968 Views, 0 Helpful, 7 Replies

nat issue

rouzbehta (Level 1)

Hello all,

I have an ASA which is configured to handle two networks, one DMZ and the other the inside network. I can map my inside subnet to a public IP with NAT, but I can't do this with the DMZ subnet. I thought I had configured it correctly; I also attached my configuration file.

Would someone please tell me if there is something wrong in the configuration?

Also, when I do packet tracing with ASDM it gives me "ASDM is not able to select the entry for the following configuration".

Best Regards,

-Rouzbeh

7 Replies

andamani (Cisco Employee)

Hi,

Please do the following:

no nat (DMZ) 2 10.10.15.0 255.255.255.0

nat (DMZ) 1 10.10.15.0 255.255.255.0

Hope this helps.

Regards,

Anisha

P.S.: please mark this thread as resolved if you think your query is answered

Dear Anisha,

I did this; packet tracer still drops the packet (from the 10.10.15.0 255.255.255.0 subnet) with the following message:

ASDM is not able to select the entry for the following configuration

nat (inside21) 0.0.0.0 0.0.0.0             (I haven't set this rule! I don't know where this came from in this message.)

nat-control

match ip inside21 any outside any

no translation group, implicit deny

policy_hits=2

Best Regards,

-Rouzbeh

Hi,

I re-checked your configuration.

Please remove the following statement:

global (DMZ) 2 66.128.95.147-66.128.95.150 netmask 255.255.255.248

Also, I see that there is a default route on the DMZ interface and it is heading to a routable IP. Could you please explain why you are doing this?

route DMZ 0.0.0.0 0.0.0.0 66.128.95.145 1

I would say please change the route to:

route DMZ 10.10.15.0 255.255.255.0 1

Let me know if it makes any difference

Regards,

Anisha

Dear Anisha,

I am doing NAT translation for the inside network using PAT on interface gig0/0.

I want to use a NAT pool for the DMZ part, and that's why I used the global (DMZ) 2 66.128.95.147-66.128.95.150 netmask 255.255.255.248. Should I still remove this?

66.128.95.145 is the next-hop router; that's why I used the route DMZ 0.0.0.0 0.0.0.0 66.128.95.145 1.

I removed the route and added the route you requested, route DMZ 10.10.15.0 255.255.255.0 66.128.95.145, but got the message "can not add route, connected route exists".

Best Regards,

-Rouzbeh

Hi Rouzbeh,

Alright, I got the NATting part.

Please do the following:

no global (DMZ) 2 66.128.95.147-66.128.95.150 netmask 255.255.255.248

global (outside1) 2 66.128.95.147-66.128.95.150 netmask 255.255.255.248

nat (DMZ) 2 10.10.15.0 255.255.255.0

I am not sure about the routing part. By the statement "route DMZ 0.0.0.0 0.0.0.0 66.128.95.145 1" you mean that any traffic on the DMZ interface should head to IP 66.128.95.145. The DMZ network is 10.10.15.0/24; the IP 66.128.95.145 is not in the same subnet as 10.10.15.0/24.

I am unable to understand the routing here. In my opinion you should remove the statement "route DMZ 0.0.0.0 0.0.0.0 66.128.95.145 1".

If the DMZ network is directly connected, then I don't think there is an explicit need to add a route.

I hope you get what i am trying to explain.

Regards,

Anisha

Dear Anisha,

I did the following:

no global (DMZ) 2 66.128.95.147-66.128.95.150 netmask 255.255.255.248

global (outside1) 2 66.128.95.147-66.128.95.150 netmask 255.255.255.248

nat (DMZ) 2 10.10.15.0 255.255.255.0

I also removed the route 0.0.0.0 0.0.0.0 66.128.95.145 1. You are correct, the next hop is directly connected and there is no need for a static route.

The traffic leaving the DMZ subnet 10.10.15.0/24 should be translated to an address from 66.128.95.147-66.128.95.150, right?

BTW, after the changes you suggested took effect, I again get a packet drop from packet tracer with the following message:

nat (DMZ) 2 10.10.15.0 255.255.255.0

match ip DMZ 10.10.15.0 255.255.255.0 outside2 any

dynamic translation to pool 2 (NO matching global)

Best Regards,

-Rouzbeh

Hi,

Please do the following:

no global (outside1) 2 66.128.95.147-66.128.95.150 netmask 255.255.255.248

global (outside2) 2 66.128.95.147-66.128.95.150 netmask 255.255.255.248

Let me know the results.

Regards,

Anisha

P.S.: Please mark this thread as resolved if you feel your query is answered.
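The two packet-tracer verdicts quoted earlier in the thread ("no translation group, implicit deny" under nat-control, and "dynamic translation to pool 2 (NO matching global)") come from the same lookup: the nat statement is matched on the ingress interface, and a global with the same ID must exist on the egress interface that routing actually picks (outside2, per the match line in the last packet-tracer output). The Python model below is an added example written for this page, not code from the thread or from Cisco; it replays each configuration tried in the thread against that rule. Interface names, the DMZ subnet and the public pool are taken from the thread; the DMZ host 10.10.15.20, the inside host 192.168.21.10 and the `global (outside2) 1 interface` PAT statement are assumptions, and the verdict strings paraphrase packet-tracer's wording.

```python
"""Model of the pre-8.3 Cisco ASA nat/global lookup that packet-tracer reports on.

Added example for this thread, not code from the original post or from Cisco.
Interface names, the DMZ subnet and the public pool come from the thread; the
host addresses and the inside PAT global are assumptions (marked below).
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network


@dataclass(frozen=True)
class NatRule:
    """nat (ifc) nat_id src mask: binds a real source network seen on an ingress interface to a pool ID."""
    ifc: str
    nat_id: int
    src: IPv4Network


@dataclass(frozen=True)
class GlobalPool:
    """global (ifc) nat_id pool: the mapped addresses used when traffic leaves on ifc."""
    ifc: str
    nat_id: int
    pool: str  # e.g. "66.128.95.147-66.128.95.150", or "interface" for PAT on the egress address


@dataclass
class AsaConfig:
    nat_control: bool = True  # with nat-control, a packet that matches no nat statement is dropped
    nats: list = field(default_factory=list)
    globals_: list = field(default_factory=list)

    def nat(self, ifc: str, nat_id: int, cidr: str) -> None:
        self.nats.append(NatRule(ifc, nat_id, IPv4Network(cidr)))

    def no_nat(self, ifc: str, nat_id: int, cidr: str) -> None:
        self.nats.remove(NatRule(ifc, nat_id, IPv4Network(cidr)))

    def global_(self, ifc: str, nat_id: int, pool: str) -> None:
        self.globals_.append(GlobalPool(ifc, nat_id, pool))

    def no_global(self, ifc: str, nat_id: int, pool: str) -> None:
        self.globals_.remove(GlobalPool(ifc, nat_id, pool))


def translate(cfg: AsaConfig, ingress: str, src: str, egress: str) -> str:
    """Return a packet-tracer-style verdict for a packet entering on `ingress`
    from `src` that routing sends out of `egress`.

    The rule that matters: the nat statement is selected on the INGRESS
    interface, but the global with the same ID must sit on the EGRESS
    interface. A global bound to any other interface is invisible here.
    """
    src_ip = IPv4Address(src)
    matches = [r for r in cfg.nats if r.ifc == ingress and src_ip in r.src]
    if not matches:
        if cfg.nat_control:
            return f"match ip {ingress} any {egress} any: no translation group, implicit deny"
        return f"match ip {ingress} any {egress} any: forwarded untranslated"
    # Assumption: the most specific nat statement wins; ties fall back to
    # config order (max() keeps the first of equal keys).
    rule = max(matches, key=lambda r: r.src.prefixlen)
    if rule.nat_id == 0:
        return f"identity NAT (nat ({ingress}) 0): {src} unchanged"
    pools = [g for g in cfg.globals_ if g.ifc == egress and g.nat_id == rule.nat_id]
    if not pools:
        return f"dynamic translation to pool {rule.nat_id} (NO matching global)"
    mapped = pools[0].pool
    if mapped == "interface":
        mapped = f"the {egress} interface address (PAT)"
    return f"dynamic translation to pool {rule.nat_id}: {src} -> {mapped} via {egress}"


POOL = "66.128.95.147-66.128.95.150"  # from the thread (netmask 255.255.255.248 not modelled)


def thread_walkthrough() -> dict:
    """Replay the configurations tried in the thread for a DMZ host bound for
    the internet (egress outside2, as the packet-tracer match line shows) and
    for an inside host that has no nat statement at all."""
    cfg = AsaConfig()
    cfg.global_("outside2", 1, "interface")  # assumed: inside PAT on the egress interface
    cfg.nat("DMZ", 2, "10.10.15.0/24")
    cfg.global_("DMZ", 2, POOL)              # original config: pool bound to the DMZ itself
    dmz_host = "10.10.15.20"                 # constructed DMZ address
    out = {}
    out["global on DMZ"] = translate(cfg, "DMZ", dmz_host, "outside2")

    cfg.no_global("DMZ", 2, POOL)
    cfg.global_("outside1", 2, POOL)         # second attempt: pool on the wrong outside interface
    out["global on outside1"] = translate(cfg, "DMZ", dmz_host, "outside2")

    cfg.no_global("outside1", 2, POOL)
    cfg.global_("outside2", 2, POOL)         # final suggestion: pool on the real egress
    out["global on outside2"] = translate(cfg, "DMZ", dmz_host, "outside2")

    # nat-control with no nat statement on the ingress interface (the inside21 verdict)
    out["no nat, nat-control"] = translate(cfg, "inside21", "192.168.21.10", "outside2")  # constructed host
    return out


if __name__ == "__main__":
    for step, verdict in thread_walkthrough().items():
        print(f"{step:22s} -> {verdict}")
```

Run it directly to print the four verdicts. The only step that translates the DMZ host is the one where pool 2 is bound to outside2; the model never consults a global on any other interface, which is exactly why the DMZ-bound and outside1-bound pools produced "NO matching global" in the thread.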
