https://community.cisco.com/t5/network-security/asa-8-2-twice-nat-problem/m-p/2519975#M235232 <P>Hi,</P><P>&nbsp;</P><P>Can you post the complete output of the <STRONG>"packet-tracer"</STRONG> command and the actual command used.</P><P>&nbsp;</P><P>Do you mean that you want to use a NAT Pool in this case? If so you should have something like</P><P>&nbsp;</P><P><STRONG>global (INTERNAL) 2 10.100.43.1-10.100.43.253<BR />global (INTERNAL) 2 10.100.43.254</STRONG></P><P>&nbsp;</P><P>- Jouni</P> Wed, 27 Aug 2014 19:07:37 GMT Jouni Forss 2014-08-27T19:07:37Z https://community.cisco.com/t5/network-security/asa-8-2-twice-nat-problem/m-p/2519974#M235229 <P>I have a production scenario where I need to implement twice NAT in my ASA(8.2(5)). I cannot upgrade this Firewall as of now.</P><P>The Topology goes like this,</P><P>&nbsp;(172.16.0.0/12)<STRONG>SPOKE</STRONG>----&gt;(OUTSIDE)<STRONG>ASA</STRONG>(INTERNAL)----&gt;<STRONG>3rdPARTY FW</STRONG>(172.23.102.92)</P><P>&nbsp;</P><P>1. Requirement is, the Spoke Location users should access Webserver 172.23.102.92 via IP:172.25.1.42(This IP is advertised over WAN)</P><P>2. Now my 3rd Party wants to NAT my Source Traffic(172.16.0.0/12) to 10.100.43.0/24 and send it.</P><P>&nbsp;</P><P>I have done the following config and its not working.</P><P>================================</P><P>access-list SPOKE-NAT extended permit ip 172.16.0.0 255.240.0.0 ho 172.25.1.42</P><P>nat (OUTSIDE) 2 access-list SPOKE-NAT<BR />global (INTERNAL) 2 10.100.43.0 netmask 255.255.255.0</P><P>access-list P3NAT&nbsp;permit ip ho 172.23.102.92 10.100.43.0 255.255.255.0</P><P>static (INTERNAL,OUTSIDE) 172.25.1.42 access-list P3NAT</P><P>================================</P><P>Upon using Packet Tracer , it says "translating&nbsp;to dynamic pool 2 (no matching global)"</P><P>&nbsp;</P> Tue, 12 Mar 2019 04:41:09 GMT https://community.cisco.com/t5/network-security/asa-8-2-twice-nat-problem/m-p/2519974#M235229 Ramakrishnan R 2019-03-12T04:41:09Z https://community.cisco.com/t5/network-security/asa-8-2-twice-nat-problem/m-p/2519975#M235232 <P>Hi,</P><P>&nbsp;</P><P>Can you post the complete output of the <STRONG>"packet-tracer"</STRONG> command and the actual command used.</P><P>&nbsp;</P><P>Do you mean that you want to use a NAT Pool in this case? If so you should have something like</P><P>&nbsp;</P><P><STRONG>global (INTERNAL) 2 10.100.43.1-10.100.43.253<BR />global (INTERNAL) 2 10.100.43.254</STRONG></P><P>&nbsp;</P><P>- Jouni</P> Wed, 27 Aug 2014 19:07:37 GMT https://community.cisco.com/t5/network-security/asa-8-2-twice-nat-problem/m-p/2519975#M235232 Jouni Forss 2014-08-27T19:07:37Z https://community.cisco.com/t5/network-security/asa-8-2-twice-nat-problem/m-p/2519976#M235234 <P>Packet Trace Logs : packet-tracer input MPLS-ZONE tcp 172.22.1.1 80 172.25.1.42 80 det</P><P>Phase: 1<BR />Type: CAPTURE<BR />Subtype:<BR />Result: ALLOW<BR />Config:<BR />Additional Information:<BR />&nbsp;Forward Flow based lookup yields rule:<BR />&nbsp;in &nbsp;id=0x928ae750, priority=12, domain=capture, deny=false<BR />&nbsp; &nbsp; &nbsp; &nbsp; hits=7342021, user_data=0x92afd1f0, cs_id=0x0, l3_type=0x0<BR />&nbsp; &nbsp; &nbsp; &nbsp; src mac=0000.0000.0000, mask=0000.0000.0000<BR />&nbsp; &nbsp; &nbsp; &nbsp; dst mac=0000.0000.0000, mask=0000.0000.0000</P><P>Phase: 2<BR />Type: ACCESS-LIST<BR />Subtype:<BR />Result: ALLOW<BR />Config:<BR />Implicit Rule<BR />Additional Information:<BR />&nbsp;Forward Flow based lookup yields rule:<BR />&nbsp;in &nbsp;id=0x91cc2ba0, priority=1, domain=permit, deny=false<BR />&nbsp; &nbsp; &nbsp; &nbsp; hits=511378318, user_data=0x0, cs_id=0x0, l3_type=0x8<BR />&nbsp; &nbsp; &nbsp; &nbsp; src mac=0000.0000.0000, mask=0000.0000.0000<BR />&nbsp; &nbsp; &nbsp; &nbsp; dst mac=0000.0000.0000, mask=0100.0000.0000</P><P>Phase: 3<BR />Type: UN-NAT<BR />Subtype: static<BR />Result: ALLOW<BR />Config:<BR />static (INTERNAL,OUTSIDE) 172.25.1.42 &nbsp;access-list P3NAT<BR />&nbsp; match ip INTERNAL host 172.23.102.92 OUTSIDE 10.100.43.0 255.255.255.0<BR />&nbsp; &nbsp; static translation to 172.25.1.42<BR />&nbsp; &nbsp; translate_hits = 0, untranslate_hits = 25<BR />Additional Information:<BR />NAT divert to egress interface INTERNAL<BR />Untranslate 172.25.1.42/0 to 172.23.102.92/0 using netmask 255.255.255.255</P><P>Phase: 4<BR />Type: ACCESS-LIST<BR />Subtype: log<BR />Result: ALLOW<BR />Config:<BR />access-group OUTSIDE in interface OUTSIDE<BR />access-list OUTSIDE extended permit ip any any<BR />Additional Information:<BR />&nbsp;Forward Flow based lookup yields rule:<BR />&nbsp;in &nbsp;id=0x91edba68, priority=12, domain=permit, deny=false<BR />&nbsp; &nbsp; &nbsp; &nbsp; hits=28433851, user_data=0x8e9fc000, cs_id=0x0, flags=0x0, protocol=0<BR />&nbsp; &nbsp; &nbsp; &nbsp; src ip=0.0.0.0, mask=0.0.0.0, port=0<BR />&nbsp; &nbsp; &nbsp; &nbsp; dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0</P><P>Phase: 5<BR />Type: IP-OPTIONS<BR />Subtype:<BR />Result: ALLOW<BR />Config:<BR />Additional Information:<BR />&nbsp;Forward Flow based lookup yields rule:<BR />&nbsp;in &nbsp;id=0x91cc5018, priority=0, domain=inspect-ip-options, deny=true<BR />&nbsp; &nbsp; &nbsp; &nbsp; hits=58261256, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0<BR />&nbsp; &nbsp; &nbsp; &nbsp; src ip=0.0.0.0, mask=0.0.0.0, port=0<BR />&nbsp; &nbsp; &nbsp; &nbsp; dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0</P><P>Phase: 6<BR />Type: FOVER<BR />Subtype: standby-update<BR />Result: ALLOW<BR />Config:<BR />Additional Information:<BR />&nbsp;Forward Flow based lookup yields rule:<BR />&nbsp;in &nbsp;id=0x91cbbb48, priority=21, domain=lu, deny=true<BR />&nbsp; &nbsp; &nbsp; &nbsp; hits=4473467, user_data=0x0, cs_id=0x0, flags=0x0, protocol=6<BR />&nbsp; &nbsp; &nbsp; &nbsp; src ip=0.0.0.0, mask=0.0.0.0, port=0<BR />&nbsp; &nbsp; &nbsp; &nbsp; dst ip=0.0.0.0, mask=0.0.0.0, port=80, dscp=0x0</P><P>Phase: 7<BR />Type: NAT<BR />Subtype: host-limits<BR />Result: ALLOW<BR />Config:<BR />nat (OUTSIDE) 2 access-list SPOKE-NAT<BR />&nbsp; match ip OUTSIDE 172.16.0.0 255.240.0.0 OUTSIDE host 172.25.1.42<BR />&nbsp; &nbsp; dynamic translation