NAT group-nesting problem

johanhofmans — Mon, 11 Mar 2019 12:52:30 GMT

Hi all,

We are having a problem with exempt-NATting using an ASA 5520.

The top rule in my NAT table was as follows:

access-list MPLSv_nat0_outbound line 1 extended permit ip object-group Vanco-remote object-group Vanco

That group is configured as follows:

object-group network Vanco

network-object 192.168.0.0 255.255.0.0

group-object Vanco-remote

object-group network Vanco-remote

network-object BE01-Vanco 255.255.255.0

network-object BE10 255.255.255.0

network-object BE10-Aastra 255.255.255.0

group-object BE-Peltracom

network-object BE11 255.255.255.0

group-object Hotcuisine-Vanco

network-object BG01 255.255.192.0

network-object PL01 255.255.192.0

network-object 10.7.0.0 255.255.192.0

object-group network Hotcuisine-Vanco

network-object US01 255.255.252.0

network-object BE06 255.255.255.0

network-object BE06-Aastra 255.255.255.0

network-object BE05 255.255.255.0

network-object BE05-Aastra 255.255.255.0

network-object 192.169.223.0 255.255.255.0

object-group network Hotcuisine

network-object 192.168.60.0 255.255.255.0

group-object Hotcuisine-Vanco

so, group nesting is as follows:

Vanco -> Vanco-remote -> Hotcuisine-Vanco

So, while the natting rule

access-list MPLSv_nat0_outbound line 1 extended permit ip object-group Vanco-remote object-group Vanco

DOES NOT work, the following two lines DO work:

access-list MPLSv_nat0_outbound line 1 extended permit ip object-group Vanco-remote 192.168.0.0 255.255.0.0

access-list MPLSv_nat0_outbound line 2 extended permit ip object-group Vanco-remote object-group Vanco-remote

While in group Vanco includes both 192.168.0.0 255.255.0.0 and object-group Vanco-remote

Does anybody know an answer to this problem? Does NAT allow only 1 level of nesting?

thanks.

Re: NAT group-nesting problem

owillins — Thu, 05 Jun 2008 14:21:04 GMT

Recheck your group configuration. use this Troubleshoot and Alerts (in Network Address Translation (NAT) ) document.