04-08-2014 09:40 AM - edited 03-11-2019 09:03 PM
Hello, I'm trying to configure identity NAT of my inside directly attached network 172.24.10.0/24 and it doesn't work.
Identity NAT of inside networks that are not directly attached is working.
If I use a dynamic PAT of the directly attached network with an external IP address it works.
The rule is configured as follows: source interface INSIDE destination interface OUTSIDE
source address 172.24.10.0/24 destination address any
translation
static
source address 172.24.10.0/24 destination address any
What am I doing wrong?
Tks
Johnny
04-09-2014 03:08 AM
Hi,
I am not well versed with ASDM but through CLI your config for identity NAT must look like:
object network REAL_INSIDE
 subnet 172.24.10.0 255.255.255.0
 nat (inside,outside) static 172.24.10.0
04-09-2014 05:28 AM
Are you setting this up for a VPN tunnel? Could you please explain more about what you are trying to accomplish with this and we can help you further.
--
Please remember to rate and select a correct answer
04-09-2014 08:31 AM
The thing that tripped me up on identity NAT the first time I tried it on 9.0 (coming from old style 8.2) was that I had to use a phase I "twice NAT" rule to get it to have precedence over my phase II dynamic PAT object rule. E.g.
nat (lan1,outside) source static LAN1-NAT0 LAN1-NAT0 destination static REMOTE-NAT-06 REMOTE-NAT-06 no-proxy-arp route-lookup
object network LAN0-NAT
 subnet 172.17.4.0 255.255.255.0
 nat (lan1,outside) dynamic 192.0.20.10
-- Jim Leinweber, WI State Lab of Hygiene
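The precedence discussed in the post above, as an added example that is not part of the thread and not device code: a simplified Python model of ASA 8.3+ NAT rule ordering, in which manual (twice) NAT rules are checked first in configured order and object NAT rules follow, static before dynamic. The subnets standing in for REMOTE-NAT-06 and LAN1-NAT0, the rule name `twice-identity` and the test destinations are assumptions constructed for the illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass
class NatRule:
    name: str
    section: int   # 1 = manual (twice) NAT, 2 = object NAT, 3 = manual after-auto
    kind: str      # "static" or "dynamic"
    real: str      # real source network
    mapped: str    # mapped source (equal to real for identity NAT)
    dest: str = "0.0.0.0/0"   # object NAT cannot match on destination
    line: int = 0  # configured position, used in sections 1 and 3

def order_key(r):
    if r.section != 2:
        return (r.section, r.line)
    net = ip_network(r.real)
    # Section 2: static before dynamic, then fewest real addresses,
    # then lowest network address, then object name.
    return (2, r.kind != "static", net.num_addresses,
            int(net.network_address), r.name)

def first_match(rules, src, dst):
    """Return the first rule, in evaluation order, that matches the flow."""
    for r in sorted(rules, key=order_key):
        if (ip_address(src) in ip_network(r.real)
                and ip_address(dst) in ip_network(r.dest)):
            return r
    return None

def translate(rules, src, dst):
    """Return (source address after NAT, name of the rule that matched)."""
    r = first_match(rules, src, dst)
    if r is None:
        return src, None
    if r.kind == "dynamic":
        return r.mapped, r.name   # dynamic PAT to a single address
    offset = int(ip_address(src)) - int(ip_network(r.real).network_address)
    return str(ip_network(r.mapped).network_address + offset), r.name

# Constructed sample modelled on the rules quoted above. 198.51.100.0/24 stands
# in for REMOTE-NAT-06 and 172.17.4.0/24 for LAN1-NAT0 (both are assumptions).
RULES = [
    NatRule("LAN0-NAT", 2, "dynamic", "172.17.4.0/24", "192.0.20.10"),
    NatRule("twice-identity", 1, "static", "172.17.4.0/24", "172.17.4.0/24",
            dest="198.51.100.0/24", line=1),
]

if __name__ == "__main__":
    print(translate(RULES, "172.17.4.25", "198.51.100.7"))  # to the remote net
    print(translate(RULES, "172.17.4.25", "203.0.113.9"))   # to anything else
```

On the device itself, `show nat detail` lists the rules in the order they are evaluated, which is the quickest way to confirm which rule a flow will hit.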