
ASA 5520 9.1(3) Twice policy nat

nat (inside,outside) source dynamic obj-192.168.2.0 obj-192.168.32.20 destination static obj-10.1.56.0 obj-10.1.56.0

It seems that the rule doesn't match:

packet-tracer input inside tcp 192.168.2.1 342 10.1.56.1 34

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         outside

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group test in interface inside
access-list test extended permit ip any any
Additional Information:

Phase: 3
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 157, packet dispatched to next module

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow

My configuration:

object network obj-10.1.56.0
 subnet 10.1.56.0 255.255.255.0
object network obj-192.168.2.0
 host 192.168.2.0
object network obj-192.168.32.20
 host 192.168.32.20

interface GigabitEthernet0/0
 nameif outside
 security-level 60
 ip address 10.1.255.2 255.255.255.248 standby 10.1.255.3
!
interface GigabitEthernet0/1.2
 vlan 2
 nameif inside
 security-level 100
 ip address 192.168.2.20 255.255.255.0 standby 192.168.2.254

C    192.168.2.0 255.255.255.0 is directly connected, inside
S*   0.0.0.0 0.0.0.0 [1/0] via 10.1.255.1, outside

Accepted Solution

Re: ASA 5520 9.1(3) Twice policy nat

Hi,

The source object is wrong

Change this

object network obj-192.168.2.0
  host 192.168.2.0

To this

object network obj-192.168.2.0
  subnet 192.168.2.0 255.255.255.0

The "packet-tracer" is using 192.168.2.1 as the source, which naturally doesn't match the above.

Hope this helps

- Jouni

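To make the mismatch concrete, here is an added Python model of how a manual (twice) NAT rule is matched against the packet-tracer's source and destination. It is example code written for this page, not Cisco code and not something posted in the thread. The object definitions are constructed from the ones in the post; the function names (parse_objects, parse_nat, match_twice_nat) are hypothetical, only host and subnet objects are parsed, only the "source static|dynamic X Y destination static A B" form is accepted, and dynamic source NAT is assumed to map to a single host (PAT), which is what the thread's rule does. It shows why a host object containing only 192.168.2.0 never matches a source of 192.168.2.1, and why the rule starts matching once the object is the whole /24. This also matches the trace above, where only the per-session NAT phases appear and no manual NAT phase is printed.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed from the objects posted in the thread (hypothetical input, not a
# device dump).  The "before" object is the bug: a host object that contains
# only 192.168.2.0 itself.
BROKEN_CONFIG = """
object network obj-10.1.56.0
 subnet 10.1.56.0 255.255.255.0
object network obj-192.168.2.0
 host 192.168.2.0
object network obj-192.168.32.20
 host 192.168.32.20
"""

# The accepted fix: make the real source object the whole /24.
FIXED_CONFIG = BROKEN_CONFIG.replace(
    " host 192.168.2.0\n", " subnet 192.168.2.0 255.255.255.0\n"
)

NAT_LINE = ("nat (inside,outside) source dynamic obj-192.168.2.0 obj-192.168.32.20 "
            "destination static obj-10.1.56.0 obj-10.1.56.0")

OBJ_RE = re.compile(r"object network (\S+)$")
HOST_RE = re.compile(r"host (\S+)$")
SUBNET_RE = re.compile(r"subnet (\S+) (\S+)$")
NAT_RE = re.compile(
    r"nat \((\S+),(\S+)\) source (static|dynamic) (\S+) (\S+) "
    r"destination static (\S+) (\S+)$"
)


def parse_objects(config: str) -> dict:
    """Map object names to ip_network values; a 'host' becomes a /32."""
    objects, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if m := OBJ_RE.match(line):
            current = m.group(1)
        elif (m := HOST_RE.match(line)) and current:
            objects[current] = ipaddress.ip_network(m.group(1) + "/32")
        elif (m := SUBNET_RE.match(line)) and current:
            # ip_network accepts dotted-netmask notation ("10.1.56.0/255.255.255.0")
            objects[current] = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}")
    return objects


@dataclass
class TwiceNat:
    src_if: str
    dst_if: str
    src_mode: str   # "static" or "dynamic"
    real_src: str
    mapped_src: str
    real_dst: str
    mapped_dst: str


def parse_nat(line: str) -> TwiceNat:
    """Parse the 'nat (a,b) source ... destination static ...' form used in the thread."""
    m = NAT_RE.match(line.strip())
    if not m:
        raise ValueError(f"unsupported nat syntax: {line}")
    return TwiceNat(*m.groups())


def match_twice_nat(config: str, nat_line: str, in_if: str, src: str, dst: str):
    """Return (mapped_src, mapped_dst) if the packet hits the rule, else None.

    Model of manual (twice) NAT matching: the ingress interface must be the
    rule's real interface, and the real source AND real destination objects
    must both contain the packet's addresses.  Dynamic source NAT to a host
    object is PAT to that one address; 'destination static X Y' maps by
    offset, so 'destination static X X' is an identity translation.
    """
    objects = parse_objects(config)
    rule = parse_nat(nat_line)
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    real_src, real_dst = objects[rule.real_src], objects[rule.real_dst]
    if in_if != rule.src_if or src_ip not in real_src or dst_ip not in real_dst:
        return None
    mapped_src_net = objects[rule.mapped_src]
    if rule.src_mode == "dynamic":
        if mapped_src_net.prefixlen != 32:
            raise ValueError("dynamic pools are not modelled; use a host object")
        mapped_src = mapped_src_net.network_address
    else:
        mapped_src = mapped_src_net.network_address + (int(src_ip) - int(real_src.network_address))
    mapped_dst_net = objects[rule.mapped_dst]
    mapped_dst = mapped_dst_net.network_address + (int(dst_ip) - int(real_dst.network_address))
    return str(mapped_src), str(mapped_dst)


if __name__ == "__main__":
    pkt = ("inside", "192.168.2.1", "10.1.56.1")   # the packet-tracer 5-tuple from the post
    print("host object  :", match_twice_nat(BROKEN_CONFIG, NAT_LINE, *pkt))
    print("subnet object:", match_twice_nat(FIXED_CONFIG, NAT_LINE, *pkt))
```

With the host object the packet-tracer source 192.168.2.1 falls outside the real source object, so the rule is skipped and the flow leaves with its original source; only a packet from 192.168.2.0 itself would be translated to 192.168.32.20. With the /24 object the same packet is translated to source 192.168.32.20 and the destination 10.1.56.1 is preserved by the identity destination NAT. The quick check on a real box is the same one used in the thread: run packet-tracer with a source taken from inside the subnet and look for a NAT phase whose Config shows the manual nat line.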


ASA 5520 9.1(3) Twice policy nat

What a silly mistake, thanks.