to pool 2 (No matching global)<BR />&nbsp; &nbsp; translate_hits = 0, untranslate_hits = 0<BR />Additional Information:<BR />&nbsp;Forward Flow based lookup yields rule:<BR />&nbsp;in &nbsp;id=0x92cd1e08, priority=2, domain=host, deny=false<BR />&nbsp; &nbsp; &nbsp; &nbsp; hits=23362, user_data=0x926a5c18, cs_id=0x0, reverse, flags=0x0, protocol=0<BR />&nbsp; &nbsp; &nbsp; &nbsp; src ip=172.16.0.0, mask=255.240.0.0, port=0<BR />&nbsp; &nbsp; &nbsp; &nbsp; dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0</P><P>Phase: 8<BR />Type: NAT<BR />Subtype: host-limits<BR />Result: ALLOW<BR />Config:<BR />static (INTERNAL,OUTSIDE) 172.25.1.42 &nbsp;access-list P3NAT<BR />&nbsp; match ip INTERNAL host 172.23.102.92 OUTSIDE 10.100.43.0 255.255.255.0<BR />&nbsp; &nbsp; static translation to 172.25.1.42<BR />&nbsp; &nbsp; translate_hits = 0, untranslate_hits = 25<BR />Additional Information:<BR />&nbsp;Reverse Flow based lookup yields rule:<BR />&nbsp;in &nbsp;id=0x926b2b30, priority=5, domain=host, deny=false<BR />&nbsp; &nbsp; &nbsp; &nbsp; hits=41, user_data=0x92b01db0, cs_id=0x0, reverse, flags=0x0, protocol=0<BR />&nbsp; &nbsp; &nbsp; &nbsp; src ip=172.23.102.92, mask=255.255.255.255, port=0<BR />&nbsp; &nbsp; &nbsp; &nbsp; dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0</P><P>Phase: 9<BR />Type: IP-OPTIONS<BR />Subtype:<BR />Result: ALLOW<BR />Config:<BR />Additional Information:<BR />&nbsp;Reverse Flow based lookup yields rule:<BR />&nbsp;in &nbsp;id=0x929d89d0, priority=0, domain=inspect-ip-options, deny=true<BR />&nbsp; &nbsp; &nbsp; &nbsp; hits=2515, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0<BR />&nbsp; &nbsp; &nbsp; &nbsp; src ip=0.0.0.0, mask=0.0.0.0, port=0<BR />&nbsp; &nbsp; &nbsp; &nbsp; dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0</P><P>Phase: 10<BR />Type: FLOW-CREATION<BR />Subtype:<BR />Result: ALLOW<BR />Config:<BR />Additional Information:<BR />New flow created with id 94023450, packet dispatched to next module<BR />Module information for forward flow ...<BR />snp_fp_tracer_drop<BR />snp_fp_inspect_ip_options<BR />snp_fp_tcp_normalizer<BR />snp_fp_translate<BR />snp_fp_adjacency<BR />snp_fp_fragment<BR />snp_ifc_stat</P><P>Module information for reverse flow ...<BR />snp_fp_tracer_drop<BR />snp_fp_inspect_ip_options<BR />snp_fp_translate<BR />snp_fp_tcp_normalizer<BR />snp_fp_adjacency<BR />snp_fp_fragment<BR />snp_ifc_stat</P><P>Result:<BR />input-interface: OUTSIDE<BR />input-status: up<BR />input-line-status: up<BR />output-interface: INTERNAL<BR />output-status: up<BR />output-line-status: up<BR />Action: allow</P> Thu, 28 Aug 2014 07:51:55 GMT https://community.cisco.com/t5/network-security/asa-8-2-twice-nat-problem/m-p/2519976#M235234 Ramakrishnan R 2014-08-28T07:51:55Z https://community.cisco.com/t5/network-security/asa-8-2-twice-nat-problem/m-p/2519977#M235235 <P>Anyone who could help me out here !!!!</P> Thu, 04 Sep 2014 14:02:07 GMT https://community.cisco.com/t5/network-security/asa-8-2-twice-nat-problem/m-p/2519977#M235235 Ramakrishnan R 2014-09-04T14:02:07Z