11-15-2010 04:23 PM - edited 03-11-2019 12:09 PM
Hello Everyone,
I am stuck with these two NAT statements. When I add the second NAT statement, it still uses the first NAT statement when I look at the packet-tracer input output.
There is a single "inside interface" IP address that needs to be connected to two different VPN tunnel hosts. The inside address is 192.168.10.20, which needs to connect to the remote tunnel hosts 10.10.10.10 and 20.20.20.20.
10.51.2.10 is the dmz NAT
10.51.2.50 is the dmz NAT
The first nat statement is made like this
access-list OLD_VPN_192.168.10.20 extended permit ip host 192.168.10.20 10.10.10.10 255.255.255.240
static (inside, dmz) 10.51.2.10 192.168.10.20 netmask 255.255.255.255
The second nat statement is like this
access-list NEW_VPN_192.168.10.20 extended permit tcp host 192.168.10.20 20.20.20.20 eq 21
static (inside, dmz) 10.51.2.50 access-list NEW_VPN_192.168.10.20
When I see the output of packet-tracer, the traffic is going via 10.51.2.10, but it's supposed to go via 10.51.2.50. Is there some priority here which I should be aware of?
Thanks
SId
11-15-2010 04:42 PM
Can you please confirm if your first statement should be:
static (inside, dmz) 10.51.2.10 access-list OLD_VPN_192.168.10.20
instead of:
static (inside, dmz) 10.51.2.10 192.168.10.20 netmask 255.255.255.255
as posted earlier?
If it's "static (inside, dmz) 10.51.2.10 access-list OLD_VPN_192.168.10.20", then it is OK as long as you perform "clear xlate" after any of the static NAT changes.
11-15-2010 04:47 PM
Hi Jennifer,
It's the same as I posted. When I do a "show xlate count detailed"
for the first NAT statement, I get "NAT from inside:192.168.10.20 to dmz:10.51.2.10 flags s".
For the second NAT I get "TCP PAT .........." because I am allowing only FTP and ICMP.
Thanks
Sid
11-15-2010 04:58 PM
In that case, please flip the static NAT statement around as it's processed in order.
I would suggest that you remove both statements, then enter the commands in this order:
static (inside, dmz) 10.51.2.50 access-list NEW_VPN_192.168.10.20
static (inside, dmz) 10.51.2.10 192.168.10.20 netmask 255.255.255.255
Then "clear xlate".
11-15-2010 05:03 PM
Hello Jennifer,
Thanks for the response. This solution will still allow both NAT flows to be sent to their destinations, right? Both statics are important and for business purposes.
Thanks
Sid
11-15-2010 05:04 PM
Yes, you are correct.
It will match the more specific first, and if it doesn't match that particular static line, it will go down the list.
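As an added illustration (not code from the thread or from Cisco), the following is a small model of how the pre-8.3 ASA walks its static NAT statements top-down and stops at the first match. It reproduces the two orderings discussed above, plus the variant Jennifer asked about in which the first static is also tied to OLD_VPN_192.168.10.20; the statics and ACLs are assumed from the commands posted in the thread, and the flow tuples are constructed test input.

```python
import ipaddress

# Constructed model of pre-8.3 ASA static NAT evaluation (not Cisco code):
# statics are checked in configuration order and the first match wins.


def acl_matches(ace, proto, src, dst, dport):
    """One extended ACE: protocol, source host, destination network, optional port."""
    if ace["proto"] not in ("ip", proto):
        return False
    if ace["src"] != src:
        return False
    if ipaddress.ip_address(dst) not in ace["dst"]:
        return False
    return ace.get("port") in (None, dport)


def translate(statics, proto, src, dst, dport=None):
    """Return the mapped (dmz) address chosen for this flow, or None if no static matches."""
    for s in statics:
        if "acl" in s:  # policy static: match the referenced access-list
            if any(acl_matches(a, proto, src, dst, dport) for a in s["acl"]):
                return s["mapped"]
        elif s["real"] == src:  # regular static: matches all traffic from the real host
            return s["mapped"]
    return None


# ACLs as posted: OLD_VPN is "permit ip host 192.168.10.20 10.10.10.10 255.255.255.240",
# NEW_VPN is "permit tcp host 192.168.10.20 20.20.20.20 eq 21".
OLD_VPN = [{"proto": "ip", "src": "192.168.10.20",
            "dst": ipaddress.ip_network("10.10.10.10/255.255.255.240", strict=False)}]
NEW_VPN = [{"proto": "tcp", "src": "192.168.10.20",
            "dst": ipaddress.ip_network("20.20.20.20/32"), "port": 21}]

REGULAR_STATIC = {"real": "192.168.10.20", "mapped": "10.51.2.10"}  # netmask 255.255.255.255
POLICY_STATIC_NEW = {"acl": NEW_VPN, "mapped": "10.51.2.50"}
POLICY_STATIC_OLD = {"acl": OLD_VPN, "mapped": "10.51.2.10"}          # Jennifer's variant

ORIGINAL_ORDER = [REGULAR_STATIC, POLICY_STATIC_NEW]     # as first posted
FIXED_ORDER = [POLICY_STATIC_NEW, REGULAR_STATIC]        # as suggested in the thread
BOTH_POLICY = [POLICY_STATIC_OLD, POLICY_STATIC_NEW]     # non-overlapping ACLs, order irrelevant

if __name__ == "__main__":
    for name, order in (("original", ORIGINAL_ORDER), ("fixed", FIXED_ORDER), ("both-policy", BOTH_POLICY)):
        print(name, "ftp->", translate(order, "tcp", "192.168.10.20", "20.20.20.20", 21),
              "vpn->", translate(order, "ip", "192.168.10.20", "10.10.10.10"))
```

Remember that the model only decides which static a new connection would hit; on the real box an existing translation keeps being used until "clear xlate" is run, which is why the thread insists on it.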