05-30-2008 12:51 AM - edited 03-11-2019 05:52 AM
Hi all,
We are having a problem with exempt-NATting using an ASA 5520.
The top rule in my NAT table was as follows:
access-list MPLSv_nat0_outbound line 1 extended permit ip object-group Vanco-remote object-group Vanco
That group is configured as follows:
object-group network Vanco
network-object 192.168.0.0 255.255.0.0
group-object Vanco-remote
!
object-group network Vanco-remote
network-object BE01-Vanco 255.255.255.0
network-object BE10 255.255.255.0
network-object BE10-Aastra 255.255.255.0
group-object BE-Peltracom
network-object BE11 255.255.255.0
group-object Hotcuisine-Vanco
network-object BG01 255.255.192.0
network-object PL01 255.255.192.0
network-object 10.7.0.0 255.255.192.0
!
object-group network Hotcuisine-Vanco
network-object US01 255.255.252.0
network-object BE06 255.255.255.0
network-object BE06-Aastra 255.255.255.0
network-object BE05 255.255.255.0
network-object BE05-Aastra 255.255.255.0
network-object 192.169.223.0 255.255.255.0
!
object-group network Hotcuisine
network-object 192.168.60.0 255.255.255.0
group-object Hotcuisine-Vanco
So, group nesting is as follows:
Vanco -> Vanco-remote -> Hotcuisine-Vanco
So, while the natting rule
access-list MPLSv_nat0_outbound line 1 extended permit ip object-group Vanco-remote object-group Vanco
DOES NOT work, the following two lines DO work:
access-list MPLSv_nat0_outbound line 1 extended permit ip object-group Vanco-remote 192.168.0.0 255.255.0.0
access-list MPLSv_nat0_outbound line 2 extended permit ip object-group Vanco-remote object-group Vanco-remote
While group Vanco includes both 192.168.0.0 255.255.0.0 and object-group Vanco-remote.
Does anybody know an answer to this problem? Does NAT allow only 1 level of nesting?
Thanks.
06-05-2008 07:21 AM
Recheck your group configuration. Use this Troubleshoot and Alerts (in Network Address Translation (NAT)) document.
http://www.cisco.com/en/US/tech/tk648/tk361/tk438/tsd_technology_support_sub-protocol_home.html