10-30-2012 12:31 AM - edited 03-11-2019 05:15 PM
Hello all,
Sorry, I'm sure there are other threads on this question, but I can't seem to get anything to work. This is what we are trying to get done:
Site A needs to access the Host in Site B. Of course the Host has a default router that has a route to 10.1.1.X. Is there a way to PAT the source traffic of 10.1.1.X to the IP address of the inside interface of ASA2, or to another 192.168.12.X/26 address? Whatever we have tried, the traffic always lands on the main NAT exemption rule for the tunnel:
nat (inside,outside) source static Obj_192.168.12.X Obj_192.168.12.X destination static Obj_10.1.1.X Obj_10.1.1.X no-proxy-arp route-lookup
Can someone point me in the right direction? Again, sorry if there's a common thread on this that I can't seem to find.
Thanks for your time and help,
Nick
10-30-2012 12:39 AM
Leave the NAT rule, and you would also need to configure dynamic NAT:
object network obj-10.1.1.0
subnet 10.1.1.0 255.255.255.0
nat (outside,inside) dynamic interface
Then "clear xlate" after the above configuration.
11-02-2012 03:37 PM
Wow, thanks for the quick reply! Unfortunately this didn't work for me. I added a similar NAT rule before posting. It wasn't an object NAT, but something very close. Maybe the object does have something to do with this.
If I add the object NAT and run clear xlate, new translations will still use the above NAT statement.
So I made that rule inactive, and connections from Site A to Host work. But now connections from Site B don't get the NAT exemption going back to Site A.
So currently we have this on (ASA2):
object network Obj_10.1.1.X
subnet 10.1.1.0 255.255.255.0
object network Obj_192.168.12.X
subnet 192.168.12.0 255.255.255.192
nat (inside,outside) source static Obj_192.168.12.X Obj_192.168.12.X destination static Obj_10.1.1.X Obj_10.1.1.X no-proxy-arp route-lookup inactive
object network obj-10.1.1.0
subnet 10.1.1.0 255.255.255.0
nat (outside,inside) dynamic interface
HOBUFWSS01# sh nat
Manual NAT Policies (Section 1)
1 (inside) to (outside) source static Obj_192.168.12.X Obj_192.168.12.X destination static Obj_10.1.1.X Obj_10.1.1.X inactive
translate_hits = 0, untranslate_hits = 0
Auto NAT Policies (Section 2)
1 (outside) to (inside) source dynamic obj-10.1.1.0 interface
translate_hits = 141, untranslate_hits = 22
Note we do have two different objects obj-10.1.1.0 and Obj_10.1.1.X.
What am I doing wrong? Got closer. Also, the clients in Site B that need access to Site A point directly to ASA2 as their default router.
Thanks,
Nick
11-02-2012 06:08 PM
Change the NAT rule to "unidirectional" as follows:
nat (inside,outside) source static Obj_192.168.12.X Obj_192.168.12.X destination static Obj_10.1.1.X Obj_10.1.1.X no-proxy-arp route-lookup unidirectional
Then "clear xlate", and leave the object NAT as the above.
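Why the original exemption rule swallowed the Site A traffic, and why `unidirectional` fixes it, comes down to ASA NAT lookup order: Section 1 (manual/twice NAT) is evaluated before Section 2 (object NAT), and a static twice NAT rule matches in both directions unless `unidirectional` is set. The following is an added model of that lookup, not ASA code and not part of this thread; it assumes an inside interface address of 192.168.12.1, an outside interface address of 203.0.113.2, and a typical outbound internet PAT rule (labelled as assumed) that the thread implies but does not show. It evaluates the three configurations discussed above against the two flows that matter: a Site A client reaching the Site B host, and a Site B client reaching Site A.

```python
"""Model of ASA NAT lookup order for the three configurations in the thread.

Simplified: only Section 1 (manual NAT) and Section 2 (object NAT) are modelled,
and rules within a section are taken in list order.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Assumed interface addresses; the thread does not give them
INSIDE_IF_IP = "192.168.12.1"
OUTSIDE_IF_IP = "203.0.113.2"


@dataclass
class NatRule:
    name: str
    section: int                # ASA evaluates Section 1 before Section 2
    real_if: str                # first interface in "nat (real_if,mapped_if)"
    mapped_if: str
    real_src: str               # real source network
    real_dst: Optional[str]     # destination network for twice NAT; None means any
    mapped_src: Optional[str]   # None = identity (no change); an address = PAT to it
    unidirectional: bool = False
    inactive: bool = False


def _in(net: Optional[str], addr: str) -> bool:
    return net is None or ip_address(addr) in ip_network(net)


def match(rule: NatRule, ingress: str, src: str, dst: str) -> bool:
    """Forward match, or reverse match for a bidirectional static rule."""
    if rule.inactive:
        return False
    if ingress == rule.real_if and _in(rule.real_src, src) and _in(rule.real_dst, dst):
        return True
    # A static rule also matches traffic arriving on the mapped interface
    # unless 'unidirectional' is set; dynamic PAT never matches in reverse
    if rule.mapped_src is None and not rule.unidirectional:
        return ingress == rule.mapped_if and _in(rule.real_dst, src) and _in(rule.real_src, dst)
    return False


def lookup(rules, ingress: str, src: str, dst: str):
    """First match in section order wins; returns (rule name, translated source)."""
    for rule in sorted(rules, key=lambda r: r.section):
        if match(rule, ingress, src, dst):
            return rule.name, (src if rule.mapped_src is None else rule.mapped_src)
    return "no-nat", src


def exemption(**flags) -> NatRule:
    """The thread's twice NAT exemption: 192.168.12.0/26 <-> 10.1.1.0/24, identity."""
    return NatRule("exemption-twice-nat", 1, "inside", "outside",
                   "192.168.12.0/26", "10.1.1.0/24", None, **flags)


# The thread's object NAT: 10.1.1.0/24 arriving on outside is PATed to the inside interface
PAT_FROM_SITE_A = NatRule("obj-10.1.1.0 dynamic interface", 2, "outside", "inside",
                          "10.1.1.0/24", None, INSIDE_IF_IP)
# Assumed: a generic outbound PAT that the thread implies but does not show
OUTBOUND_PAT = NatRule("assumed outbound PAT", 2, "inside", "outside",
                       "192.168.12.0/26", None, OUTSIDE_IF_IP)

CONFIGS = {
    "original": [exemption(), PAT_FROM_SITE_A, OUTBOUND_PAT],
    "exemption inactive": [exemption(inactive=True), PAT_FROM_SITE_A, OUTBOUND_PAT],
    "unidirectional": [exemption(unidirectional=True), PAT_FROM_SITE_A, OUTBOUND_PAT],
}

# Constructed sample flows: (ingress interface, source, destination)
SITE_A_TO_HOST = ("outside", "10.1.1.5", "192.168.12.10")
SITE_B_TO_SITE_A = ("inside", "192.168.12.10", "10.1.1.5")


def evaluate(config_name: str) -> dict:
    rules = CONFIGS[config_name]
    return {"A->B": lookup(rules, *SITE_A_TO_HOST),
            "B->A": lookup(rules, *SITE_B_TO_SITE_A)}


if __name__ == "__main__":
    for name in CONFIGS:
        print(f"{name:20s} {evaluate(name)}")
```

Running it reproduces the thread step by step: with the original rules the Site A flow matches the exemption in reverse and keeps its 10.1.1.5 source, so the object PAT never gets a chance; with the exemption inactive the Site A flow is PATed to the inside interface but Site B traffic loses its exemption and falls to the outbound PAT; with `unidirectional` the exemption only matches traffic initiated from inside, so both flows land where they should.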