Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
561
Views
0
Helpful
16
Replies

Nat'ing Lan subnet

gtorresjr77
Level 1
Level 1

‎11-04-2013 02:38 PM - edited ‎03-11-2019 08:00 PM

I have a tunnel created and I need to NAT the local network 192.168.1.0/24 to 172.31.196.0/24 to the destination IP, let's say (2.2.2.2)

code version is 821

name 2.2.2.2 External_IP

name 172.31.196.0 Local_xlated

I thought the statement would look like nat (inside,outside) inside-network Local_xlated static destination External_IP

Labels:
0 Helpful
16 Replies 16

gtorresjr77
Level 1
Level 1
In response to gtorresjr77

‎11-05-2013 08:27 AM

eluciasa(config)# packet-tracer input inside tcp 192.168.1.6 53 173.220.117.20$

Phase: 1

Type: ACCESS-LIST

Subtype:

Result: ALLOW

Config:

Implicit Rule

Additional Information:

MAC Access list

Phase: 2

Type: FLOW-LOOKUP

Subtype:

Result: ALLOW

Config:

Additional Information:

Found no matching flow, creating a new flow

Phase: 3

Type: ROUTE-LOOKUP

Subtype: input

Result: ALLOW

Config:

Additional Information:

in   External_IP     255.255.255.255 identity

Phase: 4

Type: ACCESS-LIST

Subtype:

Result: DROP

Config:

Implicit Rule

Additional Information:

Result:

input-interface: inside

input-status: up

input-line-status: up

output-interface: NP Identity Ifc

output-status: up

output-line-status: up

Action: drop

Drop-reason: (acl-drop) Flow is denied by configured rule

eluciasa(config)#

0 Helpful

Jouni Forss
VIP Alumni
VIP Alumni
In response to gtorresjr77

‎11-05-2013 08:32 AM

Hi,

Seems the "packet-tracer" that is supposed to hit the Static Policy NAT is targeting your actual interface IP address?

If we are talking about a Static Policy NAT for a L2L VPN connection then you would naturally need to be targetting any IP address that is at the remote end. That same target IP address (all of them) should also be mentioned in the Static Policy NAT configurations "access-list"

Seems that you are either targetting the wrong IP address or there has been some greater missunderstanding what you are trying to achieve.

We are trying to confirm that when traffic from your LAN 192.168.1.0/24 goes towards the remote host 2.2.2.2 behind L2L VPN connection then its source address will be translated to the NAT IP address from network 172.31.196.0/24

Seems the first "packet-tracer" matches your usualy Dynamic PAT configuration.

- Jouni

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card