10-25-2010 02:46 PM - edited 03-11-2019 12:00 PM
Trying to build a policy NAT for internal source network 172.30.243.0/24 to be NAT'ed to 10.249.44.0/24 when attempting to access destination external 10.102.1.0/24 networks. packet-tracer shows 172.30.243.0 hosts getting NAT'ed to a different global-NAT policy ID. I did verify that the internal and NAT'ed networks are not being used in other policy-NAT policies:
access-list mobile extended permit icmp 172.30.243.0 255.255.255.0 10.2.1.0 255.255.255.0
nat (inside) 8 access-list mobile
global (outside) 8 10.249.44.1 netmask 255.255.255.0
route outside 10.249.44.0 255.255.255.0 10.249.0.17
Any suggestions? Thank you.
10-26-2010 10:41 AM
Hello,
Thanks for posting. NAT order of operation should take the global 8 if the access-list nonat does not have the specified source. Now, can you try to ping from 172.30.243.69 to 10.102.0.1?
Gather the show xlate debug | inc 172.30.243.69 output and also the logs?
Mike
10-25-2010 03:02 PM
Hello Kevin,
Can you run the packet tracer and also do a show xlate and paste it over here?
Thanks!
Mike
10-26-2010 09:57 AM
The intended policy NAT is used in phase 7, but then it goes to a different policy NAT. Is the problem with the "top down" order of the nat policy process IDs?
global (outside) 1 10.249.0.2
global (outside) 2 10.235.32.1
global (outside) 3 10.252.2.240
global (outside) 6 10.252.3.240
global (outside) 4 10.249.10.64
global (outside) 7 10.249.10.128 netmask 255.255.255.224
global (outside) 8 10.249.43.1
global (xdmz) 1 10.249.254.3
global (xxdmz) 1 192.168.112.3
nat (inside) 0 access-list pnet_nonat
nat (inside) 6 access-list DIGEX_LOADBALANCED_destinations
nat (inside) 3 access-list DIGEXdestinations
nat (inside) 2 access-list xxxxx
nat (inside) 4 access-list nga-nat
nat (inside) 7 access-list nga-nat2
nat (inside) 8 access-list att_mobile
nat (inside) 1 0.0.0.0 0.0.0.0
11-10-2010 08:58 AM
Mike,
The packet-tracer report basically showed its "top down" process. The way I configured the firewall was correct; the issue was with the interesting-traffic ACL on a VPN IPsec router further downstream. But thanks for the help.
10-25-2010 03:03 PM
I noticed that your access-list looks a bit off:
access-list mobile extended permit icmp 172.30.243.0 255.255.255.0 10.2.1.0 255.255.255.0
I believe it should be:
access-list mobile extended permit ip 172.30.243.0 255.255.255.0 10.102.1.0 255.255.255.0
to reflect the 102.
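As an added illustration (not code from the thread or from Cisco), the following Python script models the pre-8.3 ASA NAT order of operations (nat 0 exemption first, then ACL-based policy NAT in config order, then address-based NAT) and runs it over a constructed excerpt of the config in this thread. With the ACL as posted (destination 10.2.1.0/24) a ping from 172.30.243.69 to 10.102.1.5 misses nat 8 and falls through to nat 1 / global 10.249.0.2; with the corrected ACL it hits nat 8 / global 10.249.44.1. The config excerpt, the sample addresses and the simplified order model are assumptions.

```python
import ipaddress

# Constructed excerpt of the thread's config: the ACL as posted (10.2.1.0),
# the exemption, the policy NAT, the catch-all NAT and the two global pools.
POSTED = """
access-list mobile extended permit icmp 172.30.243.0 255.255.255.0 10.2.1.0 255.255.255.0
nat (inside) 0 access-list pnet_nonat
nat (inside) 8 access-list mobile
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 8 10.249.44.1 netmask 255.255.255.0
global (outside) 1 10.249.0.2
"""
# Same excerpt with the ACL corrected as suggested in the last answer.
CORRECTED = POSTED.replace("permit icmp 172.30.243.0 255.255.255.0 10.2.1.0",
                           "permit ip 172.30.243.0 255.255.255.0 10.102.1.0")

def net(addr, mask):
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def parse(config):
    """Collect ACL entries, nat statements (in config order) and global pools."""
    acls, nats, pools = {}, [], {}
    for line in config.strip().splitlines():
        f = line.split()
        if f[0] == "access-list" and f[3] == "permit":
            acls.setdefault(f[1], []).append((f[4], net(f[5], f[6]), net(f[7], f[8])))
        elif f[0] == "nat":
            rule = ("acl", f[4]) if f[3] == "access-list" else ("net", net(f[3], f[4]))
            nats.append((int(f[2]),) + rule)
        elif f[0] == "global":
            pools[int(f[2])] = f[3]
    return acls, nats, pools

def acl_permits(entries, proto, src, dst):
    return any((p == "ip" or p == proto) and src in s and dst in d for p, s, d in entries)

def match_nat(config, proto, src, dst):
    """Return (nat id, global address) the packet hits, (0, None) if exempt,
    (None, None) if nothing matches. Assumed order: nat 0, ACL-based, address-based."""
    acls, nats, pools = parse(config)
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    ordered = sorted(nats, key=lambda n: 0 if n[0] == 0 else (1 if n[1] == "acl" else 2))
    for nat_id, kind, arg in ordered:  # stable sort keeps config order within a class
        hit = acl_permits(acls.get(arg, []), proto, src, dst) if kind == "acl" else src in arg
        if hit:
            return (0, None) if nat_id == 0 else (nat_id, pools.get(nat_id))
    return (None, None)

if __name__ == "__main__":
    print(match_nat(POSTED, "icmp", "172.30.243.69", "10.102.1.5"))     # (1, '10.249.0.2')
    print(match_nat(CORRECTED, "icmp", "172.30.243.69", "10.102.1.5"))  # (8, '10.249.44.1')
```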