10-14-2022 02:26 PM - edited 10-14-2022 02:30 PM
Hi
I am configuring an ASA device. I am noting that NAT is not working and the PRIVATE device cannot reach the destination/gateway (192.168.237.65 & 192.168.237.129). Can someone help to check the config?
interface GigabitEthernet0/1
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/1.819
vlan 819
nameif VENDORNET_VENDOR_A
security-level 100
ip address 192.168.237.75 255.255.255.192
!
interface GigabitEthernet0/1.820
vlan 820
nameif VENDORNET_VENDOR_B
security-level 100
ip address 192.168.237.136 255.255.255.192
!
interface GigabitEthernet0/2
nameif PRIVATE
security-level 10
ip address 11.200.0.1 255.255.252.0
policy-route route-map SET_NEXT_HOP
!
object network vendor_VENDOR_B_subnet
range 192.168.237.129 192.168.237.191
object network obj_11.200.0.220
host 11.200.0.220
object network obj_VENDOR_B_1
host 192.168.237.140
!
object network vendor_VENDOR_A_subnet
range 192.168.237.65 192.168.237.127
object network obj_11.200.3.23
host 11.200.3.23
object network obj_VENDOR_A_1
host 192.168.237.100
!
access-list VLAN_VENDOR_B_EXT standard permit host 11.200.0.220
access-list VLAN_VENDOR_A_EXT standard permit host 11.200.3.23
!
nat (PRIVATE,VENDORNET_VENDOR_A) source static obj_11.200.3.23 obj_VENDOR_A_1
nat (PRIVATE,VENDORNET_VENDOR_B) source static obj_11.200.0.220 obj_VENDOR_B_1
!
route-map SET_NEXT_HOP permit 10
match ip address VLAN_VENDOR_B_EXT
set interface VENDORNET_VENDOR_B
set ip default next-hop 192.168.237.129
!
route-map SET_NEXT_HOP permit 20
match ip address VLAN_VENDOR_A_EXT
set interface VENDORNET_VENDOR_A
set ip default next-hop 192.168.237.65
!
route VENDORNET_VENDOR_A 0.0.0.0 0.0.0.0 192.168.237.65 2
route VENDORNET_VENDOR_B 0.0.0.0 0.0.0.0 192.168.237.129 3
Manual NAT Policies (Section 1)
1 (PRIVATE) to (VENDORNET_VENDOR_B) source static obj_11.200.0.220 obj_VENDOR_B_1
translate_hits = 0, untranslate_hits = 0
2 (PRIVATE) to (VENDORNET_VENDOR_A) source static obj_11.200.3.23 obj_VENDOR_A_1
translate_hits = 0, untranslate_hits = 0
10-14-2022 03:59 PM
Many issues with your shared config.
First:
access-list VLAN_VENDOR_A_EXT standard permit host 11.200.3.23 <<- traffic from VLAN_VENDOR_A_EXT
!
route-map SET_NEXT_HOP permit 20
match ip address VLAN_VENDOR_A_EXT
set interface VENDORNET_VENDOR_A <<- will go via the interface the traffic comes from !!!
set ip default next-hop 192.168.237.65
10-15-2022 03:23 AM
set interface VENDORNET_VENDOR_A <<- will go via the interface the traffic comes from !!!
-- Why would it send the traffic back to the interface it comes from? The interface VENDORNET_VENDOR_A is the egress to VLAN 819.
10-15-2022 03:41 AM - edited 10-15-2022 03:42 AM
interface GigabitEthernet0/1.819
vlan 819
nameif VENDORNET_VENDOR_A
security-level 100
ip address 192.168.237.75 255.255.255.192
!
access-list VLAN_VENDOR_A_EXT standard permit host 11.200.3.23
If you use a standard ACL, matching is done on the destination address only.
!
route-map SET_NEXT_HOP permit 20
match ip address VLAN_VENDOR_A_EXT
set interface VENDORNET_VENDOR_A
set ip default next-hop 192.168.237.65 <<-
!
interface GigabitEthernet0/2
nameif PRIVATE
security-level 10
ip address 11.200.0.1 255.255.252.0
policy-route route-map SET_NEXT_HOP
The PBR is used to forward traffic ingressing interface <PRIVATE>; the PBR will check the PBR ACL VLAN_VENDOR_A_EXT and see that the destination is host 11.200.3.23 <which we see is in the same subnet as PRIVATE>.
That confuses me.
Can you draw the topology?
10-15-2022 04:29 AM
1. access-list VLAN_VENDOR_A_EXT standard permit host 11.200.3.23 -- in a standard ACL, shouldn't permit be followed by the source?
2. I just want to confirm the following logic:
10-15-2022 04:51 AM
access-list VLAN_VENDOR_A_EXT standard permit host 11.200.3.23 -- in a standard ACL, shouldn't permit be followed by the source? No.
"If you use a standard ACL, matching is done on the destination address only."
10-14-2022 04:02 PM
nat (PRIVATE,VENDORNET_VENDOR_A) source static obj_11.200.3.23 obj_VENDOR_A_1
nat (PRIVATE,VENDORNET_VENDOR_B) source static obj_11.200.0.220 obj_VENDOR_B_1
!
interface GigabitEthernet0/2
nameif PRIVATE
security-level 10
ip address 11.200.0.1 255.255.252.0 <<- the subnet is different from 11.200.3.23 !!!
policy-route route-map SET_NEXT_HOP
10-15-2022 03:42 PM
Thanks for troubleshooting.
I have changed the ACL to the extended format to match both source and destination. It is working now!!!
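To make the point of this thread concrete (a standard ACL in an ASA route-map is compared with the packet's destination only, so "permit host 11.200.3.23" never matches traffic that 11.200.3.23 sends towards the vendor gateways, while an extended ACL matching source and destination does), here is a small Python model of the route-map evaluation using the thread's own ACL and route-map names. It is an added example, not configuration or code from the thread or from Cisco; the destination networks in the extended ACLs (192.168.237.64/26 and 192.168.237.128/26, derived from the vendor object ranges) are an assumption, since the post only says the ACL was changed to extended form. It also answers the /22 coverage question from further down the thread with the same subnet arithmetic.

```python
from ipaddress import ip_address, ip_interface, ip_network

# Added example, not from the thread: a model of how an ASA route-map evaluates
# "match ip address <acl>" for policy-based routing. A STANDARD ACL is compared
# with the packet's destination address only; an EXTENDED ACL is compared with
# source and destination. Routing-table fallback and NAT are out of scope here.


def standard_acl_matches(entries, src, dst):
    """Standard ACL in PBR: each entry is one network, compared with the destination."""
    del src  # the source address plays no part in a standard ACL match
    return any(ip_address(dst) in ip_network(net) for net in entries)


def extended_acl_matches(entries, src, dst):
    """Extended ACL: each entry is a (source_net, destination_net) pair; both must match."""
    return any(ip_address(src) in ip_network(s) and ip_address(dst) in ip_network(d)
               for s, d in entries)


def pbr_next_hop(route_map, acls, src, dst):
    """Walk the route-map sequences in order and return the next hop of the first
    matching sequence, or None when nothing matches (the ASA then uses the routing table)."""
    for seq in route_map:
        kind, entries = acls[seq["acl"]]
        matcher = standard_acl_matches if kind == "standard" else extended_acl_matches
        if matcher(entries, src, dst):
            return seq["next_hop"]
    return None


# Route-map SET_NEXT_HOP as posted: seq 10 -> vendor B gateway, seq 20 -> vendor A gateway.
SET_NEXT_HOP = [
    {"seq": 10, "acl": "VLAN_VENDOR_B_EXT", "next_hop": "192.168.237.129"},
    {"seq": 20, "acl": "VLAN_VENDOR_A_EXT", "next_hop": "192.168.237.65"},
]

# The original standard ACLs. "permit host 11.200.3.23" names the PRIVATE host,
# but a standard ACL in PBR is compared with the DESTINATION, so packets from that
# host to the vendor gateways never match.
ORIGINAL_ACLS = {
    "VLAN_VENDOR_B_EXT": ("standard", ["11.200.0.220/32"]),
    "VLAN_VENDOR_A_EXT": ("standard", ["11.200.3.23/32"]),
}

# Extended ACLs matching source host and destination vendor subnet. The /26
# destination networks are an assumption taken from the thread's object ranges
# (192.168.237.65-127 and 192.168.237.129-191); the post does not show the exact ACL.
EXTENDED_ACLS = {
    "VLAN_VENDOR_B_EXT": ("extended", [("11.200.0.220/32", "192.168.237.128/26")]),
    "VLAN_VENDOR_A_EXT": ("extended", [("11.200.3.23/32", "192.168.237.64/26")]),
}


def interface_covers(host, interface_cidr):
    """Is host inside the connected subnet of an interface (e.g. PRIVATE, 11.200.0.1/22)?"""
    return ip_address(host) in ip_interface(interface_cidr).network


if __name__ == "__main__":
    flows = (("11.200.3.23", "192.168.237.65"), ("11.200.0.220", "192.168.237.129"))
    for label, acls in (("standard ACLs", ORIGINAL_ACLS), ("extended ACLs", EXTENDED_ACLS)):
        for src, dst in flows:
            print(f"{label}: {src} -> {dst}: next hop {pbr_next_hop(SET_NEXT_HOP, acls, src, dst)}")
    # Constructed packet destined TO 11.200.3.23: this is what the standard ACL actually matches.
    print("standard ACLs: 11.200.0.5 -> 11.200.3.23: next hop",
          pbr_next_hop(SET_NEXT_HOP, ORIGINAL_ACLS, "11.200.0.5", "11.200.3.23"))
    print("PRIVATE /22 covers 11.200.3.23:", interface_covers("11.200.3.23", "11.200.0.1/22"))
```

With the original standard ACLs both vendor-bound flows return None, so the route-map never sets a next hop and the NAT hit counters in the "show nat" output stay at zero; the only packet the original ACL would match is one whose destination is 11.200.3.23. With the extended ACLs each PRIVATE host is steered to its vendor gateway, which is the change that resolved the thread.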
10-15-2022 03:46 PM
You are so so welcome friend.
10-14-2022 04:17 PM
Hi, thanks for advising.
How do I fix these issues?
11.200.0.1 255.255.252.0 could cover 11.200.3.23?
Address: 11.200.0.1 00001011.11001000.000000 00.00000001
Netmask: 255.255.252.0 = 22 11111111.11111111.111111 00.00000000
Wildcard: 0.0.3.255 00000000.00000000.000000 11.11111111
=> Network: 11.200.0.0/22 00001011.11001000.000000 00.00000000 (Class A)
Broadcast: 11.200.3.255 00001011.11001000.000000 11.11111111
HostMin: 11.200.0.1 00001011.11001000.000000 00.00000001
HostMax: 11.200.3.254 00001011.11001000.000000 11.11111110
Hosts/Net: 1022
10-14-2022 04:54 PM
Yes, I double-checked; it is covered if the mask is /22.
But still, the PBR you use must be correct.