those would seem to be the network addresses for that subnet mask?

Can you tell us how NAT is currently configured for your network 192.168.96.0/19?

- Jouni

Hi,

Sorry for the typo, it's 10.12.128.0/19.

I need to map the whole 10.12.128.0/19 subnet to one of my internal IPs (192.168.96.10); through that I should be able to access all the shared resources.

Hi,

But I need to know the current setup, because this is essential to provide the correct NAT configuration.

If we are talking about a L2L VPN connection, then a normal Dynamic PAT configuration might possibly even break Internet connectivity for users. If you just have another interface connected to a datacenter, then a normal Dynamic PAT configuration might be just fine.

So we need to see the current setup to know what kind of NAT we can use.

- Jouni

Yes, you are right. I am able to reach the datacenter if I create a PAT to one of the internal IPs, but I can't access the Internet from the same network. Is there any way to resolve this issue?

Below are the internal and datacenter networks:

Internal subnet: 10.12.128.0/19

Internal subnet: 192.168.96.0/19

Datacenter subnet: 10.40.128.0/19

The subnet 192.168.96.0/19 is allowed in the datacenter. I need to access the datacenter resources from the 10.12.128.0/19 subnet through one of my other internal IPs (192.168.96.10), and I should also be able to access the Internet from 10.12.128.0/19. Is there any way to configure both on the ASA?

Hi,

I understand your requirements, but I still need to know the current setup on your firewall.

Can you provide the output of the following commands so I can see the current NAT configuration?

show run global

show run nat

show run static

Change any public IP addresses if there are any in the configuration.

- Jouni

show run global
global (outside) 2 interface
global (backup) 2 interface

show run nat
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 2 192.168.96.0 255.255.224.0
nat (inside) 2 10.12.128.0 255.255.224.0

show run static
static (inside,outside) 2.2.2.1 192.168.96.29 netmask 255.255.255.255
static (inside,outside) 2.2.2.2 192.168.96.45 netmask 255.255.255.255

2.2.2.1 and 2.2.2.2 are public IPs.

Hi,

Can you provide the output of

show access-list inside_nat0_outbound

Though I presume this contains the NAT0 configuration for the network 192.168.96.0/19?

If so, then to NAT the network 10.12.128.0/19 to the single IP address you would have to configure Dynamic Policy PAT:

access-list DATACENTER-POLICY-PAT remark Dynamic Policy PAT for Datacenter connection
access-list DATACENTER-POLICY-PAT permit ip 10.12.128.0 255.255.224.0 10.40.128.0 255.255.224.0
global (outside) 200 192.168.96.10

The output of the command that I asked for would probably clarify this situation.

If you have a L2L VPN connection to the datacenter, then you would probably need to add this too for the "backup" interface:

global (backup) 200 192.168.96.10

- Jouni

Where do we map the 10.12.128.0/19 subnet to 192.168.96.10?

show access-list inside_nat0_outbound

  access-list inside_nat0_outbound line 1 extended permit ip 192.168.96.0 255.255.224.0 10.40.128.0 255.255.224.0 (hitcnt=0) 0xe9aed99d

Hi,

It seems to me that the configuration I suggested above should work for you just fine then.

After you have configured it, you can test that the Dynamic Policy PAT works by using "packet-tracer", or naturally by testing the actual connection:

packet-tracer input inside tcp 10.12.128.100 12345 10.40.128.100 80

Change the addresses and ports above if your ACLs block that traffic.

Hope this helps

Let us know if it works for you.

Please do remember to mark a reply as the correct answer if it answered your question.

Feel free to ask more if needed.

- Jouni

Hi,

It seems you edited your latest reply.

This is the configuration that does the Dynamic Policy PAT:

access-list DATACENTER-POLICY-PAT remark Dynamic Policy PAT for Datacenter connection
access-list DATACENTER-POLICY-PAT permit ip 10.12.128.0 255.255.224.0 10.40.128.0 255.255.224.0
global (outside) 200 192.168.96.10
global (backup) 200 192.168.96.10

It sets the conditions under which the Dynamic PAT is applied. In this case the Dynamic PAT is done when the source network 10.12.128.0/19 connects to the remote network 10.40.128.0/19; the traffic is then PATed to the IP address 192.168.96.10.

- Jouni

Thank you for your support, it's working. I added the configuration below:

access-list DATACENTER-POLICY-PAT remark Dynamic Policy PAT for Datacenter connection
access-list DATACENTER-POLICY-PAT permit ip 10.12.128.0 255.255.224.0 10.40.128.0 255.255.224.0
nat (inside) 200 access-list DATACENTER-POLICY-PAT
global (outside) 200 192.168.96.10

I need one clarification: do I need to remove "nat (inside) 2 10.12.128.0 255.255.224.0", or is that not required?

Hi,

You should not remove any configuration.

The one you mention is required for normal Internet traffic from that source network.

Please do remember to mark a reply as the correct answer (with the button at the bottom of the reply) if it answered your question.

Feel free to ask more if needed.

- Jouni

Ah sorry,

I had totally missed adding the part

nat (inside) 200 access-list DATACENTER-POLICY-PAT

Sorry about that.

- Jouni
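The two points Jouni makes above (the policy ACL decides *when* the 192.168.96.10 PAT is used, and the plain "nat (inside) 2 10.12.128.0" line must stay for Internet traffic) follow from the NAT order of operations on ASA 8.2. The following Python model is an added example and not part of the thread or of Cisco's code: it parses the exact CLI lines posted here and walks a packet through the 8.2 evaluation order (NAT exemption, static NAT, policy dynamic NAT, regular dynamic NAT). The interface addresses used for "global ... interface" and the Internet-side host address are made up for the example, and first-match-in-config-order within each step is a simplification of the real engine.

```python
"""
Added example (not from the thread): a small model of how ASA 8.2 selects a
NAT rule for traffic leaving the inside interface, using the rule set posted
in this thread. Order of operations modelled:
  1. NAT exemption           nat (inside) 0 access-list ...
  2. static NAT              static (inside,outside) ...
  3. policy dynamic NAT/PAT  nat (inside) N access-list ...  + global (egress) N ...
  4. regular dynamic NAT/PAT nat (inside) N <net> <mask>     + global (egress) N ...
"""
from ipaddress import ip_address, ip_network

# Assumed interface addresses (not in the thread) for "global (x) N interface".
INTERFACE_ADDRS = {"outside": "203.0.113.1", "backup": "198.51.100.1"}

# The rule set exactly as posted in the thread, with the policy PAT added.
THREAD_CONFIG = """
access-list inside_nat0_outbound extended permit ip 192.168.96.0 255.255.224.0 10.40.128.0 255.255.224.0
access-list DATACENTER-POLICY-PAT remark Dynamic Policy PAT for Datacenter connection
access-list DATACENTER-POLICY-PAT permit ip 10.12.128.0 255.255.224.0 10.40.128.0 255.255.224.0
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 200 access-list DATACENTER-POLICY-PAT
nat (inside) 2 192.168.96.0 255.255.224.0
nat (inside) 2 10.12.128.0 255.255.224.0
global (outside) 2 interface
global (backup) 2 interface
global (outside) 200 192.168.96.10
global (backup) 200 192.168.96.10
static (inside,outside) 2.2.2.1 192.168.96.29 netmask 255.255.255.255
static (inside,outside) 2.2.2.2 192.168.96.45 netmask 255.255.255.255
"""


def _net(addr, mask):
    return ip_network(f"{addr}/{mask}", strict=False)


def parse(text):
    """Parse the subset of ASA 8.2 NAT syntax used above into rule lists."""
    cfg = {"acls": {}, "policy": [], "dynamic": [], "globals": {}, "statics": []}
    for line in text.splitlines():
        t = line.split()
        if not t:
            continue
        if t[0] == "access-list":
            if "remark" in t:
                continue
            body = t[3:] if t[2] == "extended" else t[2:]   # "extended" is optional
            action, _proto, s, sm, d, dm = body             # only "ip" ACEs modelled
            cfg["acls"].setdefault(t[1], []).append((action, _net(s, sm), _net(d, dm)))
        elif t[0] == "nat":
            nat_id = int(t[2])
            if t[3] == "access-list":
                cfg["policy"].append((nat_id, t[4]))        # id 0 == NAT exemption
            else:
                cfg["dynamic"].append((nat_id, _net(t[3], t[4])))
        elif t[0] == "global":
            cfg["globals"][(t[1].strip("()"), int(t[2]))] = t[3]
        elif t[0] == "static":
            _inside, out = t[1].strip("()").split(",")
            cfg["statics"].append((out, _net(t[3], t[5]), ip_address(t[2])))
    return cfg


def _acl_permits(acl, src, dst):
    for action, s, d in acl:
        if src in s and dst in d:
            return action == "permit"
    return False


def _global_addr(cfg, nat_id, egress):
    g = cfg["globals"].get((egress, nat_id))
    if g is None:
        return None
    return INTERFACE_ADDRS[egress] if g == "interface" else g


def translate(cfg, src, dst, egress="outside"):
    """Return (rule_type, translated_source) for an inside -> egress packet."""
    src, dst = ip_address(src), ip_address(dst)
    for nat_id, acl in cfg["policy"]:                       # 1. NAT exemption wins
        if nat_id == 0 and _acl_permits(cfg["acls"][acl], src, dst):
            return ("exempt", str(src))
    for out, local, mapped_base in cfg["statics"]:          # 2. static, one-to-one
        if out == egress and src in local:
            return ("static", str(mapped_base + (int(src) - int(local.network_address))))
    for nat_id, acl in cfg["policy"]:                       # 3. ACL decides *when*
        if nat_id != 0 and _acl_permits(cfg["acls"][acl], src, dst):
            return ("policy-pat", _global_addr(cfg, nat_id, egress))
    for nat_id, net in cfg["dynamic"]:                      # 4. keyed on source only
        if src in net:
            return ("dynamic-pat", _global_addr(cfg, nat_id, egress))
    # No rule: forwarded untranslated (dropped instead if nat-control is enabled).
    return ("untranslated", None)


if __name__ == "__main__":
    cfg = parse(THREAD_CONFIG)
    for src, dst in [("10.12.128.100", "10.40.128.100"), ("10.12.128.100", "192.0.2.44"),
                     ("192.168.96.50", "10.40.128.100"), ("192.168.96.29", "192.0.2.44")]:
        print(f"{src} -> {dst}: {translate(cfg, src, dst)}")
    # Removing the plain "nat (inside) 2" line for 10.12.128.0/19 leaves only
    # datacenter-bound traffic translated; Internet-bound traffic gets no rule.
    trimmed = parse(THREAD_CONFIG.replace("nat (inside) 2 10.12.128.0 255.255.224.0\n", ""))
    print("without nat 2 for 10.12.128.0/19:", translate(trimmed, "10.12.128.100", "192.0.2.44"))
```

Running the block shows datacenter-bound traffic from 10.12.128.0/19 leaving as 192.168.96.10 while Internet-bound traffic from the same hosts still uses the outside interface address, and that the 192.168.96.0/19 hosts keep their NAT exemption toward the datacenter. Parsing the same config without the "nat (inside) 2 10.12.128.0" line makes the Internet-bound packet fall through every step, which is the breakage Jouni warns about.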
