05-08-2009 02:26 AM - edited 03-11-2019 08:29 AM
Hi,
I think policy NAT might be required for this, but I have never tried this before.
On our LAN we have a subnet 192.168.100.x/24 and this needs to get to an IP range of 10.100.0.32/27, which is a remote company network. The thing is, they also have a network on 192.168.100.x/24, so I want 192.168.100.x/24 to be NAT'ed to 192.168.90.0/24 only if going to this network.
Possible?
05-08-2009 02:39 AM
Yes, this is possible - you need to use policy-based NAT.
HTH
05-08-2009 02:50 AM
Do you have an example of this?
The inside range he is on is 192.168.100.x/24 and he needs to get to 10.100.0.32/27.
I want him to be seen as 192.168.90.x/24, or 192.168.90.240 if easier?
Thanks
05-08-2009 02:57 AM
The config would be something like:-
access-list <
static (inside,outside) <
HTH
05-08-2009 03:26 AM
access-list policy_NAT permit ip 192.168.100.0 255.255.255.0 host 10.100.0.32
static (inside,outside) 192.168.90.240 access-list policy_NAT
If there is a match in the ACL 'policy_NAT', then the 192.168.100.x address will be translated to 192.168.90.240.
05-08-2009 04:00 AM
Hi,
When adding "static (inside,outside) 192.168.90.240 access-list policy_NAT"
I seem to get the error:
global address overlaps with mask
05-08-2009 04:08 AM
Check your ACL.
05-08-2009 04:10 AM
Use NAT instead:
access-list policy_NAT permit ip 192.168.100.0 255.255.255.0 host 10.100.0.32
global (outside) 1 192.168.90.240
nat (inside) 1 access-list policy_NAT
05-08-2009 04:14 AM
Can host 10.100.0.32 be a range 10.100.0.32/27 ?
05-08-2009 04:19 AM
Yes
05-08-2009 04:20 AM
Yes, just take out:
host 10.100.0.32
and replace with
10.100.0.32 255.255.255.224
05-08-2009 04:34 AM
Tried this but it didn't work. This is my fault: the interface where this network lives is off an interface on the ASA called "DMZ3":
access-list policy-nat-2 permit ip 192.168.100.0 255.255.255.0 10.100.0.32 255.255.255.224
global (outside) 2 192.168.90.240
nat (inside) 2 access-list policy-nat-2
05-08-2009 04:43 AM
You need to detail the error, or why you say it didn't work.
Have you forced the connection from the 192.168.100.0/24 to the 10.100.0.32/27 network?
Does 'show xla' give you a translation?
05-08-2009 04:50 AM
Sorry that was very brief of me.
I have added this as you know:
access-list policy-nat-2 permit ip 192.168.100.0 255.255.255.0 10.100.0.32 255.255.255.224
global (outside) 2 192.168.90.240
nat (inside) 2 access-list policy-nat-2
The 192.168.100.x is on the inside and 10.100.0.32/27 is on the DMZ3 interface on the ASA, which is where this WAN to the remote network is installed.
Let me look at the NAT translations.
05-08-2009 04:50 AM
Then you need to change nat (<