ASA 5520 9.1(3) Twice policy nat

Pavlo Zabudskyi
Beginner

nat (inside,outside) source dynamic obj-192.168.2.0 obj-192.168.32.20 destination static obj-10.1.56.0 obj-10.1.56.0

It seems that the rule doesn't match:

packet-tracer input inside tcp 192.168.2.1 342 10.1.56.1 34

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         outside

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group test in interface inside
access-list test extended permit ip any any
Additional Information:

Phase: 3
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 157, packet dispatched to next module

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow

My configuration:

object network obj-10.1.56.0
 subnet 10.1.56.0 255.255.255.0
object network obj-192.168.2.0
 host 192.168.2.0
object network obj-192.168.32.20
 host 192.168.32.20

interface GigabitEthernet0/0
 nameif outside
 security-level 60
 ip address 10.1.255.2 255.255.255.248 standby 10.1.255.3
!
interface GigabitEthernet0/1.2
 vlan 2
 nameif inside
 security-level 100
 ip address 192.168.2.20 255.255.255.0 standby 192.168.2.254

C    192.168.2.0 255.255.255.0 is directly connected, inside
S*   0.0.0.0 0.0.0.0 [1/0] via 10.1.255.1, outside

Accepted Solution

Jouni Forss
Mentor

Hi,

The source object is wrong.

Change this

object network obj-192.168.2.0
  host 192.168.2.0

To this

object network obj-192.168.2.0
  subnet 192.168.2.0 255.255.255.0

The "packet-tracer" is using source 192.168.2.1, which naturally doesn't match the above.

Hope this helps

- Jouni
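The mismatch Jouni points out can be reproduced without an ASA. The Python below is an added example, not code from the thread or from Cisco: a small (hypothetical) parser for `object network` blocks and a matcher that applies the thread's twice NAT rule the way the ASA evaluates it, i.e. the packet hits the rule only when the ingress interface, the real source object and the real destination object all match. The object and rule text are constructed from the configuration quoted above; the "corrected" variant is the same text with Jouni's `subnet` fix applied. Dynamic source selection is simplified to the first mapped address (no PAT or pool bookkeeping), and the parser only understands `host`, `subnet` and `range`.

```python
import ipaddress
from typing import Optional

# Constructed from the thread: object definitions as posted (host form)
# and the twice NAT rule that should translate 192.168.2.0/24 to
# 192.168.32.20 only for traffic destined to 10.1.56.0/24.
OBJECTS_AS_POSTED = """
object network obj-10.1.56.0
 subnet 10.1.56.0 255.255.255.0
object network obj-192.168.2.0
 host 192.168.2.0
object network obj-192.168.32.20
 host 192.168.32.20
"""

# Same objects with the accepted fix: the source object becomes a /24.
OBJECTS_CORRECTED = OBJECTS_AS_POSTED.replace(
    " host 192.168.2.0\n", " subnet 192.168.2.0 255.255.255.0\n")

NAT_RULE = ("nat (inside,outside) source dynamic obj-192.168.2.0 obj-192.168.32.20 "
            "destination static obj-10.1.56.0 obj-10.1.56.0")


def parse_objects(text: str) -> dict:
    """Turn 'object network NAME' blocks into lists of ip_network objects.
    Hypothetical mini-parser: handles only host / subnet / range lines."""
    objs, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("object network "):
            current = line.split()[2]
            objs[current] = []
        elif current is None:
            continue
        elif line.startswith("host "):
            # 'host' is a single /32; this is the bug in the posted config.
            objs[current].append(ipaddress.ip_network(line.split()[1] + "/32"))
        elif line.startswith("subnet "):
            _, addr, mask = line.split()
            objs[current].append(ipaddress.ip_network(f"{addr}/{mask}", strict=False))
        elif line.startswith("range "):
            _, lo, hi = line.split()
            objs[current].extend(ipaddress.summarize_address_range(
                ipaddress.ip_address(lo), ipaddress.ip_address(hi)))
    return objs


def parse_twice_nat(rule: str) -> dict:
    """Split a 'nat (in,out) source MODE REAL MAPPED destination MODE REAL MAPPED' line."""
    tok = rule.split()
    if tok[0] != "nat" or tok[2] != "source" or tok[6] != "destination":
        raise ValueError("not a twice NAT rule with source and destination sections")
    ingress, egress = tok[1].strip("()").split(",")
    return {"ingress": ingress, "egress": egress,
            "src_mode": tok[3], "src_real": tok[4], "src_mapped": tok[5],
            "dst_mode": tok[7], "dst_real": tok[8], "dst_mapped": tok[9]}


def _contains(nets, addr) -> bool:
    return any(addr in n for n in nets)


def evaluate(rule: dict, objs: dict, ingress: str, src: str, dst: str) -> Optional[tuple]:
    """Return (translated_src, translated_dst) if the packet hits the rule, else None.

    Twice NAT is all-or-nothing: ingress interface, real source AND real
    destination must all match, which is why packet-tracer above shows no
    twice NAT phase at all for 192.168.2.1 -> 10.1.56.1."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if ingress != rule["ingress"]:
        return None
    if not _contains(objs[rule["src_real"]], s) or not _contains(objs[rule["dst_real"]], d):
        return None
    # Simplified dynamic source: first usable address of the mapped object.
    mapped = objs[rule["src_mapped"]][0]
    new_src = mapped[0] if mapped.prefixlen == 32 else mapped[1]
    if rule["dst_mapped"] == rule["dst_real"]:
        new_dst = d                         # identity destination NAT
    else:                                   # static 1:1 mapping by offset
        real, mapped_dst = objs[rule["dst_real"]][0], objs[rule["dst_mapped"]][0]
        new_dst = mapped_dst[int(d) - int(real.network_address)]
    return str(new_src), str(new_dst)


if __name__ == "__main__":
    rule = parse_twice_nat(NAT_RULE)
    for label, text in (("as posted", OBJECTS_AS_POSTED), ("corrected", OBJECTS_CORRECTED)):
        print(label, evaluate(rule, parse_objects(text), "inside", "192.168.2.1", "10.1.56.1"))
```

With the objects as posted the only source address the rule can ever match is 192.168.2.0 itself; after the fix every host in 192.168.2.0/24 matches, but only towards 10.1.56.0/24 and only when entering on `inside`.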


2 Replies

What a silly mistake, thanks.
