05-03-2015 08:54 AM - edited 03-11-2019 10:52 PM
Dear Support,
I want to set up a dynamic NAT on my firewall Cisco ASA 5520. I made the configuration below, but I cannot access the internet. Can you help me please?
object network LTY_NAT
subnet 192.168.176.0 255.255.248.0
object network HQ_NAT
subnet 192.168.190.0 255.255.255.0
object network CAD_NAT
subnet 192.168.140.0 255.255.255.0
object-group network ESN_NAT
network-object object LTY_NAT
network-object object HQ_NAT
network-object object CAD_NAT
nat (any,outside) source dynamic ESN_NAT interface
My Cisco ASA is connected to the inside interface (192.168.180.228) with this network: 192.168.176.0 255.255.248.0.
Thanks in advance!
05-04-2015 06:38 AM
Hi Vibhor Amrodia,
Thanks!
I modified the remote network. Now Local_LAN and Anyconnect are below:
object-group network Local_LAN
network-object 192.168.140.0 255.255.255.0
network-object 192.168.130.0 255.255.255.0
network-object 192.168.190.0 255.255.255.0
network-object 10.71.121.0 255.255.255.0
network-object 10.71.124.0 255.255.255.0
network-object 192.168.100.0 255.255.255.0
network-object 192.168.200.0 255.255.255.0
network-object 192.168.170.0 255.255.255.0
network-object 192.168.176.0 255.255.248.0
network-object 10.71.0.0 255.255.0.0
network-object 172.28.11.0 255.255.255.0
network-object 172.28.13.0 255.255.255.0
object network Anyconnect
subnet 192.168.176.0 255.255.248.0
nat (inside,outside) source static Local_LAN Local_LAN destination static Anyconnect Anyconnect
Now, what is the next step?
Thanks in advance!
05-04-2015 06:57 AM
Hi,
Now, I think the traffic should be allowed for the outbound internet.
Check it with the packet tracer again.
Thanks and Regards,
Vibhor Amrodia
05-04-2015 09:14 AM
05-05-2015 03:04 AM
Hi Vibhor Amrodia,
The dynamic NAT is working fine following your guide, but the site-to-site VPN with my peer is disconnected and I can't access the peer side. What can I do to have both dynamic NAT and the site-to-site VPN up?
Thanks in advance!
05-05-2015 05:20 AM
Hi,
Now, you need to check whether the NONAT statement is working for the site-to-site VPN tunnel or not. I think this NAT broke that for you.
You need this NAT statement:
nat (inside,outside) source static <Local Subnets> <Local Subnets> destination static <Remote Subnets> <Remote Subnets>
Thanks and Regards,
Vibhor Amrodia
05-05-2015 05:58 AM
Hi Vibhor Amrodia,
What is NONAT statement?
I have this NAT:
nat (inside,outside) source static Local_LAN Local_LAN destination static Anyconnect Anyconnect
object-group network Local_LAN
network-object 192.168.140.0 255.255.255.0
network-object 192.168.130.0 255.255.255.0
network-object 192.168.190.0 255.255.255.0
network-object 10.71.121.0 255.255.255.0
network-object 10.71.124.0 255.255.255.0
network-object 192.168.100.0 255.255.255.0
network-object 192.168.200.0 255.255.255.0
network-object 192.168.170.0 255.255.255.0
network-object 192.168.176.0 255.255.248.0
network-object 10.71.0.0 255.255.0.0
network-object 172.28.11.0 255.255.255.0
network-object 172.28.13.0 255.255.255.0
object network Anyconnect
subnet 192.168.176.0 255.255.248.0
When I put the NAT above at priority 1, the VPN is not working and the traffic for the outbound internet is allowed.
When I put the NAT below at priority 1, the VPN is working and there is no traffic for the outbound internet.
nat (inside,outside) source static Local_LAN Local_LAN destination static Remote_LAN Remote_LAN
object-group network Local_LAN
network-object 192.168.140.0 255.255.255.0
network-object 192.168.130.0 255.255.255.0
network-object 192.168.190.0 255.255.255.0
network-object 10.71.121.0 255.255.255.0
network-object 10.71.124.0 255.255.255.0
network-object 192.168.100.0 255.255.255.0
network-object 192.168.200.0 255.255.255.0
network-object 192.168.170.0 255.255.255.0
network-object 192.168.176.0 255.255.248.0
network-object 10.71.0.0 255.255.0.0
network-object 172.28.11.0 255.255.255.0
network-object 172.28.13.0 255.255.255.0
object network Remote_LAN
subnet 0.0.0.0 0.0.0.0
05-05-2015 06:05 AM
Hi,
NONAT is a generic term used to say that specific traffic should not be NATed on the ASA device, which is a prerequisite to get VPN traffic working through the ASA device.
Again you have the same issue with the incorrect object configured.
This Remote_LAN should have the specific networks which are at the peer end.
Thanks and Regards,
Vibhor Amrodia
05-05-2015 09:01 AM
Hi Vibhor Amrodia,
Thanks for your reply.
For example, I use the network 10.1.1.0/24 for the peer side VPN and the network 192.168.176.0/21 for the AnyConnect SSL VPN. Can I put these two networks in the same Remote_LAN, or must I create one Remote_LAN for each VPN?
Ramatoulaye HANE
05-05-2015 08:25 PM
Hi,
You can put it in the same NAT statement combined.
Thanks and Regards,
Vibhor Amrodia
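To make the two observations in this thread concrete (the VPN breaks when the dynamic PAT is matched first, and the internet breaks when Remote_LAN is 0.0.0.0/0) and the last reply (both remote networks can sit in one combined NONAT statement), here is an added example that is not part of the thread and not Cisco's code: a small Python model of how the ASA evaluates manual (twice) NAT rules in section 1, first match wins in configuration order. The outside interface address 203.0.113.1 and the internet host 198.51.100.7 are constructed values; the inside networks, the peer network 10.1.1.0/24 and the AnyConnect pool 192.168.176.0/21 are the ones the posters mention. The `overbroad_identity_rules` check is my own addition, not an ASA command.

```python
"""Added example: model of ASA section 1 (manual/twice NAT) rule selection.
Not from the thread; values marked 'constructed' are assumptions."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple

# Constructed: outside interface address (documentation range).
OUTSIDE_IF_IP = ip_address("203.0.113.1")
# Inside networks from the thread (a subset of the poster's Local_LAN object).
LOCAL_LAN = [ip_network(n) for n in ("192.168.140.0/24", "192.168.190.0/24", "192.168.176.0/21")]
# Remote_LAN as recommended: the site-to-site peer plus the AnyConnect pool, combined.
REMOTE_LAN_SPECIFIC = [ip_network("10.1.1.0/24"), ip_network("192.168.176.0/21")]
# The poster's earlier Anyconnect-only destination object.
ANYCONNECT_ONLY = [ip_network("192.168.176.0/21")]
# The mistake from the thread: a catch-all remote object.
REMOTE_LAN_ANY = [ip_network("0.0.0.0/0")]


@dataclass
class NatRule:
    name: str
    src: List[IPv4Network]            # "source static X X" or "source dynamic X ..."
    dst: Optional[List[IPv4Network]]  # "destination static Y Y"; None = no destination clause
    pat_to: Optional[IPv4Address]     # None = identity NAT (NONAT); address = PAT to interface


def in_any(nets: List[IPv4Network], addr: IPv4Address) -> bool:
    return any(addr in n for n in nets)


def apply_nat(rules: List[NatRule], src: IPv4Address, dst: IPv4Address) -> Tuple[str, IPv4Address]:
    """First matching rule wins, in configuration order. Returns (rule name, translated source)."""
    for r in rules:
        if in_any(r.src, src) and (r.dst is None or in_any(r.dst, dst)):
            return r.name, (src if r.pat_to is None else r.pat_to)
    return "NO-MATCH", src


def build_rules(remote_lan: List[IPv4Network], nonat_first: bool = True) -> List[NatRule]:
    """nonat_first=True puts the identity rule at priority 1, ahead of the dynamic PAT."""
    nonat = NatRule("NONAT-VPN", LOCAL_LAN, remote_lan, None)      # source static L L destination static R R
    pat = NatRule("PAT-INTERNET", LOCAL_LAN, None, OUTSIDE_IF_IP)  # source dynamic L interface
    return [nonat, pat] if nonat_first else [pat, nonat]


def decide(remote_lan: List[IPv4Network], src: str, dst: str, nonat_first: bool = True) -> Tuple[str, str]:
    """Convenience wrapper: which rule a flow hits and what source address leaves the outside interface."""
    name, xlate = apply_nat(build_rules(remote_lan, nonat_first), ip_address(src), ip_address(dst))
    return name, str(xlate)


def overbroad_identity_rules(rules: List[NatRule]) -> List[str]:
    """Defender check (added here, not an ASA feature): identity rules whose destination
    is 0.0.0.0/0 exempt every flow from translation, so nothing is PATed to the internet."""
    return [r.name for r in rules
            if r.pat_to is None and r.dst is not None and any(n.prefixlen == 0 for n in r.dst)]


if __name__ == "__main__":
    host, peer, internet = "192.168.190.10", "10.1.1.5", "198.51.100.7"
    print(decide(REMOTE_LAN_SPECIFIC, host, peer))                      # NONAT-VPN: VPN traffic untouched
    print(decide(REMOTE_LAN_SPECIFIC, host, internet))                  # PAT-INTERNET: translated to 203.0.113.1
    print(decide(REMOTE_LAN_ANY, host, internet))                       # NONAT-VPN: private source leaks, no internet
    print(decide(ANYCONNECT_ONLY, host, peer))                          # PAT-INTERNET: site-to-site traffic NATed, VPN breaks
    print(decide(REMOTE_LAN_SPECIFIC, host, peer, nonat_first=False))   # PAT-INTERNET: wrong order also breaks VPN
    print(overbroad_identity_rules(build_rules(REMOTE_LAN_ANY)))        # ['NONAT-VPN']
```

The model only captures rule order and source/destination matching, which is enough to reproduce both symptoms: a NONAT rule with a catch-all destination shadows the dynamic PAT, and a NONAT rule that is either placed after the PAT or lacks the peer network lets the PAT translate VPN-bound traffic. On a real ASA the same question is answered with `packet-tracer`, as suggested earlier in the thread.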
05-06-2015 05:58 AM
Hi Vibhor Amrodia,
It works fine. Thanks for your support!
Ramatoulaye HANE