
ASA 8.4 Dynamic PAT policy/S2S VPN issue

deyster94 (Level 5)

I am prepping new ASA 5525-Xs for a client that has multiple S2S VPNs.  On some of the VPN connections, I need to do a policy NAT to translate some of their subnets to a single IP address before it goes over the S2S VPN.  However, when I try to use a subnet, I keep getting the following error:

Subnet cannot be used as mapped source in dynamic nat policy.

This works fine on their old ASAs, which are running 8.2 code.  I figured out I can use a network range, but cannot go over 65535 (or whatever it is) addresses in that range.  This is very annoying when they have multiple networks they want to allow over the S2S VPN.  Is there any way around this, or am I stuck creating a network range for each subnet?

TIA,

Dan


7 Replies

Jennifer Halim (Cisco Employee)

Can you please post what you are trying to configure, with its error message? And also what you are trying to achieve, i.e. what source and what destination, and what you want to NAT it to.

Here is an example of what I am trying to do:

nat (inside,outside) source dynamic obj-10.0.0.0 obj-10.0.0.0 destination static remote-network obj-172.28.80.5

When I try to apply this nat, this is the error I get:

Subnet cannot be used as mapped source in dynamic NAT policy.

In the example, obj-10.0.0.0 is the 10.0.0.0/8 network.  If I change the second obj-10.0.0.0 to a single IP address or a network range, it works fine. 

I assume that you are trying to NAT 10.0.0.0/8 to 172.28.80.5 when it is accessing the remote network.

If the above assumption is correct, here is what you should configure:

nat (inside,outside) source dynamic obj-10.0.0.0 obj-172.28.80.5 destination static remote-network remote-network

Yes, that is what I am trying to do.  I put that command in and it took it.  However, I am somewhat confused about how the NAT is written (still trying to wrap my head around post-8.3 NATting).  To me it seems backwards when I look at it in the ASDM, since under NAT Rules -> Action: Translated Packet, it has as the source the address I need the subnet NATed to as the destination, and the subnet as the destination.  This seems backwards.

It goes like this:

nat (inside,outside) source dynamic real-source mapped/NATed-source destination static real-destination mapped/NATed-destination
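To make the accepted answer concrete, here is the full set of objects and the twice-NAT rule it relies on, written as an added example rather than config from the thread. The interface names, the 10.0.0.0/8 subnet and the 172.28.80.5 host come from the thread; the remote subnet 192.168.50.0/24, the ACL name and the packet-tracer addresses are placeholder values.

```text
! Added example, not from the original thread.
! Objects referenced by the NAT rule. The mapped source must be a host (or a range),
! which is why a subnet object in that position triggers
! "Subnet cannot be used as mapped source in dynamic NAT policy".
object network obj-10.0.0.0
 subnet 10.0.0.0 255.0.0.0
object network obj-172.28.80.5
 host 172.28.80.5
object network remote-network
 subnet 192.168.50.0 255.255.255.0   ! placeholder value for the peer's LAN

! Twice NAT: real source 10.0.0.0/8 -> mapped source 172.28.80.5 (dynamic PAT),
! applied only when the destination is remote-network, which stays untranslated
! (real-destination and mapped-destination are the same object).
nat (inside,outside) source dynamic obj-10.0.0.0 obj-172.28.80.5 destination static remote-network remote-network

! On 8.3+ the crypto ACL matches post-NAT addresses, so the interesting-traffic
! ACL for this tunnel must reference the mapped host, not 10.0.0.0/8.
access-list VPN-TO-REMOTE extended permit ip host 172.28.80.5 object remote-network

! Verification: confirm the rule exists and that a sample flow hits it
! (placeholder addresses; expect PAT to 172.28.80.5 and VPN encryption in the trace).
show nat detail
packet-tracer input inside tcp 10.1.2.3 12345 192.168.50.10 443
```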

Thanks for the explanation.  That makes sense now.

ccollins (Level 1)

Just in case someone else has a similar problem: I had the same error, but my rule was failing because the network object had an underscore in it.