10-25-2010 02:46 PM - edited 03-11-2019 12:00 PM
Trying to build a policy NAT for internal source network 172.30.243.0/24 to be NAT'ed to 10.249.44.0/24 when attempting to access destination external 10.102.1.0/24 networks. packet-tracer shows 172.30.243.0 hosts getting NAT'ed to a different global NAT policy ID. I did verify that the internal and NAT'ed networks are not being used in other policy NAT policies:
access-list mobile extended permit icmp 172.30.243.0 255.255.255.0 10.2.1.0 255.255.255.0
nat (inside) 8 access-list mobile
global (outside) 8 10.249.44.1 netmask 255.255.255.0
route outside 10.249.44.0 255.255.255.0 10.249.0.17
Any suggestions? Thank you.
10-26-2010 10:41 AM
Hello,
Thanks for posting. NAT order of operation should take global 8 if the nonat access list does not contain the specified source. Now, can you try to ping from 172.30.243.69 to 10.102.0.1?
Gather the output of show xlate debug | inc 172.30.243.69 and also the logs?
Mike
10-25-2010 03:02 PM
Hello Kevin,
Can you run the packet tracer and also do a show xlate and paste it over here?
Thanks!
Mike
10-26-2010 09:57 AM
The intended policy NAT is used in phase 7, but then it goes to a different policy NAT. Is the problem with the "top down" order of the NAT policy process IDs?
global (outside) 1 10.249.0.2
global (outside) 2 10.235.32.1
global (outside) 3 10.252.2.240
global (outside) 6 10.252.3.240
global (outside) 4 10.249.10.64
global (outside) 7 10.249.10.128 netmask 255.255.255.224
global (outside) 8 10.249.43.1
global (xdmz) 1 10.249.254.3
global (xxdmz) 1 192.168.112.3
nat (inside) 0 access-list pnet_nonat
nat (inside) 6 access-list DIGEX_LOADBALANCED_destinations
nat (inside) 3 access-list DIGEXdestinations
nat (inside) 2 access-list xxxxx
nat (inside) 4 access-list nga-nat
nat (inside) 7 access-list nga-nat2
nat (inside) 8 access-list att_mobile
nat (inside) 1 0.0.0.0 0.0.0.0
11-10-2010 08:58 AM
Mike,
The packet-tracer report basically showed its "top down" process. The way I configured the firewall was correct.... the issue was with a further-downstream VPN IPsec router's interesting-traffic ACL. But thanks for the help.
10-25-2010 03:03 PM
I noticed that your access-list looks a bit off:
access-list mobile extended permit icmp 172.30.243.0 255.255.255.0 10.2.1.0 255.255.255.0
I believe it should be
access-list mobile extended permit ip 172.30.243.0 255.255.255.0 10.102.1.0 255.255.255.0
To reflect the 102.
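The following is an added example, not code from this thread or from Cisco, that models the pre-8.3 ASA dynamic NAT selection order the posts above are arguing about: a nat 0 exemption ACL is consulted first, then policy NAT statements (nat with access-list) in the order they appear in the configuration (the numeric ID is only the key into the matching global pool, not a priority), and finally regular dynamic NAT. It parses a reduced copy of the posted config and shows how the ACL typo (10.2.1.0 instead of 10.102.1.0, icmp instead of ip) makes a flow from 172.30.243.69 fall through to global 1 instead of global 8. Assumptions: a single outside interface, static NAT/PAT omitted, and a constructed pnet_nonat entry (192.168.50.0/24), since the thread does not show that ACL's contents.

```python
"""Toy model of pre-8.3 ASA dynamic NAT rule selection (constructed example)."""
import ipaddress

IPv4Network = ipaddress.IPv4Network


def _net(addr, mask):
    """Build a network from ASA-style 'address mask' notation."""
    return IPv4Network(f"{addr}/{mask}", strict=False)


def parse_config(text):
    """Parse access-list / nat / global lines into a small rule table.

    Only the subset of syntax used in the thread is understood:
      access-list NAME extended permit PROTO SRC MASK DST MASK
      nat (IF) ID access-list NAME      (policy NAT; exemption when ID is 0)
      nat (IF) ID SRC MASK              (regular dynamic NAT)
      global (IF) ID ADDR [netmask M]   (single outside interface assumed)
    nat statements are kept in configuration order, which is what the
    ASA uses when several policy NAT ACLs could match the same flow.
    """
    acls, nats, globals_ = {}, [], {}
    for raw in text.splitlines():
        t = raw.split()
        if not t:
            continue
        if t[0] == "access-list" and t[2:4] == ["extended", "permit"]:
            acls.setdefault(t[1], []).append((t[4], _net(t[5], t[6]), _net(t[7], t[8])))
        elif t[0] == "nat":
            nat_id = int(t[2])
            if t[3] == "access-list":
                nats.append({"id": nat_id, "acl": t[4], "src": None})
            else:
                nats.append({"id": nat_id, "acl": None, "src": _net(t[3], t[4])})
        elif t[0] == "global":
            globals_[int(t[2])] = t[3]
    return acls, nats, globals_


def _acl_matches(aces, proto, src, dst):
    """An ACE matches when protocol is 'ip' or equal, and src/dst fall in its networks."""
    return any((p == "ip" or p == proto) and src in s and dst in d for p, s, d in aces)


def select_nat(config, proto, src_ip, dst_ip):
    """Return (nat_id, global_address) for the rule a flow hits, or ("exempt", None).

    Evaluation order modelled: nat 0 exemption, then policy NAT in config
    order, then regular dynamic NAT. (None, None) means no rule matched.
    """
    acls, nats, globals_ = config
    src, dst = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    for r in nats:  # 1. NAT exemption
        if r["id"] == 0 and _acl_matches(acls.get(r["acl"], []), proto, src, dst):
            return ("exempt", None)
    for r in nats:  # 2. policy NAT, configuration order
        if r["id"] != 0 and r["acl"] and _acl_matches(acls.get(r["acl"], []), proto, src, dst):
            return (r["id"], globals_.get(r["id"]))
    for r in nats:  # 3. regular dynamic NAT
        if r["acl"] is None and src in r["src"]:
            return (r["id"], globals_.get(r["id"]))
    return (None, None)


# Reduced copy of the posted config; the pnet_nonat entry is constructed.
POSTED_CONFIG = """
access-list pnet_nonat extended permit ip 172.30.0.0 255.255.0.0 192.168.50.0 255.255.255.0
access-list mobile extended permit icmp 172.30.243.0 255.255.255.0 10.2.1.0 255.255.255.0
nat (inside) 0 access-list pnet_nonat
nat (inside) 8 access-list mobile
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 10.249.0.2
global (outside) 8 10.249.44.1 netmask 255.255.255.0
"""

# Same config with the ACL corrected as suggested in the thread.
FIXED_CONFIG = POSTED_CONFIG.replace(
    "permit icmp 172.30.243.0 255.255.255.0 10.2.1.0",
    "permit ip 172.30.243.0 255.255.255.0 10.102.1.0",
)

if __name__ == "__main__":
    flow = ("icmp", "172.30.243.69", "10.102.1.10")
    print("posted:", select_nat(parse_config(POSTED_CONFIG), *flow))  # falls to global 1
    print("fixed: ", select_nat(parse_config(FIXED_CONFIG), *flow))   # hits global 8
```

Running it reproduces the packet-tracer symptom: with the typo'd ACL the 172.30.243.69 flow to 10.102.1.10 matches no policy NAT and lands on the catch-all nat (inside) 1, so it is translated to 10.249.0.2; with the corrected ACL it hits nat 8 and 10.249.44.1. The exemption check also shows why Mike asked about the nonat ACL first: a source covered there never reaches the policy NAT stage.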