Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
New Member

Policy NAT on 5520

trying to build a Policy NAT for internal source nework 172.30.243.0/24 to be NAT'ed 10.249.44.0/24 when attempting to access destination external 10.102.1.0/24 networks.  packet-tracer shows 172.30.243.0 hosts getting NAT'ed to different global-NAT policy ID. I did verify that internal and NAT'ed networks are not being used in other policy-NAT policies:

access-list mobile extended permit icmp 172.30.243.0 255.255.255.0 10.2.1.0 255.255.255.0

nat (inside) 8 access-list mobile

global (outside) 8 10.249.44.1 netmask 255.255.255.0

route outside 10.249.44.0 255.255.255.0 10.249.0.17

any suggestions, thank you

1 ACCEPTED SOLUTION

Accepted Solutions
Cisco Employee

Re: Policy NAT on 5520

Hello,

Thanks for posting,Nat order of operation should take the global 8 if the access list nonat does not have the specified source. Now, can you try to do ping from 172.30.243.69 going to 10.102.0.1?

Gather the show xlate debug | inc 172.30.243.69 and also the logs?

Mike

Mike
5 REPLIES
Cisco Employee

Re: Policy NAT on 5520

Hello Kevin,

Can you run the packet tracer and also do a show xlate and paste it over here?

Thanks!

Mike

Mike
New Member

Re: Policy NAT on 5520

the intended policy NAT is used in phase 7, but then goes to a different policy NAT. Is the problem with the "top down" order of the nat policy process ids?

global (outside) 1 10.249.0.2
global (outside) 2 10.235.32.1
global (outside) 3 10.252.2.240
global (outside) 6 10.252.3.240
global (outside) 4 10.249.10.64
global (outside) 7 10.249.10.128 netmask 255.255.255.224
global (outside) 8 10.249.43.1
global (xdmz) 1 10.249.254.3
global (xxdmz) 1 192.168.112.3
nat (inside) 0 access-list pnet_nonat
nat (inside) 6 access-list DIGEX_LOADBALANCED_destinations
nat (inside) 3 access-list DIGEXdestinations
nat (inside) 2 access-list xxxxx
nat (inside) 4 access-list nga-nat
nat (inside) 7 access-list nga-nat2
nat (inside) 8 access-list att_mobile
nat (inside) 1 0.0.0.0 0.0.0.0

Cisco Employee

Re: Policy NAT on 5520

Hello,

Thanks for posting,Nat order of operation should take the global 8 if the access list nonat does not have the specified source. Now, can you try to do ping from 172.30.243.69 going to 10.102.0.1?

Gather the show xlate debug | inc 172.30.243.69 and also the logs?

Mike

Mike
New Member

Re: Policy NAT on 5520

mike,

the packet-tracer report basically showed its "top down" process.  The way I configured the firewall was correct.... issue was with further downstream VPN IPSec router's interesting traffic ACL.  But thanks for the help.

New Member

Re: Policy NAT on 5520

I noticed that your access-list looks a bit off

access-list mobile extended permit icmp 172.30.243.0 255.255.255.0 10.2.1.0 255.255.255.0

I believe it should be

access-list mobile extended permit ip 172.30.243.0 255.255.255.0 10.102.1.0 255.255.255.0

To reflect the 102.

221
Views
5
Helpful
5
Replies
CreatePlease to create content