05-08-2008 05:28 AM - edited 03-11-2019 05:42 AM
Hi,
We've got a global NAT rule
static (inside,outside) interior-192.168.0.0 interior-192.168 netmask 255.255.0.0
But now we need some dynamic policy NAT:
access-list inside_nat_outbound line 1 extended permit ip 192.168.0.0 255.255.0.0 host 217.77.27.188
global (outside) 1 193.14.22.1-193.14.22.10 netmask 255.0.0.0
The problem is, when we connect to the external network where we need to be NATted (217.77.27.188), we always fall on the global NAT rule, which is needed for another purpose.
Is there a way to use the global NAT rule but also use a dynamic policy NAT with the same networks?
searchrail
05-08-2008 08:58 AM
I would like to verify: your internal users need to access resources on the 'outside'. There are two IP ranges on the outside, 193.14.22.x and 217.77.27.x. Users need to access both, but right now they can only access 193.14.22.x resources because the 217.77.27.x NAT never gets used. Is that correct? Is either of these an internet connection, or are they partner/B2B type connections?
05-08-2008 09:35 AM
Where is the nat (inside) 1 command to match the ACL that you created?
05-09-2008 01:34 AM
nat (inside) 1 access-list inside_nat_outbound tcp 0 0 udp 0
Maybe I should clarify some more.
When the users need to access 217.77.27.188 (partner connection) they need to use a NAT pool (193.14.22.1-193.14.22.10).
But the users also need to access the outside interface un-NATted. The problem is that they always access the outside un-NATted, and the dynamic NAT rule is not used when they access 217.77.27.188.
05-09-2008 05:19 AM
As far as I know you cannot set NAT by destination address. I would create another interface for the partner connection.
05-09-2008 06:14 AM
Ok, I see the problem. It's the order of commands for how NAT is set up.
Order is this:
NAT Exemption
Static NAT/Static PAT
Policy NAT
Regular dynamic NAT
For all the regular traffic you're at static NAT, but the policy you're configuring is at policy NAT.
You can either configure static policy NAT or change the global static NAT that you have to a dynamic NAT policy to move it farther down the food chain.
Let me know if this resolves what you are looking to do.
Thanks
05-11-2008 04:40 AM
Thanks for the answers, but I think I found the solution.
I was working on an ASA that had the config of an old PIX.
From the things I've read (I'm not a PIX/ASA expert), in the old version of PIX you need a NAT rule for all the traffic that has to go through the PIX.
Since version 7.0 this is not needed with the 'no nat-control' command.
So traffic will go through the ASA un-NATted. I can suspend most of the old static NAT rules and after that add the dynamic rule.
Going to try that next week...
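A configuration sketch of the approach described in the last post, added here as an illustration and not the poster's running config. The ACL name, pool and addresses are the ones quoted in the thread; the object names in the removed static are taken from the first post, and the verification commands assume an ASA running 7.x/8.0-8.2 (pre-8.3 NAT syntax).

```text
! Added illustration (ASA 7.x - 8.2 syntax), not the poster's config.

! 1. Stop requiring a translation for every flow (PIX 6.x behaviour).
!    With nat-control off, traffic that matches no nat/static rule passes untranslated.
no nat-control

! 2. Remove the global static. In the NAT order of operations (exemption,
!    static, policy dynamic, regular dynamic) it matched first and masked
!    the policy NAT for the partner host.
no static (inside,outside) interior-192.168.0.0 interior-192.168 netmask 255.255.0.0

! 3. Policy dynamic NAT: only 192.168.0.0/16 -> 217.77.27.188 is translated
!    into the partner-facing pool; everything else from inside leaves un-NATted.
access-list inside_nat_outbound extended permit ip 192.168.0.0 255.255.0.0 host 217.77.27.188
nat (inside) 1 access-list inside_nat_outbound
global (outside) 1 193.14.22.1-193.14.22.10 netmask 255.0.0.0

! Verification from enable mode:
!   show running-config nat-control   -> expect "no nat-control"
!   show xlate                        -> translations appear only for flows to 217.77.27.188
```

nat-control only decides whether a translation is mandatory; the interface access-lists still decide what is permitted, so removing the static does not by itself change what inside hosts may reach.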