Policy Nat ASA 8.6(1)

mumbles202
Level 5

Going from a PIX 515E to an ASA 5515 and trying to mirror the configuration. I believe I have most of it correct, but this one issue persists that I'm trying to get resolved. There are a number of VPN tunnels that terminate on the PIX, and on some of them the remote party has an overlapping subnet, so to remedy this the following configuration was used:

global (outside) 3 192.168.201.0
global (outside) 4 192.168.205.0

nat (inside) 4 access-list NAT1 0 0
nat (inside) 3 access-list NAT 0 0

access-list NAT permit ip 192.168.101.0 255.255.255.0 host 10.100.3.215
access-list NAT1 permit ip 192.168.105.0 255.255.255.0 host 10.100.3.215

This works fine. On the ASA I tried using this:

object network obj-10.100.3.215
 host 10.100.3.215
object-group network obj-192.168.105.0_2
 network-object 192.168.105.0 255.255.255.0
object-group network obj-192.168.101.0_2
 network-object 192.168.101.0 255.255.255.0


nat (inside,outside) source dynamic obj-192.168.101.0_2 obj-192.168.201.0_3 destination static obj-10.100.3.215 obj-10.100.3.215
nat (inside,outside) source dynamic obj-192.168.105.0_2 obj-192.168.205.0_3 destination static obj-10.100.3.215 obj-10.100.3.215

That didn't work (the tunnel was up, because I have a number of other subnets that were able to access the remote party, but not the two that need to be NAT'd). I cleared this and tried it again with the following:

object network obj-10.100.3.215
 host 10.100.3.215

object-group network obj-192.168.205.0_2
 network-object 192.168.205.0 255.255.255.0
object-group network obj-192.168.201.0_2
 network-object 192.168.201.0 255.255.255.0
object-group network obj-192.168.105.0_2
 network-object 192.168.105.0 255.255.255.0
object-group network obj-192.168.101.0_2
 network-object 192.168.101.0 255.255.255.0

nat (inside,outside) source static obj-192.168.101.0_2 obj-192.168.105.0_2 destination static obj-10.100.3.215 obj-10.100.3.215
nat (inside,outside) source static obj-192.168.105.0_2 obj-192.168.205.0_2 destination static obj-10.100.3.215 obj-10.100.3.215

If I do a packet-tracer trace it appears to NAT properly to a 205.x address, but when I actually attempt it from the PC it fails. Is the syntax correct? I asked for a traceroute from the PC at the time it failed, but it wasn't provided.
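The two ASA attempts in the post are easy to mis-type by hand: the first references mapped objects (obj-192.168.201.0_3, obj-192.168.205.0_3) that are never defined, and the second maps 192.168.101.0/24 onto 192.168.105.0/24, which is itself the real source network of the next rule. The following validator is an added example, not code from the original post or from Cisco; it parses object, object-group and twice-NAT lines and reports undefined objects, static rules whose real and mapped sizes differ, and mapped ranges that collide with another rule's real source range. The CORRECTED snippet at the end is an assumption of what the PIX mapping implies (NAT id 3 = 192.168.101.0 to global 192.168.201.0, id 4 = 192.168.105.0 to 192.168.205.0); the object names ending in _2 are taken from the post.

```python
"""Sanity-check ASA 8.3+ twice-NAT snippets before pasting them into a box.

Added example: checks object references, static size mismatch, and mapped
ranges that overlap another rule's real source range.
"""
import ipaddress
import re

NAT_RE = re.compile(
    r"^nat \((?P<ifaces>[^)]+)\) source (?P<mode>static|dynamic) "
    r"(?P<real>\S+) (?P<mapped>\S+)"
    r"(?: destination static (?P<rdst>\S+) (?P<mdst>\S+))?"
)


def parse_objects(config):
    """Return {name: [ip_network, ...]} for 'object network' and
    'object-group network' blocks. Blank lines inside a block are ignored."""
    objects = {}
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = re.match(r"^(?:object|object-group) network (\S+)$", line)
        if m:
            current = m.group(1)
            objects.setdefault(current, [])
            continue
        if line.startswith("nat "):
            current = None  # a nat line ends any open object block
            continue
        if current is None:
            continue
        m = re.match(r"^(?:network-object )?host (\S+)$", line)
        if m:
            objects[current].append(ipaddress.ip_network(m.group(1) + "/32"))
            continue
        m = re.match(r"^(?:network-object|subnet) (\S+) (\S+)$", line)
        if m:
            net = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
            objects[current].append(net)
    return objects


def parse_nat_rules(config):
    """Return one dict per twice-NAT line, in configuration order."""
    return [m.groupdict() for m in map(NAT_RE.match,
            (l.strip() for l in config.splitlines())) if m]


def address_count(nets):
    return sum(n.num_addresses for n in nets)


def check_twice_nat(config):
    """Return a list of human-readable findings; empty list means no issue found."""
    objects = parse_objects(config)
    rules = parse_nat_rules(config)
    findings = []
    for i, r in enumerate(rules, 1):
        names = [r["real"], r["mapped"]]
        if r["rdst"]:
            names += [r["rdst"], r["mdst"]]
        missing = [n for n in names if n != "any" and n not in objects]
        for n in missing:
            findings.append(f"rule {i}: references undefined object {n}")
        if missing:
            continue
        real, mapped = objects[r["real"]], objects[r["mapped"]]
        # Static source NAT is one-to-one: real and mapped pools should be the same size.
        if r["mode"] == "static" and address_count(real) != address_count(mapped):
            findings.append(f"rule {i}: static source NAT but real ({address_count(real)}) "
                            f"and mapped ({address_count(mapped)}) sizes differ")
        # A mapped range that lands on another rule's real source range is almost
        # always a typo (the post's second attempt maps 101.0/24 onto 105.0/24).
        for j, other in enumerate(rules, 1):
            if j == i or other["real"] not in objects:
                continue
            for m_net in mapped:
                for o_net in objects[other["real"]]:
                    if m_net.overlaps(o_net):
                        findings.append(f"rule {i}: mapped {m_net} overlaps real source "
                                        f"{o_net} of rule {j}")
    return findings


# Constructed from the post's first attempt (mapped objects never defined).
FIRST_ATTEMPT = """
object network obj-10.100.3.215
 host 10.100.3.215
object-group network obj-192.168.105.0_2
 network-object 192.168.105.0 255.255.255.0
object-group network obj-192.168.101.0_2
 network-object 192.168.101.0 255.255.255.0
nat (inside,outside) source dynamic obj-192.168.101.0_2 obj-192.168.201.0_3 destination static obj-10.100.3.215 obj-10.100.3.215
nat (inside,outside) source dynamic obj-192.168.105.0_2 obj-192.168.205.0_3 destination static obj-10.100.3.215 obj-10.100.3.215
"""

# Constructed from the post's second attempt (rule 1 maps 101.0 onto 105.0).
SECOND_ATTEMPT = """
object network obj-10.100.3.215
 host 10.100.3.215
object-group network obj-192.168.205.0_2
 network-object 192.168.205.0 255.255.255.0
object-group network obj-192.168.201.0_2
 network-object 192.168.201.0 255.255.255.0
object-group network obj-192.168.105.0_2
 network-object 192.168.105.0 255.255.255.0
object-group network obj-192.168.101.0_2
 network-object 192.168.101.0 255.255.255.0
nat (inside,outside) source static obj-192.168.101.0_2 obj-192.168.105.0_2 destination static obj-10.100.3.215 obj-10.100.3.215
nat (inside,outside) source static obj-192.168.105.0_2 obj-192.168.205.0_2 destination static obj-10.100.3.215 obj-10.100.3.215
"""

# Assumed intent, mirroring the PIX global statements (101.0 -> 201.0, 105.0 -> 205.0).
CORRECTED = SECOND_ATTEMPT.replace(
    "source static obj-192.168.101.0_2 obj-192.168.105.0_2",
    "source static obj-192.168.101.0_2 obj-192.168.201.0_2")

if __name__ == "__main__":
    for label, cfg in (("first", FIRST_ATTEMPT), ("second", SECOND_ATTEMPT), ("corrected", CORRECTED)):
        print(label, check_twice_nat(cfg) or "no findings")
```

Run it as-is and the first attempt reports the two undefined objects, the second attempt reports that rule 1's mapped 192.168.105.0/24 overlaps rule 2's real source, and the corrected snippet is clean. The check is a lint, not a substitute for packet-tracer: it cannot tell whether a remote crypto ACL matches the mapped subnet, which is the usual reason a rule that translates correctly in packet-tracer still fails end to end.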

1 Reply

Anthony Jenkins
Level 1

I am trying to replace an ASA 5510 with an ASA 5515-X. When I try the same nat command as listed above, I get this message:

"ERROR: This syntax of nat command has been deprecated."

Is there an alternative to NAT to an access-list?

Thanks.
