10-21-2013 05:02 AM - edited 03-11-2019 07:54 PM
Hi
I have an ASA 5510 running 8.2.5 IOS.
I have two internal subnets, 192.168.96.0/19 and 10.12.127.0/19. I can access all the shared resources in the datacenter from the 192.168.96.0/19 subnet. I need to access the same datacenter resources from the other internal subnet (10.12.127.0/19).
Is there any way I can NAT the whole subnet (10.12.127.0/19) to one of my internal IPs (192.168.96.10), which is already allowed in the datacenter?
Can you please provide the CLI configuration commands?
10-21-2013 06:56 AM
Hi,
Behind which interface is the remote destination network? Is it behind a L2L VPN connection perhaps? Behind what interfaces are the local/internal networks located?
Are you sure about the new source network? Do you mean 10.12.128.0/19 or 10.12.96.0/19 network range as those would seem to be the network addresses with that subnet mask.
Can you tell us how the NAT is configured for your network 192.168.96.0/19 at the moment?
- Jouni
10-21-2013 07:38 AM
Hi,
Sorry for the typo, it's 10.12.128.0/19.
I need to map the whole 10.12.128.0/19 subnet to one of my internal IPs (192.168.96.10); through that I should be able to access all the shared resources.
10-21-2013 07:53 AM
Hi,
But I need to know the current setup because this is essential to provide the correct NAT configuration.
If we are talking about a L2L VPN connection then a normal Dynamic PAT configuration might possibly even break Internet connectivity for users. If you just have another interface connected to a Datacenter then a normal Dynamic PAT configuration might be just fine.
So we need to see the current setup to know what kind of NAT we can use
- Jouni
10-22-2013 12:19 AM
Yes, you are right. I can reach the datacenter if I create a PAT to one of the internal IPs, but I can't access the Internet from the same network. Is there any way to resolve this issue?
Below is the internal & datacenter network:
Internal Subnet: 10.12.128.0/19
Internal Subnet: 192.168.96.0/19
Datacenter Subnet: 10.40.128.0/19
The subnet (192.168.96.0/19) is allowed in the datacenter. I need to access the datacenter resources from the 10.12.128.0/19 subnet through one of my other internal IPs (192.168.96.10), and I should also be able to access the Internet from 10.12.128.0/19. Is there any way to configure both on the ASA?
10-22-2013 12:24 AM
Hi,
I understand your requirements but I still need to know the current setup on your firewall
Can you provide the output of the following commands so I can see the current NAT configurations
show run global
show run nat
show run static
Change any public IP addresses if there are any in the configurations.
- Jouni
10-22-2013 02:38 AM
show run global
global (outside) 2 interface
global (backup) 2 interface
show run nat
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 2 192.168.96.0 255.255.224.0
nat (inside) 2 10.12.128.0 255.255.224.0
show run static
static (inside,outside) 2.2.2.1 192.168.96.29 netmask 255.255.255.255
static (inside,outside) 2.2.2.2 192.168.96.45 netmask 255.255.255.255
2.2.2.1 & 2.2.2.2 are public IPs
10-22-2013 02:46 AM
Hi,
Can you provide the output of
show access-list inside_nat0_outbound
Though I presume this contains the NAT0 configuration for the network 192.168.96.0/19?
If so then to NAT the network 10.12.128.0/19 to the single IP address you would have to configure Dynamic Policy PAT
access-list DATACENTER-POLICY-PAT remark Dynamic Policy PAT for Datacenter connection
access-list DATACENTER-POLICY-PAT permit ip 10.12.128.0 255.255.224.0 10.40.128.0 255.255.224.0
global (outside) 200 192.168.96.10
The output of the command that I asked would probably clarify this situation.
If you have a L2L VPN connection to the Datacenter then you would probably need to add this too for the "backup" interface
global (backup) 200 192.168.96.10
- Jouni
10-22-2013 03:03 AM
Where do we map the 10.12.128.0/19 subnet to 192.168.96.10?
show access-list inside_nat0_outbound
access-list inside_nat0_outbound line 1 extended permit ip 192.168.96.0 255.255.224.0 10.40.128.0 255.255.224.0 (hitcnt=0) 0xe9aed99d
10-22-2013 03:10 AM
Hi,
Seems to me that the above configurations that I suggested should work for you just fine then.
After you have configured them you can test that the Dynamic Policy PAT works by using "packet-tracer" or naturally also testing the actual connection.
packet-tracer input inside tcp 10.12.128.100 12345 10.40.128.100 80
Or change the above information if your ACLs block the above traffic
Hope this helps
Let us know if it works for you.
Please do remember to mark a reply as the correct answer if it answered your question.
Feel free to ask more if needed.
- Jouni
10-22-2013 03:11 AM
Hi,
Seems you edited your latest reply
This is the configuration that does Dynamic Policy PAT
access-list DATACENTER-POLICY-PAT remark Dynamic Policy PAT for Datacenter connection
access-list DATACENTER-POLICY-PAT permit ip 10.12.128.0 255.255.224.0 10.40.128.0 255.255.224.0
global (outside) 200 192.168.96.10
global (backup) 200 192.168.96.10
It sets the conditions when the Dynamic PAT is applied. And in this case this Dynamic PAT is done when source network 10.12.128.0/19 connects to remote network 10.40.128.0/19. Then it will be PATed to the IP address 192.168.96.10
- Jouni
10-22-2013 03:21 AM
Thank you for your support, it's working. I added the below configuration:
access-list DATACENTER-POLICY-PAT remark Dynamic Policy PAT for Datacenter connection
access-list DATACENTER-POLICY-PAT permit ip 10.12.128.0 255.255.224.0 10.40.128.0 255.255.224.0
nat (inside) 200 access-list DATACENTER-POLICY-PAT
global (outside) 200 192.168.96.10
I need one clarification: do I need to remove "nat (inside) 2 10.12.128.0 255.255.224.0", or is it not required?
10-22-2013 03:23 AM
Hi,
You should not remove any configuration.
The one you mention is required for normal Internet traffic from that source network.
Please do remember to mark a reply as the correct answer (with the button at the bottom of the reply) if it answered your question.
Feel free to ask more if needed
- Jouni
10-22-2013 03:27 AM
Ah sorry,
I had totally missed adding the part
nat (inside) 200 access-list
Sorry about that.
- Jouni
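The thread's answer rests on the order in which ASA 8.2 software evaluates NAT rules: NAT exemption (nat 0 access-list) first, then static, then policy dynamic PAT (nat id + access-list), then regular dynamic PAT (nat id + network). The following Python model is an added example, not Cisco code and not the thread's running config. It transcribes the final configuration from the posts (the two public statics, the nat 0 exemption, policy id 200 and interface PAT id 2) and walks a few connections through that order, which shows why the nat (inside) 2 line stays for Internet traffic, why a second global on the "backup" interface is needed if traffic leaves that way, and why 10.12.127.0/19 is not a valid network address for that mask. The interface addresses 203.0.113.1 and 198.51.100.1 are constructed placeholders; policy static NAT and other corner cases are left out.

```python
"""ASA 8.2-style NAT lookup modelled in Python (added example, not Cisco
code and not the thread's running config).  Lookup order on a new
outbound connection:

  1. nat 0 access-list      NAT exemption (traffic leaves untranslated)
  2. static                 one-to-one translation
  3. nat <id> access-list   policy dynamic NAT/PAT
  4. nat <id> <net> <mask>  regular dynamic NAT/PAT

A nat id is paired with the global of the same id on the egress interface;
without one the connection is dropped, which is why a second
'global (backup) 200' is mentioned in the thread.
"""
import copy
import ipaddress
from dataclasses import dataclass, field


def net(text, strict=True):
    """Parse '10.12.128.0 255.255.224.0' or '10.12.128.0/19'.  strict=True
    rejects a host address written where a network address belongs."""
    return ipaddress.ip_network(text.replace(" ", "/"), strict=strict)


def prefix_check(text):
    """(ok, network): ok is False when the address has host bits set for
    that mask; the second element is then the network it really lies in."""
    try:
        return (True, str(net(text)))
    except ValueError:
        return (False, str(net(text, strict=False)))


@dataclass
class Asa82Nat:
    iface_ips: dict                                 # egress interface -> its own address
    nat0_acl: list = field(default_factory=list)    # [(src_net, dst_net)]
    statics: dict = field(default_factory=dict)     # (egress, real_ip) -> mapped_ip
    policy: list = field(default_factory=list)      # [(nat_id, [(src_net, dst_net)])]
    dynamic: list = field(default_factory=list)     # [(nat_id, src_net)]
    globals_: dict = field(default_factory=dict)    # (egress, nat_id) -> address or "interface"

    def mapped(self, egress, nat_id):
        """Resolve 'global (egress) nat_id ...'; None means no such global."""
        g = self.globals_.get((egress, nat_id))
        if g is None:
            return None
        return self.iface_ips[egress] if g == "interface" else g

    def translate(self, src, dst, egress):
        """Return (rule, mapped_source) for a new connection src -> dst via egress."""
        src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        for s, d in self.nat0_acl:                          # 1. NAT exemption
            if src in s and dst in d:
                return ("nat0-exempt", str(src))
        if (egress, src) in self.statics:                   # 2. static
            return ("static", self.statics[(egress, src)])
        for nat_id, acl in self.policy:                     # 3. policy dynamic PAT
            if any(src in s and dst in d for s, d in acl):
                m = self.mapped(egress, nat_id)
                return ("policy-pat", m) if m else ("drop-no-global", None)
        for nat_id, s in self.dynamic:                      # 4. regular dynamic PAT
            if src in s:
                m = self.mapped(egress, nat_id)
                return ("dynamic-pat", m) if m else ("drop-no-global", None)
        return ("no-nat", str(src))


def thread_config():
    """The thread's final configuration; interface addresses are constructed."""
    ip = ipaddress.ip_address
    return Asa82Nat(
        iface_ips={"outside": "203.0.113.1", "backup": "198.51.100.1"},  # constructed
        nat0_acl=[(net("192.168.96.0 255.255.224.0"), net("10.40.128.0 255.255.224.0"))],
        statics={("outside", ip("192.168.96.29")): "2.2.2.1",
                 ("outside", ip("192.168.96.45")): "2.2.2.2"},
        policy=[(200, [(net("10.12.128.0 255.255.224.0"), net("10.40.128.0 255.255.224.0"))])],
        dynamic=[(2, net("192.168.96.0 255.255.224.0")), (2, net("10.12.128.0 255.255.224.0"))],
        globals_={("outside", 2): "interface", ("backup", 2): "interface",
                  ("outside", 200): "192.168.96.10", ("backup", 200): "192.168.96.10"},
    )


def without_backup_global(cfg):
    """Same config minus 'global (backup) 200', the case Jouni warned about."""
    c = copy.deepcopy(cfg)
    del c.globals_[("backup", 200)]
    return c


if __name__ == "__main__":
    cfg = thread_config()
    print(prefix_check("10.12.127.0/19"))
    for flow in [("10.12.128.100", "10.40.128.100", "outside"),   # datacenter via policy PAT
                 ("10.12.128.100", "8.8.8.8", "outside"),         # Internet via nat id 2
                 ("192.168.96.50", "10.40.128.1", "outside"),     # exempt by nat 0
                 ("192.168.96.29", "8.8.8.8", "outside")]:        # static to public IP
        print(flow, "->", cfg.translate(*flow))
    print("backup, no global 200:",
          without_backup_global(cfg).translate("10.12.128.100", "10.40.128.100", "backup"))
```

The ordering is the point: the nat (inside) 200 access-list entry only matches when the destination is 10.40.128.0/19, so traffic from 10.12.128.0/19 to anything else falls through to nat (inside) 2 and gets interface PAT, which is exactly why that line must stay.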