08-23-2012 03:40 PM - edited 03-11-2019 04:45 PM
Hi,
Our NOC is trying to configure a site to site tunnel to one of our customers. The tunnel is up and operational, however we can't get our NAT rules to match what we want.
We are running ASA version 8.4(3)
The traffic is sourced from 172.16.1.50 (inside1) and destined to 192.168.2.9 (outside), the nat configuration is posted below:
NOC-ASA5510-01# show run nat
nat (inside1,inside2) source static ng-noc-networks ng-noc-networks destination static ng-inside2-networks ng-inside2-networks
nat (inside1,outside) source static test test-EXT destination static otherside otherside
object network obj_any
nat (inside1,outside) dynamic interface dns
object network servers-noc
nat (inside1,outside) static 192.168.1.68
Here is the output from the show nat detailed:
NOC-ASA5510-01# show nat detail
Manual NAT Policies (Section 1)
I left off entry 1 but it doesn't have any translated hits either
2 (inside1) to (outside) source static test test-EXT destination static otherside otherside
translate_hits = 0, untranslate_hits = 624
Source - Origin: 172.16.1.50/32, Translated: 192.168.1.67/32
Destination - Origin:192.168.2.9/32, Translated:192.168.2.9/32
Auto NAT Policies (Section 2)
1 (inside1) to (outside) source static servers-noc 192.168.1.68
translate_hits = 0, untranslate_hits = 187
Source - Origin: 172.16.1.101/32, Translated: 192.168.1.68/32
2 (inside1) to (outside) source dynamic obj_any interface dns
translate_hits = 58417, untranslate_hits = 1511
Source - Origin: 0.0.0.0/0, Translated: 192.168.1.66/29
Here are the network objects:
object network test
host 172.16.1.50
object network test-EXT
host 192.168.1.67
object network otherside
host 192.168.2.9
Here is the vpn configuration:
crypto map outside_map 1 match address tunnelcrypto
crypto map outside_map 1 set peer 192.168.3.4
crypto map outside_map 1 set ikev1 transform-set ESP-AES-256-SHA
access-list tunnelcrypto extended permit ip host 192.168.1.67 host 192.168.2.9
access-list tunnelcrypto extended permit ip host 192.168.2.9 host 192.168.1.67
When we run packet capture using icmp code 8 type 0 (echo request) it matches an object nat statement and not the twice nat.
NOC-ASA5510-01# packet-tracer input inside1 icmp 172.16.1.50 8 0 192.168.2.9 detailed
Phase: 6
Type: NAT
Subtype:
Result: ALLOW
Config:
object network obj_any
nat (inside1,outside) dynamic interface dns
Additional Information:
Dynamic translate 172.16.1.50/10 to 192.168.1.66/10
Thanks,
Tarik Admani
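As an added example (not part of the thread or of Cisco's tooling), here is a small Python model of the ASA's documented NAT evaluation order, Section 1 manual (twice) NAT in configured order followed by Section 2 object NAT, fed with the show nat detail output quoted above; comparing what it predicts for 172.16.1.50 to 192.168.2.9 against the packet-tracer phase shows the mismatch the post describes.

```python
import re
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network

@dataclass
class NatRule:
    section: int    # 1 = manual (twice) NAT, 2 = auto (object) NAT
    order: int      # position within the section as displayed
    text: str       # rule body as printed by 'show nat detail'
    src: IPv4Network = ip_network("0.0.0.0/0")
    dst: IPv4Network = ip_network("0.0.0.0/0")  # auto NAT never matches on destination
    translated: str = ""

# Constructed sample: the 'show nat detail' output quoted in the thread (inside1 -> outside rules only).
SHOW_NAT_DETAIL = """\
Manual NAT Policies (Section 1)
2 (inside1) to (outside) source static test test-EXT destination static otherside otherside
translate_hits = 0, untranslate_hits = 624
Source - Origin: 172.16.1.50/32, Translated: 192.168.1.67/32
Destination - Origin:192.168.2.9/32, Translated:192.168.2.9/32
Auto NAT Policies (Section 2)
1 (inside1) to (outside) source static servers-noc 192.168.1.68
translate_hits = 0, untranslate_hits = 187
Source - Origin: 172.16.1.101/32, Translated: 192.168.1.68/32
2 (inside1) to (outside) source dynamic obj_any interface dns
translate_hits = 58417, untranslate_hits = 1511
Source - Origin: 0.0.0.0/0, Translated: 192.168.1.66/29
"""

def parse_show_nat(text):
    """Turn 'show nat detail' output into NatRule objects; display order is evaluation order."""
    rules, section = [], 0
    for line in text.splitlines():
        if m := re.search(r"\(Section (\d)\)", line):
            section = int(m.group(1))
        elif m := re.match(r"(\d+) \(\S+\) to \(\S+\) (.+)", line):
            rules.append(NatRule(section, int(m.group(1)), m.group(2)))
        elif m := re.match(r"Source - Origin:\s*(\S+), Translated:\s*(\S+)", line):
            rules[-1].src, rules[-1].translated = ip_network(m.group(1)), m.group(2)
        elif m := re.match(r"Destination - Origin:\s*([^,]+),", line):
            rules[-1].dst = ip_network(m.group(1))
    return rules

def expected_rule(rules, src_ip, dst_ip):
    """First rule the ASA should apply: Section 1 (manual) in order, then Section 2 (auto) in order."""
    s, d = ip_address(src_ip), ip_address(dst_ip)
    for r in sorted(rules, key=lambda r: (r.section, r.order)):
        if s in r.src and d in r.dst:
            return r
    return None
```

For the flow in the post the model returns the Section 1 twice NAT rule (translated source 192.168.1.67/32), while packet-tracer reported the obj_any dynamic rule, which is the discrepancy worth flagging before touching the crypto ACL.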
08-23-2012 08:33 PM
Hello Tarik,
Just to clean the config:
On the crypto ACL you do not need to set the returning traffic
"access-list tunnelcrypto extended permit ip host 192.168.2.9 host 192.168.1.67"
Now regarding the NAT problem would you mind to do the following:
object network obj_any
no nat (inside1,outside) dynamic interface dns
Then create an object for the internal subnet
object network Internal_Subnet
subnet x.x.x.x x.x.x.x
nat (inside,outside) source dynamic Internal_Subnet interface
Do a clear xlate and finally try the packet tracer and provide me the output please
Regards!
Julio
Remember to rate all the helpful posts
08-24-2012 10:31 AM
Thanks Julio that did the trick!
Tarik Admani
*Please rate helpful posts*