03-20-2014 06:25 AM - edited 03-11-2019 08:58 PM
Going from a PIX 515E to an ASA 5515 and trying to mirror the configuration. I believe I have most of it correct, but this one issue persists that I'm trying to get resolved. There are a number of VPN tunnels that terminate on the PIX, and on some of them the remote party has an overlapping subnet, so to remedy this the following configuration was used:
global (outside) 3 192.168.201.0
global (outside) 4 192.168.205.0
nat (inside) 4 access-list NAT1 0 0
nat (inside) 3 access-list NAT 0 0
access-list NAT permit ip 192.168.101.0 255.255.255.0 host 10.100.3.215
access-list NAT1 permit ip 192.168.105.0 255.255.255.0 host 10.100.3.215
This works fine. On the ASA I tried using this:
object network obj-10.100.3.215
host 10.100.3.215
object-group network obj-192.168.105.0_2
network-object 192.168.105.0 255.255.255.0
object-group network obj-192.168.101.0_2
network-object 192.168.101.0 255.255.255.0
nat (inside,outside) source dynamic obj-192.168.101.0_2 obj-192.168.201.0_3 destination static obj-10.100.3.215 obj-10.100.3.215
nat (inside,outside) source dynamic obj-192.168.105.0_2 obj-192.168.205.0_3 destination static obj-10.100.3.215 obj-10.100.3.215
That didn't work (the tunnel was up, because I have a number of other subnets that were able to access the remote party, but not the two that need to be NATed). I cleared this and tried it again with the following:
object network obj-10.100.3.215
host 10.100.3.215
object-group network obj-192.168.205.0_2
network-object 192.168.205.0 255.255.255.0
object-group network obj-192.168.201.0_2
network-object 192.168.201.0 255.255.255.0
object-group network obj-192.168.105.0_2
network-object 192.168.105.0 255.255.255.0
object-group network obj-192.168.101.0_2
network-object 192.168.101.0 255.255.255.0
nat (inside,outside) source static obj-192.168.101.0_2 obj-192.168.105.0_2 destination static obj-10.100.3.215 obj-10.100.3.215
nat (inside,outside) source static obj-192.168.105.0_2 obj-192.168.205.0_2 destination static obj-10.100.3.215 obj-10.100.3.215
If I run packet-tracer it appears to NAT properly to a 205.x address, but when I actually attempt it from the PC it fails. Is the syntax correct? I asked for a traceroute from the PC at the time it failed, but it wasn't provided.
03-20-2014 01:18 PM
I am trying to replace an ASA 5510 with an ASA 5515-X. When I try the same NAT command as listed above, I get this message:
"ERROR: This syntax of nat command has been deprecated."
Is there an alternative to NAT to an access-list?
Thanks.
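The two posts above ask the same thing from different directions: the PIX `nat (inside) 3 access-list NAT` / `global (outside) 3` pair is policy NAT, and ASA 8.3 and later reject that syntax because policy NAT is expressed as twice NAT (manual NAT) instead. The configuration below is an added example written for this thread, not config taken from either poster or from Cisco; the object names (INSIDE-101, MAPPED-201, PAT-201, REMOTE-HOST, the crypto map and ACL names) and the ports used in the packet-tracer check are assumptions chosen for illustration. It shows both the 1:1 net-to-net form (what the second attempt in the first post is aiming at) and a PAT form that matches the single-address `global` on the PIX more closely, plus the ordering caveat and the checks to run when packet-tracer says the translation happens but real traffic does not get through.

```cisco
! Added example (ASA 8.3+ twice NAT), not from the original posts.
! Object names, ACL/crypto map names and ports are assumed for illustration.

object network INSIDE-101
 subnet 192.168.101.0 255.255.255.0
object network MAPPED-201
 subnet 192.168.201.0 255.255.255.0
object network PAT-201
 host 192.168.201.1
object network REMOTE-HOST
 host 10.100.3.215

! Option A: 1:1 net-to-net translation. 192.168.101.x appears to the peer as
! 192.168.201.x, and only for traffic whose destination is 10.100.3.215.
! The explicit line number (1) puts the rule at the top of section 1 so a
! broader identity-NAT (NAT exemption) rule for the tunnel cannot match first.
nat (inside,outside) 1 source static INSIDE-101 MAPPED-201 destination static REMOTE-HOST REMOTE-HOST no-proxy-arp route-lookup

! Option B: dynamic PAT to a single address, the closest match to a PIX
! "global (outside) 3 <one address>". The mapped object must be a host object
! (or "interface") for the rule to be PAT rather than a dynamic pool.
! Use one of A or B for a given real subnet, not both.
! nat (inside,outside) 1 source dynamic INSIDE-101 PAT-201 destination static REMOTE-HOST REMOTE-HOST

! The identity-NAT rule that carries the non-overlapping subnets across the
! tunnel must come AFTER the policy rule, because section 1 is first match wins.
! (Placeholder objects INSIDE-NETS / REMOTE-NETS are assumed to exist.)
! nat (inside,outside) 2 source static INSIDE-NETS INSIDE-NETS destination static REMOTE-NETS REMOTE-NETS no-proxy-arp route-lookup

! The crypto ACL must describe the MAPPED addresses, since NAT happens before
! the VPN match on egress; the peer's crypto ACL must mirror it.
access-list OUTSIDE-CRYPTO-10 extended permit ip 192.168.201.0 255.255.255.0 host 10.100.3.215
crypto map OUTSIDE-MAP 10 match address OUTSIDE-CRYPTO-10

! Checks when packet-tracer looks right but the PC still fails:
! 1. Confirm rule order and hit counts (the policy rule should be listed
!    before the identity rule and its translate_hits should increase).
! show nat detail
! 2. Trace with the real source and destination; read both the NAT phase
!    (mapped address should be 192.168.201.x) and the VPN phase (ENCRYPT,
!    result ALLOW). A DROP in the VPN phase points at the crypto ACL.
! packet-tracer input inside tcp 192.168.101.10 40000 10.100.3.215 443 detailed
! 3. Verify an IPsec SA exists for the mapped selector and that encaps AND
!    decaps counters increase; encaps only means the peer is not returning
!    traffic for 192.168.201.0/24 into the tunnel.
! show crypto ipsec sa peer <peer-ip>
```

The usual reason the translated subnet works in packet-tracer but not from a real host is that the peer side still lists the real 192.168.101.0/24 (or only the untranslated subnets) in its crypto ACL, so the return path for 192.168.201.0/24 never enters the tunnel; the encaps/decaps counters in `show crypto ipsec sa` make that visible. The same example covers the second post: there is no `nat ... access-list` form on 8.3+, and the `source ... destination static` rule above is the replacement for it.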