Policy NAT on 5520

KSVY_KSVY_2
Level 1

Trying to build a Policy NAT for internal source network 172.30.243.0/24 to be NAT'ed to 10.249.44.0/24 when attempting to access the destination external 10.102.1.0/24 network. packet-tracer shows 172.30.243.0 hosts getting NAT'ed to a different global-NAT policy ID. I did verify that the internal and NAT'ed networks are not being used in other policy-NAT policies:

access-list mobile extended permit icmp 172.30.243.0 255.255.255.0 10.2.1.0 255.255.255.0

nat (inside) 8 access-list mobile

global (outside) 8 10.249.44.1 netmask 255.255.255.0

route outside 10.249.44.0 255.255.255.0 10.249.0.17

Any suggestions? Thank you.

Accepted Solution

Hello,

Thanks for posting. NAT order of operation should take the global 8 if the access-list nonat does not have the specified source. Now, can you try to ping from 172.30.243.69 to 10.102.0.1?

Gather the show xlate debug | inc 172.30.243.69 and also the logs?

Mike

5 Replies

Maykol Rojas
Cisco Employee

Hello Kevin,

Can you run the packet tracer and also do a show xlate and paste it over here?

Thanks!

Mike

The intended policy NAT is used in phase 7, but then it goes to a different policy NAT. Is the problem with the "top down" order of the NAT policy process IDs?

global (outside) 1 10.249.0.2
global (outside) 2 10.235.32.1
global (outside) 3 10.252.2.240
global (outside) 6 10.252.3.240
global (outside) 4 10.249.10.64
global (outside) 7 10.249.10.128 netmask 255.255.255.224
global (outside) 8 10.249.43.1
global (xdmz) 1 10.249.254.3
global (xxdmz) 1 192.168.112.3
nat (inside) 0 access-list pnet_nonat
nat (inside) 6 access-list DIGEX_LOADBALANCED_destinations
nat (inside) 3 access-list DIGEXdestinations
nat (inside) 2 access-list xxxxx
nat (inside) 4 access-list nga-nat
nat (inside) 7 access-list nga-nat2
nat (inside) 8 access-list att_mobile
nat (inside) 1 0.0.0.0 0.0.0.0


Mike,

The packet-tracer report basically showed its "top down" process. The way I configured the firewall was correct; the issue was with a further-downstream VPN IPsec router's interesting-traffic ACL. But thanks for the help.

August Ritchie
Level 1

I noticed that your access-list looks a bit off:

access-list mobile extended permit icmp 172.30.243.0 255.255.255.0 10.2.1.0 255.255.255.0

I believe it should be

access-list mobile extended permit ip 172.30.243.0 255.255.255.0 10.102.1.0 255.255.255.0

To reflect the 102.
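The two points raised in this thread (the original question of which nat/global pair a flow lands on, and the access-list mismatch noted just above) can be checked offline with a small model of the pre-8.3 ASA NAT selection order. The script below is an added example, not code from the thread or from Cisco; it assumes a simplified order (NAT exemption via nat 0 access-list, then policy NAT in configuration order, then regular NAT by most specific source network, with static NAT left out), reuses the config lines quoted in the thread as a constructed sample, treats the unseen pnet_nonat ACL as empty, and uses a constructed destination host 10.102.1.10 inside the 10.102.1.0/24 network from the question.

```python
"""Toy model of the pre-8.3 ASA NAT selection order, used to check which
nat/global pair a given inside->outside flow would hit.

Assumed order (simplified): NAT exemption (nat 0 access-list) first, then
policy NAT (nat <id> access-list) in configuration order, then regular NAT
(nat <id> <network> <mask>) by most specific source network.  Static NAT
is not modelled."""
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

IPv4Network = ipaddress.IPv4Network

ACL_RE = re.compile(r"^access-list (\S+) extended permit (\S+) (\S+) (\S+) (\S+) (\S+)$")
NAT_ACL_RE = re.compile(r"^nat \((\S+)\) (\d+) access-list (\S+)$")
NAT_NET_RE = re.compile(r"^nat \((\S+)\) (\d+) (\S+) (\S+)$")
GLOBAL_RE = re.compile(r"^global \((\S+)\) (\d+) (\S+)(?: netmask (\S+))?$")

# Constructed sample config, assembled from lines quoted in the thread.
# The pnet_nonat ACL itself is not shown on the page, so it has no entries
# here and exempts nothing.
ORIGINAL_ACL = "access-list mobile extended permit icmp 172.30.243.0 255.255.255.0 10.2.1.0 255.255.255.0"
CORRECTED_ACL = "access-list mobile extended permit ip 172.30.243.0 255.255.255.0 10.102.1.0 255.255.255.0"
SAMPLE_CONFIG = f"""
{ORIGINAL_ACL}
nat (inside) 0 access-list pnet_nonat
nat (inside) 8 access-list mobile
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 10.249.0.2
global (outside) 8 10.249.44.1 netmask 255.255.255.0
"""


def _net(addr: str, mask: str) -> IPv4Network:
    """Build a network from a dotted address and dotted mask (ASA style)."""
    return IPv4Network(f"{addr}/{mask}", strict=False)


def parse_config(text: str) -> dict:
    """Parse the handful of ASA lines this model understands."""
    acls: Dict[str, List[Tuple[str, IPv4Network, IPv4Network]]] = {}
    nats: List[dict] = []
    pools: Dict[Tuple[str, int], IPv4Network] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if m := ACL_RE.match(line):
            name, proto, s, sm, d, dm = m.groups()
            acls.setdefault(name, []).append((proto, _net(s, sm), _net(d, dm)))
        elif m := NAT_ACL_RE.match(line):          # policy NAT / exemption
            iface, nid, acl = m.groups()
            nats.append({"iface": iface, "id": int(nid), "acl": acl})
        elif m := NAT_NET_RE.match(line):          # regular NAT
            iface, nid, addr, mask = m.groups()
            nats.append({"iface": iface, "id": int(nid), "net": _net(addr, mask)})
        elif m := GLOBAL_RE.match(line):
            iface, nid, addr, mask = m.groups()
            pools[(iface, int(nid))] = _net(addr, mask or "255.255.255.255")
    return {"acls": acls, "nats": nats, "pools": pools}


def acl_permits(entries, proto: str, src, dst) -> bool:
    """True if any ACE permits the flow ('ip' matches every protocol)."""
    return any(p in ("ip", proto) and src in snet and dst in dnet
               for p, snet, dnet in entries)


def select_nat(cfg: dict, in_if: str, out_if: str, src: str, dst: str, proto: str) -> Optional[dict]:
    """Return the nat id, kind and global pool a flow would use, or None."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    nats = [n for n in cfg["nats"] if n["iface"] == in_if]
    policy = [n for n in nats if "acl" in n]
    # 1. NAT exemption: nat 0 with an access-list; identity, no pool needed
    for n in policy:
        if n["id"] == 0 and acl_permits(cfg["acls"].get(n["acl"], []), proto, s, d):
            return {"nat_id": 0, "kind": "exempt", "pool": None}
    # 2. policy NAT: first matching access-list in configuration order
    for n in policy:
        if n["id"] > 0 and acl_permits(cfg["acls"].get(n["acl"], []), proto, s, d):
            pool = cfg["pools"].get((out_if, n["id"]))
            return {"nat_id": n["id"], "kind": "policy", "pool": str(pool) if pool else None}
    # 3. regular NAT: most specific source network wins
    regular = [n for n in nats if "net" in n and s in n["net"]]
    if regular:
        best = max(regular, key=lambda n: n["net"].prefixlen)
        pool = cfg["pools"].get((out_if, best["id"]))
        return {"nat_id": best["id"], "kind": "regular", "pool": str(pool) if pool else None}
    return None


def compare_acls() -> Tuple[Optional[dict], Optional[dict]]:
    """Classify one 172.30.243.0/24 -> 10.102.1.0/24 ping under both ACLs."""
    flow = ("inside", "outside", "172.30.243.69", "10.102.1.10", "icmp")  # constructed host pair
    before = select_nat(parse_config(SAMPLE_CONFIG), *flow)
    after = select_nat(parse_config(SAMPLE_CONFIG.replace(ORIGINAL_ACL, CORRECTED_ACL)), *flow)
    return before, after


if __name__ == "__main__":
    b, a = compare_acls()
    print("original ACL :", b)   # falls through to nat 1 / global 1
    print("corrected ACL:", a)   # hits nat 8 / global 8 pool
```

With the ACL as posted, an ICMP flow to 10.102.1.10 misses the mobile access-list (its destination is 10.2.1.0/24) and falls through to the catch-all nat (inside) 1, which is exactly the "different global-NAT policy ID" symptom described in the question; with the corrected line it lands on nat 8 and the 10.249.44.0/24 pool. Remember this is a model for reasoning about configuration, not a substitute for packet-tracer and show xlate on the device.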
