05-20-2009 01:15 PM - edited 03-11-2019 08:34 AM
Hi,
I have a Pix515 with a WAN link to a remote office. The Pix has an ethernet port that plugs into a 3550 switch which is set as a trunk. The WAN router is plugged into VLAN 7 (subinterface).
My LAN is on 192.168.3.x/24 and I need to have it translated to something else before it gets to the remote WAN (10.100.0.32/27) as they have this LAN used elsewhere. Can I get the pix to NAT my LAN to something else like 192.168.90.x/24?
Pix config is attached
Thanks
05-20-2009 04:39 PM
Yes, you can NAT to something else using policy NAT.
Just follow the link above. Your NAT exempt ACL would look something like:
access-list Inside_nat0_outbound extended permit ip 192.168.90.0 255.255.255.0
access-list Inside_nat0_outbound extended permit ip 192.168.90.0 255.255.255.0
access-list Inside_nat0_outbound extended permit ip 192.168.90.0 255.255.255.0
access-list policy-nat extended permit ip 192.168.3.0 255.255.255.0
access-list policy-nat extended permit ip 192.168.3.0 255.255.255.0
access-list policy-nat extended permit ip 192.168.3.0 255.255.255.0
static (inside,outside) 192.168.90.0 access-list policy-nat
The other end of the tunnel will also have to permit 192.168.90.0/24 in their tunnel policy.
Regards
05-21-2009 08:37 AM
James, are your requirements resolved with the policy NAT suggestions? Please let us know so we can assist you further if there are problems.
Regards
05-21-2009 11:01 AM
Hi!
I've been waiting all night and day for an email notify for this post and only just got it :(
Your example looks great, however I won't be able to do it until tomorrow, can't wait! I will update you.
I have never managed to get a NAT to work like this, although I have between 2 routers.
05-23-2009 12:30 PM
Hi there,
I don't think this worked for me, I can still ping 10.100.0.61, but I just think it's because I'm not getting NAT'ed so everything is the same.
All I added was:
access-list Inside_nat0_outbound extended permit ip 192.168.3.0 255.255.255.0 10.100.0.32 255.255.255.224
access-list policy-nat extended permit ip 192.168.3.0 255.255.255.0 10.100.0.32 255.255.255.252
I didn't add the last line you mentioned though, as this isn't a VPN, just a serial-connected WAN.
I have attached some more info, the Pix/ASA config doesn't have the 2 lines above btw in the attachment.
When I pinged 10.100.0.61 from my laptop on 192.168.3.x I wasn't sure what NAT debug commands I could use, so I simply ran "sh nat":
mypix# sh nat
NAT policies on Interface Inside:
match ip Inside 192.168.3.0 255.255.255.0 Outside 10.100.0.32 255.255.255.224
NAT exempt
translate_hits = 0, untranslate_hits = 0
match ip Inside 192.168.3.0 255.255.255.0 Outside 192.168.2.0 255.255.255.0
NAT exempt
translate_hits = 0, untranslate_hits = 0
match ip Inside 192.168.3.0 255.255.255.0 Outside 172.16.1.0 255.255.255.252
NAT exempt
translate_hits = 0, untranslate_hits = 0
match ip Inside 192.168.90.0 255.255.255.0 Outside 10.100.0.32 255.255.255.224
NAT exempt
translate_hits = 0, untranslate_hits = 0
match ip Inside 192.168.3.0 255.255.255.0 Inside 10.100.0.32 255.255.255.224
NAT exempt
translate_hits = 0, untranslate_hits = 0
match ip Inside 192.168.3.0 255.255.255.0 Inside 192.168.2.0 255.255.255.0
NAT exempt
translate_hits = 0, untranslate_hits = 0
match ip Inside 192.168.3.0 255.255.255.0 Inside 172.16.1.0 255.255.255.252
NAT exempt
translate_hits = 0, untranslate_hits = 0
match ip Inside 192.168.90.0 255.255.255.0 Inside 10.100.0.32 255.255.255.224
NAT exempt
translate_hits = 0, untranslate_hits = 0
match ip Inside 192.168.3.0 255.255.255.0 DMZ3 10.100.0.32 255.255.255.224
NAT exempt
translate_hits = 1, untranslate_hits = 1
match ip Inside 192.168.3.0 255.255.255.0 DMZ3 192.168.2.0 255.255.255.0
NAT exempt
translate_hits = 0, untranslate_hits = 0
match ip Inside 192.168.3.0 255.255.255.0 DMZ3 172.16.1.0 255.255.255.252
NAT exempt
translate_hits = 0, untranslate_hits = 0
match ip Inside 192.168.90.0 255.255.255.0 DMZ3 10.100.0.32 255.255.255.224
NAT exempt
translate_hits = 0, untranslate_hits = 0
match ip Inside 192.168.3.0 255.255.255.0 Outside 10.100.0.32 255.255.255.252
static translation to 192.168.90.0
translate_hits = 0, untranslate_hits = 0
match ip Inside any Outside any
dynamic translation to pool 1 (10.0.0.1 [Interface PAT])
translate_hits = 0, untranslate_hits = 0
match ip Inside any Inside any
dynamic translation to pool 1 (No matching global)
translate_hits = 0, untranslate_hits = 0
match ip Inside any DMZ3 any
dynamic translation to pool 1 (No matching global)
translate_hits = 0, untranslate_hits = 0
match ip Inside any Outside any
no translation group, implicit deny
policy_hits = 0
match ip Inside any DMZ3 any
no translation group, implicit deny
policy_hits = 0
NAT policies on Interface DMZ3:
match ip DMZ3 10.100.0.32 255.255.255.224 Outside 192.168.3.0 255.255.255.0
NAT exempt
translate_hits = 0, untranslate_hits = 0
match ip DMZ3 192.168.2.0 255.255.255.0 Outside 192.168.3.0 255.255.255.0
NAT exempt
translate_hits = 0, untranslate_hits = 0
match ip DMZ3 10.100.0.32 255.255.255.224 DMZ3 192.168.3.0 255.255.255.0
NAT exempt
translate_hits = 0, untranslate_hits = 0
match ip DMZ3 192.168.2.0 255.255.255.0 DMZ3 192.168.3.0 255.255.255.0
NAT exempt
translate_hits = 0, untranslate_hits = 0
match ip DMZ3 any Outside any
no translation group, implicit deny
policy_hits = 0
mypix#
Hope this helps
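An added configuration example, not part of the thread and not posted by either participant, covering both the policy NAT suggested above and the "sh nat" output in this post. Two things in that output explain why nothing is being translated. First, the only entry with a non-zero counter is "match ip Inside 192.168.3.0 255.255.255.0 DMZ3 10.100.0.32 255.255.255.224 / NAT exempt / translate_hits = 1", so the traffic to the remote office leaves through DMZ3 and is caught by NAT exemption; on PIX/ASA 7.x through 8.2 code, "nat 0 access-list" is evaluated before static policy NAT, so an exempt entry that matches the flow always wins. Second, the static policy entry that was added is between Inside and Outside (not DMZ3) and uses a /30 mask (255.255.255.252) instead of the /27 the remote office actually uses, so it could not match even if exemption were out of the way. The example assumes the WAN-facing interface is named DMZ3 (inferred from that hit counter; adjust if the VLAN 7 subinterface carries another nameif) and pre-8.3 NAT syntax, which is what the posted output uses; the inbound ACL name "DMZ3_access_in" is a placeholder.

```cisco
! Added example (not from the original thread): present the 192.168.3.0/24 LAN
! as 192.168.90.0/24 toward the remote office at 10.100.0.32/27.
! Assumptions: WAN-facing interface is DMZ3 (inferred from the posted 'show nat'
! hit counters); PIX/ASA 7.x-8.2 NAT syntax; ACL name DMZ3_access_in is a placeholder.
!
! 1. Remove the NAT-exempt entry for this destination. On 7.x-8.2 code NAT
!    exemption (nat 0 access-list) is matched before static policy NAT, so while
!    this entry exists the LAN -> 10.100.0.32/27 traffic is never translated.
no access-list Inside_nat0_outbound extended permit ip 192.168.3.0 255.255.255.0 10.100.0.32 255.255.255.224
!
! 2. Match only LAN traffic bound for the remote office. Note the /27 mask
!    (255.255.255.224); the line in the post used /30 (255.255.255.252).
no access-list policy-nat extended permit ip 192.168.3.0 255.255.255.0 10.100.0.32 255.255.255.252
access-list policy-nat extended permit ip 192.168.3.0 255.255.255.0 10.100.0.32 255.255.255.224
!
! 3. Policy static NAT between the real (Inside) and mapped (WAN-facing) interfaces.
!    A network static keeps the host part: 192.168.3.61 is seen as 192.168.90.61.
no static (Inside,Outside) 192.168.90.0 access-list policy-nat
static (Inside,DMZ3) 192.168.90.0 access-list policy-nat
!
! 4. Only if an access-group is applied inbound on DMZ3: on pre-8.3 code the
!    interface ACL sees the mapped address, so permit replies/connections to it.
access-list DMZ3_access_in extended permit ip 10.100.0.32 255.255.255.224 192.168.90.0 255.255.255.0
!
! Verification: clear stale translations, trace one flow, then confirm the hit
! lands on the 'static translation to 192.168.90.0' entry rather than 'NAT exempt'.
clear xlate
packet-tracer input Inside icmp 192.168.3.10 8 0 10.100.0.61
show nat
show xlate
```

After the change, the remote office must have a route for 192.168.90.0/24 pointing back across the WAN link, otherwise the translated packets get out but the replies never return; on a plain serial WAN that is the equivalent of the "other end of tunnel" note in the first reply. If "show nat" still shows the hit on a NAT exempt entry, look for another nat 0 line (including one for the Inside-to-Inside pairs listed in the posted output) that still covers 192.168.3.0 to 10.100.0.32/27.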
05-26-2009 12:32 PM
Hi,
I just wondered if you might be able to have a quick look at why my NAT isn't working?
Many thanks