Contributor

ASA 8.4 Dynamic PAT policy/S2S VPN issue

I am prepping new ASA 5525-X's for a client that has multiple S2S VPN's.  On some of the VPN connections, I need to do a policy nat to translate some of their subnets to a single IP address before it goes over the S2S VPN.  However, when I try to use a subnet, I keep getting the following error:

Subnet cannot be used as mapped source in dynamic nat policy.

This works fine on their old ASA's which are running 8.2 code.  I figured out I can use a network range, but cannot go over 65535 (or whatever it is) addresses in that range.  This is very annoying when they have multiple networks they want to allow over the S2S VPN.  Is there any way around this or am I stuck creating a network range for each subnet?

TIA,

Dan

Cisco Employee

Can you please post what you are trying to configure with its error message. And also what you are trying to configure, ie: what source and what destination and what do you want to NAT it to.

Contributor

Here is an example of what I am trying to do:

nat (inside,outside) source dynamic obj-10.0.0.0 obj-10.0.0.0 destination static remote-network obj-172.28.80.5

When I try to apply this nat, this is the error I get:

Subnet cannot be used as mapped source in dynamic NAT policy.

In the example, obj-10.0.0.0 is the 10.0.0.0/8 network.  If I change the second obj-10.0.0.0 to a single IP address or a network range, it works fine. 

Cisco Employee (accepted solution)

I assume that you are trying to NAT 10.0.0.0/8 to 172.28.80.5 when it is accessing the remote network.

If the above assumption is correct, here is what you should configure:

nat (inside,outside) source dynamic obj-10.0.0.0 obj-172.28.80.5 destination static remote-network remote-network

Contributor

Yes, that is what I am trying to do.  I put that command in and it took it.  However, I am somewhat confused on how the nat is written (still trying to wrap my head around post 8.3 natting).  To me it seems backwards when I look at it in the ASDM since under NAT Rules -> Action: Translated Packet, it has the source as the address I need the subnet natted to and the subnet as the destination.  This seems backwards.

Cisco Employee

It goes like this:

nat (inside,outside) source dynamic real-source mapped/NATed-source destination static real-destination mapped/NATed-destination
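As an added, worked example that is not from the thread: the network objects the accepted answer's nat line refers to, the same nat line, and the two checks a practitioner would run after it. The remote subnet 192.0.2.0/24, the ACL name VPN-TO-REMOTE and the packet-tracer hosts are assumptions, not values from the thread.

```cisco
! Real (pre-NAT) source: the whole 10.0.0.0/8 inside range
object network obj-10.0.0.0
 subnet 10.0.0.0 255.0.0.0
!
! Mapped source: a single host. The mapped object of a dynamic rule must be a
! host or a range; a subnet here is what raises
! "Subnet cannot be used as mapped source in dynamic NAT policy".
object network obj-172.28.80.5
 host 172.28.80.5
!
! Remote side of the tunnel. 192.0.2.0/24 is an assumed placeholder.
object network remote-network
 subnet 192.0.2.0 255.255.255.0
!
! Manual (twice) NAT, read left to right as
!   source dynamic <real-src> <mapped-src> destination static <real-dst> <mapped-dst>
! The destination object appears twice because it is only the match condition
! and is not translated.
nat (inside,outside) source dynamic obj-10.0.0.0 obj-172.28.80.5 destination static remote-network remote-network
!
! Since 8.3 the ASA translates before it consults the crypto map, so the
! crypto ACL for this tunnel must match the translated source 172.28.80.5,
! not 10.0.0.0/8. Assumed ACL name.
access-list VPN-TO-REMOTE extended permit ip object obj-172.28.80.5 object remote-network
!
! Check 1: confirm the rule is installed in the manual-NAT section and watch
! the translate_hits counter grow once traffic flows.
show nat detail
!
! Check 2: trace a constructed inside host to the remote network and confirm
! the NAT phase selects this rule and the VPN phase encrypts the packet.
packet-tracer input inside tcp 10.1.2.3 12345 192.0.2.10 443
```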

Contributor

Thanks for the explanation.  That makes sense now.

Beginner

Just in case someone else has a similar problem, I had the same error, but my rule was failing because the network object had an underscore in it.