ASA 8.2 Twice NAT Problem

Ramakrishnan R
Level 1

I have a production scenario where I need to implement twice NAT in my ASA(8.2(5)). I cannot upgrade this Firewall as of now.

The Topology goes like this,

 (172.16.0.0/12)SPOKE---->(OUTSIDE)ASA(INTERNAL)---->3rdPARTY FW(172.23.102.92)

 

1. Requirement is, the Spoke Location users should access Webserver 172.23.102.92 via IP:172.25.1.42(This IP is advertised over WAN)

2. Now my 3rd Party wants to NAT my Source Traffic(172.16.0.0/12) to 10.100.43.0/24 and send it.

 

I have done the following config and it's not working.

================================

access-list SPOKE-NAT extended permit ip 172.16.0.0 255.240.0.0 host 172.25.1.42

nat (OUTSIDE) 2 access-list SPOKE-NAT
global (INTERNAL) 2 10.100.43.0 netmask 255.255.255.0

access-list P3NAT permit ip host 172.23.102.92 10.100.43.0 255.255.255.0

static (INTERNAL,OUTSIDE) 172.25.1.42 access-list P3NAT

================================

Upon using Packet Tracer, it says "translating to dynamic pool 2 (no matching global)"

 

3 Replies

Jouni Forss
VIP Alumni

Hi,

 

Can you post the complete output of the "packet-tracer" command and the actual command used?

 

Do you mean that you want to use a NAT Pool in this case? If so you should have something like

 

global (INTERNAL) 2 10.100.43.1-10.100.43.253
global (INTERNAL) 2 10.100.43.254

 

- Jouni

Packet Trace Logs: packet-tracer input MPLS-ZONE tcp 172.22.1.1 80 172.25.1.42 80 det

Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x928ae750, priority=12, domain=capture, deny=false
        hits=7342021, user_data=0x92afd1f0, cs_id=0x0, l3_type=0x0
        src mac=0000.0000.0000, mask=0000.0000.0000
        dst mac=0000.0000.0000, mask=0000.0000.0000

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x91cc2ba0, priority=1, domain=permit, deny=false
        hits=511378318, user_data=0x0, cs_id=0x0, l3_type=0x8
        src mac=0000.0000.0000, mask=0000.0000.0000
        dst mac=0000.0000.0000, mask=0100.0000.0000

Phase: 3
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
static (INTERNAL,OUTSIDE) 172.25.1.42  access-list P3NAT
  match ip INTERNAL host 172.23.102.92 OUTSIDE 10.100.43.0 255.255.255.0
    static translation to 172.25.1.42
    translate_hits = 0, untranslate_hits = 25
Additional Information:
NAT divert to egress interface INTERNAL
Untranslate 172.25.1.42/0 to 172.23.102.92/0 using netmask 255.255.255.255

Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group OUTSIDE in interface OUTSIDE
access-list OUTSIDE extended permit ip any any
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x91edba68, priority=12, domain=permit, deny=false
        hits=28433851, user_data=0x8e9fc000, cs_id=0x0, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x91cc5018, priority=0, domain=inspect-ip-options, deny=true
        hits=58261256, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 6
Type: FOVER
Subtype: standby-update
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x91cbbb48, priority=21, domain=lu, deny=true
        hits=4473467, user_data=0x0, cs_id=0x0, flags=0x0, protocol=6
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=80, dscp=0x0

Phase: 7
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
nat (OUTSIDE) 2 access-list SPOKE-NAT
  match ip OUTSIDE 172.16.0.0 255.240.0.0 OUTSIDE host 172.25.1.42
    dynamic translation to pool 2 (No matching global)
    translate_hits = 0, untranslate_hits = 0
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x92cd1e08, priority=2, domain=host, deny=false
        hits=23362, user_data=0x926a5c18, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip=172.16.0.0, mask=255.240.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 8
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (INTERNAL,OUTSIDE) 172.25.1.42  access-list P3NAT
  match ip INTERNAL host 172.23.102.92 OUTSIDE 10.100.43.0 255.255.255.0
    static translation to 172.25.1.42
    translate_hits = 0, untranslate_hits = 25
Additional Information:
 Reverse Flow based lookup yields rule:
 in  id=0x926b2b30, priority=5, domain=host, deny=false
        hits=41, user_data=0x92b01db0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip=172.23.102.92, mask=255.255.255.255, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 9
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
 Reverse Flow based lookup yields rule:
 in  id=0x929d89d0, priority=0, domain=inspect-ip-options, deny=true
        hits=2515, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 10
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 94023450, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_translate
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Module information for reverse flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_tcp_normalizer
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Result:
input-interface: OUTSIDE
input-status: up
input-line-status: up
output-interface: INTERNAL
output-status: up
output-line-status: up
Action: allow

Anyone who could help me out here!!!!
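As an added example (not part of the thread and not a Cisco tool), a small Python parser that splits packet-tracer output in the format posted above into phases and flags any dynamic NAT rule that reports "No matching global"; it runs over a constructed, abridged copy of the trace that keeps only the two NAT-related phases.

```python
import re
# Constructed sample: two phases abridged from the packet-tracer output posted in
# the thread (same rule text and field layout, other phases omitted for brevity).
SAMPLE_TRACE = """\
Phase: 3
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
static (INTERNAL,OUTSIDE) 172.25.1.42  access-list P3NAT
  match ip INTERNAL host 172.23.102.92 OUTSIDE 10.100.43.0 255.255.255.0
    static translation to 172.25.1.42
Additional Information:

Phase: 7
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
nat (OUTSIDE) 2 access-list SPOKE-NAT
  match ip OUTSIDE 172.16.0.0 255.240.0.0 OUTSIDE host 172.25.1.42
    dynamic translation to pool 2 (No matching global)
Additional Information:
"""

def parse_phases(trace):
    # Each "Phase: N" block becomes a dict of header fields plus its "Config:" text.
    phases = []
    for block in re.split(r"\n(?=Phase: )", trace.strip()):
        if not block.startswith("Phase: "): continue  # e.g. the echoed command line
        phase, cfg, section = {}, [], None
        for line in block.splitlines():
            if line in ("Config:", "Additional Information:"):
                section = line          # switch to a free-text section
            elif section is None and (m := re.match(r"^(Phase|Type|Subtype|Result): ?(.*)$", line)):
                phase[m.group(1).lower()] = m.group(2).strip()
            elif section == "Config:":
                cfg.append(line)        # the NAT rule and its match/translation lines
        phase["config"] = "\n".join(cfg)
        phases.append(phase)
    return phases

def nat_findings(trace):
    # One (phase number, rule, pool id) tuple per NAT phase with no usable global.
    findings = []
    for p in parse_phases(trace):
        m = re.search(r"dynamic translation to pool (\d+) \(No matching global\)",
                      p["config"]) if p.get("type") == "NAT" else None
        if m:
            rule = p["config"].splitlines()[0].strip()
            findings.append((int(p["phase"]), rule, int(m.group(1))))
    return findings
```

Feed it the full "packet-tracer ... detail" output and it reports which nat rule and pool id to check against the global statements on the egress interface.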
