Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
860
Views
0
Helpful
2
Replies

Twice NAT not working

Go to solution
Tarik Admani
VIP Alumni
VIP Alumni

‎08-23-2012 03:40 PM - edited ‎03-11-2019 04:45 PM

Hi,

Our NOC is trying to configure a site to site tunnel to one of our customers. The tunnel is up and operational, however we can't get our NAT rules to match what we want.

We are running ASA version 8.4(3)

The traffic is sourced from 172.16.1.50 (inside1) and destined to192.168.2.9 (outside), the nat configuration is posted below:

NOC-ASA5510-01# show run nat

nat (inside1,inside2) source static ng-noc-networks ng-noc-networks destination static ng-inside2-networks ng-inside2-networks

nat (inside1,outside) source static test test-EXT destination static otherside otherside

object network obj_any

nat (inside1,outside) dynamic interface dns

object network servers-noc

nat (inside1,outside) static 192.168.1.68

Here is the output from the show nat detailed:

NOC-ASA5510-01# show nat detail

Manual NAT Policies (Section 1)

I left off entry 1 but it doesnt have any translated hits either


2 (inside1) to (outside) source static test test-EXT   destination static otherside otherside

    translate_hits = 0, untranslate_hits = 624

    Source - Origin: 172.16.1.50/32, Translated: 192.168.1.67/32

    Destination - Origin:192.168.2.9/32, Translated:192.168.2.9/32

Auto NAT Policies (Section 2)

1 (inside1) to (outside) source static servers-noc 192.168.1.68 

    translate_hits = 0, untranslate_hits = 187

    Source - Origin: 172.16.1.101/32, Translated: 192.168.1.68/32

2 (inside1) to (outside) source dynamic obj_any interface   dns

    translate_hits = 58417, untranslate_hits = 1511

    Source - Origin: 0.0.0.0/0, Translated: 192.168.1.66/29

Here are the network objects:

object network test

host 172.16.1.50

object network test-EXT

host 192.168.1.67

object network otherside

host 192.168.2.9

Here is the vpn configuration:

crypto map outside_map 1 match address tunnelcrypto

crypto map outside_map 1 set peer 192.168.3.4

crypto map outside_map 1 set ikev1 transform-set ESP-AES-256-SHA

access-list tunnelcrypto extended permit ip host 192.168.1.67 host 192.168.2.9

access-list tunnelcrypto extended permit ip host192.168.2.9 host 192.168.1.67

When we run packet capture using icmp code 8 type 0 (echo request) it matches an object nat statement and not the twice nat.

NOC-ASA5510-01# packet-tracer input inside1 icmp 172.16.1.50 8 0 192.168.2.9 detailed

Phase: 6

Type: NAT

Subtype:

Result: ALLOW

Config:

object network obj_any

nat (inside1,outside) dynamic interface dns

Additional Information:

Dynamic translate 172.16.1.50/10 to 192.168.1.66/10

Thanks,

Tarik Admani

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Julio Carvajal
VIP Alumni
VIP Alumni

‎08-23-2012 08:33 PM

   Hello Tarik,

Just to clean the config:

On the crypto ACL you do not need to set the returning traffic

"access-list tunnelcrypto extended permit ip host192.168.2.9 host 192.168.1.67"

Now regarding the NAT problem would you mind to do the following:

object network obj_any

No nat (inside1,outside) dynamic interface dns

Then create an object for the internal subnet

object network Internal_Subnet

subnet x.x.x.x x.x.x.x.x

nat (inside,outside) source dynamic Internal_Subnet interface

Do a clear xlate and finally try the packet tracer and provide me the output please

Regards!

Julio

Remember to rate all the helpful posts

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

View solution in original post

0 Helpful
2 Replies 2

Go to solution
Julio Carvajal
VIP Alumni
VIP Alumni

‎08-23-2012 08:33 PM

   Hello Tarik,

Just to clean the config:

On the crypto ACL you do not need to set the returning traffic

"access-list tunnelcrypto extended permit ip host192.168.2.9 host 192.168.1.67"

Now regarding the NAT problem would you mind to do the following:

object network obj_any

No nat (inside1,outside) dynamic interface dns

Then create an object for the internal subnet

object network Internal_Subnet

subnet x.x.x.x x.x.x.x.x

nat (inside,outside) source dynamic Internal_Subnet interface

Do a clear xlate and finally try the packet tracer and provide me the output please

Regards!

Julio

Remember to rate all the helpful posts

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
0 Helpful

Go to solution
Tarik Admani
VIP Alumni
VIP Alumni
In response to Julio Carvajal

‎08-24-2012 10:31 AM

Thanks Julio that did the trick!

Tarik Admani
*Please rate helpful posts*

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card