Policy NAT on 5520

KSVY_KSVY_2
Level 1

Trying to build a policy NAT for internal source network 172.30.243.0/24 to be NATed to 10.249.44.0/24 when attempting to access the destination external 10.102.1.0/24 network. packet-tracer shows 172.30.243.0 hosts getting NATed to a different global NAT policy ID. I did verify that the internal and NATed networks are not being used in other policy-NAT policies:

access-list mobile extended permit icmp 172.30.243.0 255.255.255.0 10.2.1.0 255.255.255.0

nat (inside) 8 access-list mobile

global (outside) 8 10.249.44.1 netmask 255.255.255.0

route outside 10.249.44.0 255.255.255.0 10.249.0.17

Any suggestions? Thank you.

1 Accepted Solution

Hello,

Thanks for posting. NAT order of operation should take global 8 if the nonat access list does not have the specified source. Now, can you try to do a ping from 172.30.243.69 going to 10.102.0.1?

Gather the show xlate debug | inc 172.30.243.69 and also the logs?

Mike

5 Replies

Maykol Rojas
Cisco Employee

Hello Kevin,

Can you run the packet tracer and also do a show xlate and paste it over here?

Thanks!

Mike

The intended policy NAT is used in phase 7, but then it goes to a different policy NAT. Is the problem with the "top down" order of the NAT policy process IDs?

global (outside) 1 10.249.0.2
global (outside) 2 10.235.32.1
global (outside) 3 10.252.2.240
global (outside) 6 10.252.3.240
global (outside) 4 10.249.10.64
global (outside) 7 10.249.10.128 netmask 255.255.255.224
global (outside) 8 10.249.43.1
global (xdmz) 1 10.249.254.3
global (xxdmz) 1 192.168.112.3
nat (inside) 0 access-list pnet_nonat
nat (inside) 6 access-list DIGEX_LOADBALANCED_destinations
nat (inside) 3 access-list DIGEXdestinations
nat (inside) 2 access-list xxxxx
nat (inside) 4 access-list nga-nat
nat (inside) 7 access-list nga-nat2
nat (inside) 8 access-list att_mobile
nat (inside) 1 0.0.0.0 0.0.0.0


Mike,

The packet-tracer report basically showed its "top down" process. The way I configured the firewall was correct; the issue was with the further downstream VPN IPsec router's interesting-traffic ACL. But thanks for the help.

August Ritchie
Level 1

I noticed that your access-list looks a bit off:

access-list mobile extended permit icmp 172.30.243.0 255.255.255.0 10.2.1.0 255.255.255.0

I believe it should be:

access-list mobile extended permit ip 172.30.243.0 255.255.255.0 10.102.1.0 255.255.255.0

To reflect the 102.
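To make the two points in this thread concrete (the "top down" order of operations asked about above, and the access-list mismatch pointed out in the last reply), here is a small Python model of how an ASA running 8.2 or earlier picks an outbound translation. It is an added illustration written for this thread, not Cisco code: it models NAT exemption (nat 0 access-list), then policy dynamic NAT in configuration order with first match, then regular dynamic NAT with best match on the source, and leaves static NAT/PAT out. The global pools and the nat 8 access-list are taken from the posts; the contents of the pnet_nonat list are not in the thread, so the entry used for it is constructed.

```python
# Added illustration of the pre-8.3 ASA outbound NAT selection order.
# This is a model written for this thread, not ASA code; static NAT/PAT
# (which sit between exemption and policy dynamic NAT) are not modelled.
import ipaddress


def net(cidr):
    """Parse '10.102.1.0/24' (or a host address) into an IPv4Network."""
    return ipaddress.ip_network(cidr, strict=False)


class Ace:
    """One extended access-list entry: protocol, source net, destination net."""

    def __init__(self, proto, src, dst):
        self.proto, self.src, self.dst = proto, net(src), net(dst)

    def matches(self, proto, src_ip, dst_ip):
        # 'ip' matches every protocol; 'icmp' matches only icmp, and so on.
        proto_ok = self.proto == "ip" or self.proto == proto
        return (proto_ok
                and ipaddress.ip_address(src_ip) in self.src
                and ipaddress.ip_address(dst_ip) in self.dst)


class NatRule:
    """nat (inside) <id> access-list <acl>  -> policy NAT (acl non-empty)
       nat (inside) <id> <net> <mask>       -> regular dynamic NAT (src set)"""

    def __init__(self, nat_id, acl=None, src=None):
        self.nat_id = nat_id
        self.acl = acl or []
        self.src = net(src) if src else None


def select_nat(rules, globals_, proto, src_ip, dst_ip):
    """Return (nat_id, global_pool) chosen for one outbound flow.

    Order of operations as documented for ASA 8.2 and earlier:
      1. nat 0 access-list (exemption), first match -> (0, None)
      2. policy dynamic NAT, first match in configuration order
      3. regular dynamic NAT, best (longest-prefix) match on the source
    """
    def acl_hit(rule):
        return any(a.matches(proto, src_ip, dst_ip) for a in rule.acl)

    for r in rules:                       # 1. exemption
        if r.nat_id == 0 and acl_hit(r):
            return (0, None)
    for r in rules:                       # 2. policy dynamic NAT
        if r.nat_id != 0 and r.acl and acl_hit(r):
            return (r.nat_id, globals_[r.nat_id])
    best = None                           # 3. regular dynamic NAT
    for r in rules:
        if r.nat_id != 0 and not r.acl and ipaddress.ip_address(src_ip) in r.src:
            if best is None or r.src.prefixlen > best.src.prefixlen:
                best = r
    return (best.nat_id, globals_[best.nat_id]) if best else (None, None)


# Global pools as posted in the thread (only the two IDs this scenario touches).
GLOBALS = {1: "10.249.0.2", 8: "10.249.44.1"}


def build_rules(mobile_acl):
    """Configuration order from the thread: nat 0, ..., nat 8, then the catch-all nat 1.
    The pnet_nonat ACL content is not in the thread; the entry below is constructed."""
    return [
        NatRule(0, acl=[Ace("ip", "172.30.243.0/24", "192.168.50.0/24")]),  # constructed nonat entry
        NatRule(8, acl=mobile_acl),                                        # nat (inside) 8 access-list mobile
        NatRule(1, src="0.0.0.0/0"),                                       # nat (inside) 1 0.0.0.0 0.0.0.0
    ]


# ACL exactly as posted: icmp only, and destination 10.2.1.0 rather than 10.102.1.0.
ACL_AS_POSTED = [Ace("icmp", "172.30.243.0/24", "10.2.1.0/24")]
# ACL as suggested in the last reply.
ACL_CORRECTED = [Ace("ip", "172.30.243.0/24", "10.102.1.0/24")]


def nat_for_ping_as_posted():
    return select_nat(build_rules(ACL_AS_POSTED), GLOBALS, "icmp", "172.30.243.69", "10.102.1.5")


def nat_for_ping_corrected():
    return select_nat(build_rules(ACL_CORRECTED), GLOBALS, "icmp", "172.30.243.69", "10.102.1.5")


def nat_for_tcp_to_old_destination():
    # Even toward 10.2.1.x, the posted ACL permits icmp only, so TCP falls through to nat 1.
    return select_nat(build_rules(ACL_AS_POSTED), GLOBALS, "tcp", "172.30.243.69", "10.2.1.5")


if __name__ == "__main__":
    print("ping, ACL as posted :", nat_for_ping_as_posted())          # (1, '10.249.0.2')
    print("ping, ACL corrected :", nat_for_ping_corrected())          # (8, '10.249.44.1')
    print("tcp to 10.2.1.5     :", nat_for_tcp_to_old_destination())  # (1, '10.249.0.2')
```

With the access-list as posted, a ping from 172.30.243.69 to a 10.102.1.x host never matches nat 8 (wrong destination network), so the flow drops through to the catch-all nat (inside) 1 and is translated by global 1, which is the "different global NAT policy ID" packet-tracer reports. With the corrected list the same flow lands on nat 8 and global 8. The model also shows why "icmp" in the ACL is narrower than intended: any non-ICMP traffic to the policy destination takes the same fall-through path.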
