Policy Nat ASA 8.6(1)

Going from a PIX 515E to an ASA 5515 and trying to mirror the configuration.  I believe I have most of it correct, but this one issue persists that I'm trying to get resolved.  There are a number of VPN tunnels that terminate on the PIX, and on some of them the remote party has an overlapping subnet, so to remedy this the following configuration was used:

global (outside) 3 192.168.201.0
global (outside) 4 192.168.205.0

nat (inside) 4 access-list NAT1 0 0
nat (inside) 3 access-list NAT 0 0

access-list NAT permit ip 192.168.101.0 255.255.255.0 host 10.100.3.215
access-list NAT1 permit ip 192.168.105.0 255.255.255.0 host 10.100.3.215

This works fine.  On the ASA I tried using this:

object network obj-10.100.3.215
 host 10.100.3.215
object-group network obj-192.168.105.0_2
 network-object 192.168.105.0 255.255.255.0
object-group network obj-192.168.101.0_2
 network-object 192.168.101.0 255.255.255.0


nat (inside,outside) source dynamic obj-192.168.101.0_2 obj-192.168.201.0_3 destination static obj-10.100.3.215 obj-10.100.3.215
nat (inside,outside) source dynamic obj-192.168.105.0_2 obj-192.168.205.0_3 destination static obj-10.100.3.215 obj-10.100.3.215

That didn't work (the tunnel was up because I have a number of other subnets that were able to access the remote party, but not the 2 that need to be nat'd).  I cleared this and tried it again with the following:

object network obj-10.100.3.215
 host 10.100.3.215

object-group network obj-192.168.205.0_2
 network-object 192.168.205.0 255.255.255.0
object-group network obj-192.168.201.0_2
 network-object 192.168.201.0 255.255.255.0
object-group network obj-192.168.105.0_2
 network-object 192.168.105.0 255.255.255.0
object-group network obj-192.168.101.0_2
 network-object 192.168.101.0 255.255.255.0

nat (inside,outside) source static obj-192.168.101.0_2 obj-192.168.105.0_2 destination static obj-10.100.3.215 obj-10.100.3.215
nat (inside,outside) source static obj-192.168.105.0_2 obj-192.168.205.0_2 destination static obj-10.100.3.215 obj-10.100.3.215

If I do a packet-tracer trace, it appears to NAT properly to a 205.x address, but when I actually attempt it from the PC it fails.  Is the syntax correct?  I asked for a traceroute from the PC at the time it failed, but it wasn't provided.
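Before trusting packet-tracer, it helps to lint the twice-NAT statements against the objects actually defined. The following script is an added example (not the poster's configuration or any Cisco tool); it parses an ASA 8.3+ config excerpt into objects and `nat (real,mapped) source ... destination ...` rules, then reports names no object defines and any mapped source object that is itself the real source of another rule, which is the overlap the two rules above were meant to avoid. The sample config is constructed from the second attempt in the post.

```python
import re
# Constructed sample: the poster's second ASA attempt, with its object definitions.
ASA_CONFIG = """\
object network obj-10.100.3.215
 host 10.100.3.215
object-group network obj-192.168.205.0_2
 network-object 192.168.205.0 255.255.255.0
object-group network obj-192.168.201.0_2
 network-object 192.168.201.0 255.255.255.0
object-group network obj-192.168.105.0_2
 network-object 192.168.105.0 255.255.255.0
object-group network obj-192.168.101.0_2
 network-object 192.168.101.0 255.255.255.0
nat (inside,outside) source static obj-192.168.101.0_2 obj-192.168.105.0_2 destination static obj-10.100.3.215 obj-10.100.3.215
nat (inside,outside) source static obj-192.168.105.0_2 obj-192.168.205.0_2 destination static obj-10.100.3.215 obj-10.100.3.215
"""

OBJ_RE = re.compile(r"^(?:object|object-group) network (\S+)$")
NAT_RE = re.compile(r"^nat \((\S+?),(\S+?)\) source (static|dynamic) (\S+) (\S+)"
                    r"(?: destination static (\S+) (\S+))?")
FIELDS = ("real_if", "mapped_if", "mode", "src_real", "src_mapped", "dst_real", "dst_mapped")

def parse_asa_nat(config):
    """Return ({object name: [member lines]}, [twice-NAT rule dicts])."""
    objects, rules, current = {}, [], None
    for line in config.splitlines():
        if not line.strip():
            continue
        if line[0].isspace() and current:      # indented member of the open object
            objects[current].append(line.strip())
            continue
        current = None
        if m := OBJ_RE.match(line):
            current = m.group(1)
            objects.setdefault(current, [])
        elif m := NAT_RE.match(line):
            rules.append(dict(zip(FIELDS, m.groups())))
    return objects, rules

def lint_nat(objects, rules):
    """Flag undefined object names and a mapped source that is another rule's real source."""
    findings = []
    real_sources = {r["src_real"] for r in rules}
    for i, r in enumerate(rules, 1):
        for name in (r["src_real"], r["src_mapped"], r["dst_real"], r["dst_mapped"]):
            if name and name not in objects:
                findings.append(f"rule {i}: object {name} is not defined")
        if r["src_mapped"] in real_sources:
            findings.append(f"rule {i}: mapped source {r['src_mapped']} is the real source of another rule")
    return findings
```

Run against the first attempt, the same linter reports the obj-192.168.201.0_3 and obj-192.168.205.0_3 names as undefined, since no object statement for them appears in that excerpt.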

1 REPLY
I am trying to replace an asa

I am trying to replace an ASA 5510 with an ASA 5515-X.  When I try the same nat command as listed above I get this message:

"ERROR: This syntax of nat command has been deprecated."

Is there an alternative to nat to an access-list?

Thanks.
