NAT for group of objects - how to?

orhan.tagizade
Level 1

Hi everyone!

My ASA5505 has an external address of x.x.x.13. We have got another 2 spare ip addresses: x.x.x.10 and x.x.x.11.

We also have 2 internal hosts, which we need to provide with internet access using NAT. y.y.y.146 and y.y.y.70.

We recently updated our ASA to software version 8.3(1). I was thinking that I could do it using network objects and groups, but didn't quite understand how this should be done.

The goal is to set up the ASA in such a way that if either of the above-mentioned 2 hosts connects to the internet, it needs to take one of the 2 external addresses.

All other hosts should use PAT through x.x.x.13.

Thanks a lot in advance.
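The configuration the original post asks for, written out as an added example in ASA 8.3 object NAT syntax (this is not from the thread or from Cisco; the x.x.x.* and y.y.y.* placeholders are the poster's, while the object names, the inside subnet mask and the interface names inside/outside are assumptions). Each of the two hosts gets its own spare public address by one-to-one static NAT, and everyone else is PATed behind the outside interface address:

```cisco
! Added example, not the thread's configuration. Placeholders x.x.x.* / y.y.y.*
! are the poster's; object names, the inside subnet/mask and the interface
! names (inside, outside) are assumptions.

! One-to-one static NAT: each special host owns one spare public address.
object network host-146
 host y.y.y.146
 nat (inside,outside) static x.x.x.10

object network host-70
 host y.y.y.70
 nat (inside,outside) static x.x.x.11

! Everybody else: dynamic PAT behind the outside interface (x.x.x.13).
! "interface" follows whatever address outside currently has.
object network inside-net
 subnet y.y.y.0 255.255.255.0
 nat (inside,outside) dynamic interface

! Rule order in the config does not matter here. Object NAT (section 2) is
! evaluated static before dynamic, and a single-host object before a wider
! subnet, so the two hosts never fall through to the interface PAT.

! Verify after the change; existing connections keep their old translations
! until the xlate table is cleared.
! clear xlate
! show nat detail
! packet-tracer input inside tcp y.y.y.146 12345 <any public IP> 80
! packet-tracer input inside tcp y.y.y.200 12345 <any public IP> 80
```

`show nat detail` should list hit counts per rule, and the two `packet-tracer` runs should show the first host translated to x.x.x.10 and the other host translated to x.x.x.13. Note that in 8.3 object NAT a single inline address after `dynamic` (as in `nat (inside,outside) dynamic x.x.x.10`) means dynamic PAT, not one-to-one NAT; giving two objects the same dynamic address is what produces the "Pool ... overlap with existing pool" warning seen later in this thread, and it is a warning rather than a hard error.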

21 Replies

orhan.tagizade
Level 1

Namit,

I applied rules and attached them to the interface "outside"

But again, I was not able to open the website after a connection was made with cisco vpn client.

Please see syslog attached.

Thanks in advance

orhan.tagizade
Level 1

Any news so far?

Hi ,

Could you please provide the config on the ASA ?

Also please provide the output of the following command

capture cap type asp-drop all

sh cap | in 95.86.133.30

Thanks,

Namit

Dear Namit,

Configuration and capture files are attached.

Btw, the command

sh cap | in 95.86.133.30

gave no response, thus I've downloaded the capture file from the ASA itself.

Thanks a lot!

PS: can it be somehow related to MSS?

PS2: I was searching through other forums and someone advised to check VPN pass-through. Don't know if it's somehow related to my problem, just wanted to share the information I acquired.

Hi,

Please change the following in the config

From

object network mdo0003

nat (inside,outside) static 81.21.95.10

object network mdo0005

nat (inside,outside) static 81.21.95.10

To

object network mdo0003

nat (inside,outside) dynamic 81.21.95.10

object network mdo0005

nat (inside,outside) dynamic 81.21.95.10

Since we want both the IPs to be translated to 81.21.95.10

Let me know if this helps

Thanks,

Namit

Hi, Namit!

I tried to change the configuration as you advised. Look what happened:

I configured dynamic NAT rule for network object mdo0003.

When I was trying to do the same for the network object mdo0005, ASA gave me the following error message:

pb-gw2(config-network-object)# nat (inside,outside) dynamic 81.21.95.10
WARNING: Pool (81.21.95.10) overlap with existing pool

Please see attached altered config. file.

After I made the changes, Cisco VPN client is not connecting to the remote host 95.86.133.30 at all, providing the error message 433 (see attached screenshot).

I also did a packet trace in ASDM (see screenshot attached)

If you need syslog let me know.

Thanks in advance.

Dear All,

Thank you for your help.

It seems something changed in remote PIX firewall configuration and now everything is working with static NAT for both of the network objects.

Alas!

Thanks again and have a great day!
