05-08-2009 02:26 AM - edited 03-11-2019 08:29 AM
Hi,
I think this might be a policy NAT requirement, but I have never tried this before.
On our LAN we have a subnet 192.168.100.x/24 and this needs to get to an IP range of 10.100.0.32/27, which is a remote company network. The thing is, they also have a network on 192.168.100.x/24, so I want 192.168.100.x/24 to be NAT'ed to 192.168.90.0/24 only if going to this network.
Possible?
05-08-2009 05:06 AM
I didn't see any translations:
Does this look OK to you guys? Sorry for all the silly confusion I have created.
access-list policy-nat-2 permit ip 192.168.100.0 255.255.255.0 10.100.0.32 255.255.255.224
global (outside) 2 192.168.90.240
nat (DMZ3) 2 access-list policy-nat-2
I went to the PC with 192.168.100.x and pinged 10.100.0.61, which I know is live, and got a request timeout.
05-08-2009 05:23 AM
Config looks OK - can you confirm that the layer 3 devices on the 10.100.0.32/27 subnet know "how" to get "back" to 192.168.90.x through 192.168.100.x?
Are you allowing icmp - echo-replies back into the outside interface of the ASA?
05-08-2009 05:25 AM
192.168.90.x can ping 10.100.0.32/27 as I'm pinging from that subnet.
I guess they will just send replies to 192.168.90.240 that translates to 192.168.100.x?
Is this static NAT better than a policy NAT?
05-08-2009 05:33 AM
I think you have your bracketed interfaces the wrong way round for global and nat.
global (DMZ3)
nat (inside)
05-08-2009 07:18 AM
Sadly, I couldn't get this to work:
I tried these 2 configs:
1.)
access-list policy-nat-2 permit ip 192.168.100.0 255.255.255.0 10.100.0.32 255.255.255.224
global (DMZ3) 2 192.168.90.240
nat (outside) 2 access-list policy-nat-2
When i do a packet trace I get a drop:
packet-tracer input inside icmp 192.168.100.32 0 1 1 10.100$
Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in Remotesvr_Servers 255.255.255.224 DMZ3
Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in VLAN100 255.255.255.0 inside
Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside_access_in in interface inside
access-list inside_access_in extended permit icmp any any
Additional Information:
Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 6
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect icmp
service-policy global_policy global
Additional Information:
Phase: 7
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Phase: 8
Type: NAT
Subtype:
Result: DROP
Config:
nat (inside) 1 0.0.0.0 0.0.0.0
nat-control
match ip inside any DMZ3 any
dynamic translation to pool 1 (No matching global)
translate_hits = 137, untranslate_hits = 0
Additional Information:
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
2.)
access-list inside_outbound_nat0_acl extended permit ip 192.168.100.0 255.255.255.0 10.100.0.32 255.255.255.224
access-list policy-nat-2 extended permit ip 192.168.100.0 255.255.255.0 10.100.0.32 255.255.255.224
static (inside,DMZ3) 192.168.90.240 access-list policy-nat-2
On this one I get the error "global address overlaps with mask"
05-08-2009 07:24 AM
access-list policy-nat-2 permit ip 192.168.100.0 255.255.255.0 10.100.0.32 255.255.255.224
global (DMZ3) 2 192.168.90.240
nat (outside) 2 access-list policy-nat-2
This will not work, as you are trying to perform PAT in a static 1:1 config, which is not possible.
Use:
access-list policy-nat-2 permit ip 192.168.100.0 255.255.255.0 10.100.0.32 255.255.255.224
global (DMZ3) 2 192.168.90.0
nat (outside) 2 access-list policy-nat-2
or
access-list policy-nat-2 permit ip host 192.168.100.x 10.100.0.32 255.255.255.224
global (DMZ3) 2 192.168.90.240
nat (outside) 2 access-list policy-nat-2
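Pulling the two posts above together: the packet-tracer drop shows the flow falling through to `nat (inside) 1 0.0.0.0 0.0.0.0` with no `global (DMZ3) 1` (under `nat-control` that is a drop), and the `static` attempt failed because 192.168.90.240 is not a network address under the /24 taken from the ACL. The fragment below is an added example, not any poster's config. It assumes, as the route lookups in the trace show, that 192.168.100.0/24 lives behind `inside` and that 10.100.0.32/27 is reached via `DMZ3`; host 192.168.100.32 in the verification command is likewise only an assumed test host.

```cisco
! Added example (not a poster's config). Pre-8.3 ASA NAT syntax, as used in
! the thread. Assumes: real network behind "inside", remote /27 via "DMZ3".

! Match only traffic from the overlapping LAN to the remote /27.
access-list policy-nat-2 extended permit ip 192.168.100.0 255.255.255.0 10.100.0.32 255.255.255.224

! Static policy NAT: 192.168.100.0/24 <-> 192.168.90.0/24, one-to-one
! (.32 stays .32, and so on), only for flows the ACL matches.
! The mapped address must be a network boundary under the ACL's source mask;
! "static ... 192.168.90.240 access-list ..." is rejected with
! "global address overlaps with mask" because .240 is not one under /24.
! Real interface first, mapped interface second.
static (inside,DMZ3) 192.168.90.0 access-list policy-nat-2

! Do NOT also list this flow in inside_outbound_nat0_acl: NAT exemption
! (nat 0 access-list) is evaluated before static policy NAT, so the flow
! would leave untranslated and the overlap problem would return.

! Alternative if one-to-one mapping is not needed: dynamic policy NAT with
! a pool. The global must be a range with a netmask; a single address would
! be PAT to that address, which is the "PAT in a 1:1 config" objection above.
! nat (inside) 2 access-list policy-nat-2
! global (DMZ3) 2 192.168.90.1-192.168.90.254 netmask 255.255.255.0

! Verification (echo request is type 8, code 0). The NAT phase should now
! cite the static (or pool 2) instead of "nat (inside) 1 ... No matching global".
! packet-tracer input inside icmp 192.168.100.32 8 0 10.100.0.61
! show xlate | include 192.168.90
```

Two checks remain outside the ASA. As the earlier reply notes, the layer 3 devices on 10.100.0.32/27 must route 192.168.90.0/24 back toward the ASA's DMZ3 interface, or replies never arrive. And because `inspect icmp` is in the global policy, echo replies for a translated echo request are admitted statefully, so no extra ACL on DMZ3 is needed for the ping test itself.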
05-08-2009 07:39 AM
I tried those 2 examples of yours and tried the packet trace again:
Phase: 8
Type: NAT
Subtype:
Result: DROP
Config:
nat (inside) 1 0.0.0.0 0.0.0.0
nat-control
match ip inside any DMZ3 any
dynamic translation to pool 1 (No matching global)
translate_hits = 145, untranslate_hits = 0
Additional Information:
05-08-2009 07:42 AM
Post all your current NAT/Interface config.
05-08-2009 08:00 AM
I have removed the config that I am trying, but here is some of it, need anything else, I've had to hide some bits:
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address *.*.*.* 255.255.255.224
ospf cost 10
!
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address *.*.*.* 255.255.0.0
ospf cost 10
!
interface GigabitEthernet0/2
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/2.4
vlan 4
nameif DMZ2_Network
security-level 15
ip address 192.168.1.1 255.255.255.0
ospf cost 10
!
interface GigabitEthernet0/2.6
vlan 6
nameif DMZ1_Servers
security-level 10
ip address 172.24.0.100 255.255.255.0
ospf cost 10
!
interface GigabitEthernet0/2.7
vlan 7
nameif DMZ3
security-level 25
ip address 192.168.2.1 255.255.255.0
ospf cost 10
!
interface GigabitEthernet0/2.9
vlan 9
nameif DMZ6_WAN
security-level 35
ip address 172.30.0.4 255.255.255.0
ospf cost 10
!
interface GigabitEthernet0/2.10
vlan 10
nameif DMZ10_Servers
security-level 25
ip address 192.168.15.1 255.255.255.224
ospf cost 10
!
interface GigabitEthernet0/2.300
vlan 300
nameif DMZ4
security-level 20
ip address 172.25.1.1 255.255.255.0
ospf cost 10
!
interface GigabitEthernet0/3
description LAN/STATE Failover Interface
static (inside,outside) udp interface 9996 SVR06 9996 netmask 255.255.255.255
static (inside,outside) *.*.*.* SVR10 netmask 255.255.255.255
static (inside,outside) DMZ6-172.30.0.0 access-list policy-nat
static (DMZ10_Servers,outside) *.*.*.* SVR05_NEW netmask 255.255.255.255
static (inside,outside) *.*.*.* 192.168.25.42 netmask 255.255.255.255
nat-control
nat (outside) 1 Office1 255.255.255.0
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0
nat (DMZ2_Network) 0 access-list DMZ2_nat0_outbound
nat (DMZ2_Network) 1 0.0.0.0 0.0.0.0
nat (DMZ1_Servers) 0 access-list DMZ1_Servers_nat0_outbound
nat (DMZ1_Servers) 0 access-list DMZ_inbound_nat0_acl outside
nat (DMZ1_Servers) 1 0.0.0.0 0.0.0.0
nat (DMZ3) 0 access-list DMZ3_nat0_outbound
nat (DMZ3) 1 0.0.0.0 0.0.0.0
nat (DMZ6_WAN) 0 access-list DMZ6_WAN_nat0_outbound
nat (DMZ6_WAN) 1 0.0.0.0 0.0.0.0
nat (DMZ10_Servers) 0 access-list DMZ10_Servers_nat0_outbound
nat (DMZ10_Servers) 1 0.0.0.0 0.0.0.0
nat (DMZ4) 0 access-list DMZ4_outbound_nat0_acl
nat (DMZ4) 1 0.0.0.0 0.0.0.0
static (inside,outside) DMZ6-172.30.0.0 access-list policy-nat
no crypto isakmp nat-traversal
05-08-2009 08:03 AM
So where is the destination? And what interface is the policy NAT required from?