08-27-2014 09:28 AM - edited 03-11-2019 09:41 PM
I have a production scenario where I need to implement twice NAT on my ASA (8.2(5)). I cannot upgrade this firewall as of now.
The Topology goes like this,
(172.16.0.0/12)SPOKE---->(OUTSIDE)ASA(INTERNAL)---->3rdPARTY FW(172.23.102.92)
1. Requirement: the Spoke location users should access the web server 172.23.102.92 via IP 172.25.1.42 (this IP is advertised over the WAN).
2. Now my 3rd party wants to NAT my source traffic (172.16.0.0/12) to 10.100.43.0/24 and send it.
I have done the following config and it's not working.
================================
access-list SPOKE-NAT extended permit ip 172.16.0.0 255.240.0.0 host 172.25.1.42
nat (OUTSIDE) 2 access-list SPOKE-NAT
global (INTERNAL) 2 10.100.43.0 netmask 255.255.255.0
access-list P3NAT permit ip host 172.23.102.92 10.100.43.0 255.255.255.0
static (INTERNAL,OUTSIDE) 172.25.1.42 access-list P3NAT
================================
Upon using packet-tracer, it says "translating to dynamic pool 2 (no matching global)".
08-27-2014 12:07 PM
Hi,
Can you post the complete output of the "packet-tracer" command and the actual command used.
Do you mean that you want to use a NAT Pool in this case? If so you should have something like
global (INTERNAL) 2 10.100.43.1-10.100.43.253
global (INTERNAL) 2 10.100.43.254
- Jouni
08-28-2014 12:51 AM
Packet-tracer logs: packet-tracer input MPLS-ZONE tcp 172.22.1.1 80 172.25.1.42 80 det
Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x928ae750, priority=12, domain=capture, deny=false
hits=7342021, user_data=0x92afd1f0, cs_id=0x0, l3_type=0x0
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0000.0000.0000
Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x91cc2ba0, priority=1, domain=permit, deny=false
hits=511378318, user_data=0x0, cs_id=0x0, l3_type=0x8
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0100.0000.0000
Phase: 3
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
static (INTERNAL,OUTSIDE) 172.25.1.42 access-list P3NAT
match ip INTERNAL host 172.23.102.92 OUTSIDE 10.100.43.0 255.255.255.0
static translation to 172.25.1.42
translate_hits = 0, untranslate_hits = 25
Additional Information:
NAT divert to egress interface INTERNAL
Untranslate 172.25.1.42/0 to 172.23.102.92/0 using netmask 255.255.255.255
Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group OUTSIDE in interface OUTSIDE
access-list OUTSIDE extended permit ip any any
Additional Information:
Forward Flow based lookup yields rule:
in id=0x91edba68, priority=12, domain=permit, deny=false
hits=28433851, user_data=0x8e9fc000, cs_id=0x0, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x91cc5018, priority=0, domain=inspect-ip-options, deny=true
hits=58261256, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 6
Type: FOVER
Subtype: standby-update
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x91cbbb48, priority=21, domain=lu, deny=true
hits=4473467, user_data=0x0, cs_id=0x0, flags=0x0, protocol=6
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=80, dscp=0x0
Phase: 7
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
nat (OUTSIDE) 2 access-list SPOKE-NAT
match ip OUTSIDE 172.16.0.0 255.240.0.0 OUTSIDE host 172.25.1.42
dynamic translation to pool 2 (No matching global)
translate_hits = 0, untranslate_hits = 0
Additional Information:
Forward Flow based lookup yields rule:
in id=0x92cd1e08, priority=2, domain=host, deny=false
hits=23362, user_data=0x926a5c18, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=172.16.0.0, mask=255.240.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 8
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (INTERNAL,OUTSIDE) 172.25.1.42 access-list P3NAT
match ip INTERNAL host 172.23.102.92 OUTSIDE 10.100.43.0 255.255.255.0
static translation to 172.25.1.42
translate_hits = 0, untranslate_hits = 25
Additional Information:
Reverse Flow based lookup yields rule:
in id=0x926b2b30, priority=5, domain=host, deny=false
hits=41, user_data=0x92b01db0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=172.23.102.92, mask=255.255.255.255, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 9
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0x929d89d0, priority=0, domain=inspect-ip-options, deny=true
hits=2515, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 10
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 94023450, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_translate
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat
Module information for reverse flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_tcp_normalizer
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat
Result:
input-interface: OUTSIDE
input-status: up
input-line-status: up
output-interface: INTERNAL
output-status: up
output-line-status: up
Action: allow
09-04-2014 07:02 AM
Anyone who could help me out here?
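Editor's note. The trace above is long, and the line that matters ("dynamic translation to pool 2 (No matching global)" in Phase 7) sits between nine phases that all say ALLOW, ending in "Action: allow". The script below is an added example, not code from the thread or from Cisco: it parses pre-8.3 packet-tracer output into phases, pulls out the static un-NAT mapping from the UN-NAT phase, flags any dynamic NAT phase whose pool has no matching global, and reports whether the final "allow" actually reflects a complete twice-NAT translation. The embedded trace is a trimmed copy of the output posted above, constructed for this example; the function and field names are my own.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: the NAT-relevant phases of the packet-tracer output
# posted in the thread, trimmed to what the parser needs.
SAMPLE_TRACE = """\
Phase: 3
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
static (INTERNAL,OUTSIDE) 172.25.1.42 access-list P3NAT
  match ip INTERNAL host 172.23.102.92 OUTSIDE 10.100.43.0 255.255.255.0
    static translation to 172.25.1.42
Additional Information:
NAT divert to egress interface INTERNAL
Untranslate 172.25.1.42/0 to 172.23.102.92/0 using netmask 255.255.255.255

Phase: 7
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
nat (OUTSIDE) 2 access-list SPOKE-NAT
  match ip OUTSIDE 172.16.0.0 255.240.0.0 OUTSIDE host 172.25.1.42
    dynamic translation to pool 2 (No matching global)
Additional Information:

Result:
input-interface: OUTSIDE
output-interface: INTERNAL
Action: allow
"""


@dataclass
class Phase:
    number: int
    ptype: str = ""
    subtype: str = ""
    result: str = ""
    config: list = field(default_factory=list)
    info: list = field(default_factory=list)


def parse_trace(text):
    """Split packet-tracer output into Phase records plus the trailing Result summary."""
    phases, summary = [], {}
    current, section = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = re.match(r"Phase:\s*(\d+)$", line)
        if m:
            current = Phase(int(m.group(1)))
            phases.append(current)
            section = None
            continue
        if line == "Result:":  # the final summary block has no value after the colon
            current, section = None, "summary"
            continue
        if section == "summary":
            key, _, value = line.partition(":")
            summary[key.strip()] = value.strip()
            continue
        if current is None:
            continue
        if line.startswith("Type:"):
            current.ptype = line.split(":", 1)[1].strip()
        elif line.startswith("Subtype:"):
            current.subtype = line.split(":", 1)[1].strip()
        elif line.startswith("Result:"):
            current.result = line.split(":", 1)[1].strip()
        elif line == "Config:":
            section = "config"
        elif line == "Additional Information:":
            section = "info"
        elif section == "config":
            current.config.append(line)
        elif section == "info":
            current.info.append(line)
    return phases, summary


UNTRANSLATE_RE = re.compile(r"Untranslate (\S+)/\d+ to (\S+)/\d+")
POOL_RE = re.compile(r"dynamic translation to pool (\d+)")


def nat_findings(phases):
    """Collect the facts that decide whether the twice NAT will actually happen."""
    found = {"untranslate": None, "nat_rules": [], "missing_global": []}
    for p in phases:
        if p.ptype == "UN-NAT":
            for line in p.info:
                m = UNTRANSLATE_RE.search(line)
                if m:
                    found["untranslate"] = (m.group(1), m.group(2))  # (mapped, real)
        elif p.ptype == "NAT" and p.config:
            rule = p.config[0]  # first config line is the nat/static command itself
            found["nat_rules"].append(rule)
            joined = " ".join(p.config)
            if "No matching global" in joined:
                m = POOL_RE.search(joined)
                found["missing_global"].append((p.number, rule, m.group(1) if m else None))
    return found


def diagnose(text):
    phases, summary = parse_trace(text)
    found = nat_findings(phases)
    return {
        "action": summary.get("Action"),
        "egress": summary.get("output-interface"),
        "untranslate": found["untranslate"],
        "missing_global": found["missing_global"],
        # "allow" only means a flow was built; the source translation is complete
        # only if no dynamic NAT phase reported an unresolved pool.
        "translation_complete": summary.get("Action") == "allow" and not found["missing_global"],
    }


if __name__ == "__main__":
    for key, value in diagnose(SAMPLE_TRACE).items():
        print(f"{key}: {value}")
```

Run against the posted trace, the script reports the destination side working (172.25.1.42 un-NATs to 172.23.102.92 on INTERNAL) and the source side not: Phase 7 matched `nat (OUTSIDE) 2 access-list SPOKE-NAT` but resolved no global for pool 2, so the flow in Phase 10 is built with the 172.16.0.0/12 source untranslated, which is why "Action: allow" is not a pass here. Two things worth checking on the box itself rather than in packet-tracer: `show running-config global` to confirm that `global (INTERNAL) 2 ...` really is present with the same NAT id as the `nat` line, and whether the `nat (OUTSIDE) 2 access-list SPOKE-NAT` command carries the `outside` keyword, which pre-8.3 code requires for dynamic NAT applied to traffic entering a lower-security interface; without it the ASA looks for the matching global on a lower-security interface and can report exactly this "No matching global".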