cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
4927
Views
0
Helpful
7
Replies
deyster94
Contributor

ASA 8.4 Dynamic PAT policy/S2S VPN issue

I am prepping new ASA 5525-X's for a client that has multiple S2S VPN's.  On some of the VPN connections, I need to do a policy nat to translate some of their subnets to a single IP address before it goes over the S2S VPN.  However, when I try to use a subnet, I keep getting the following error:

Subnet cannot be used as mapped source in dynamic nat policy.

This works fine on their old ASA's which are running 8.2 code.  I figured out I can use a network range, but cannot go over 65535 (or whatever it is) addresses in that range.  This is very annoying when they have multiple networks they want to allow over the S2S VPN.  Is there anyway around this or am I stuck creating a network range for each subnet?

TIA,

Dan

1 ACCEPTED SOLUTION

Accepted Solutions

I assume that you are trying to NAT 10.0.0.0/8 to 172.28.80.5 when it is accessing the remote network.

If the above assumption is correct, here is what you should configure:

nat (inside,outside) source dynamic obj-10.0.0.0 obj-172.28.80.5 destination static remote-network remote-network

View solution in original post

7 REPLIES 7
Jennifer Halim
Cisco Employee

Can you please post what you are trying to configure with its error message. And also what you are trying to configure, ie: what source and what destination and what do you want to NAT it to.

Here is an example of what I am trying to do:

nat (inside,outside) source-dynamic obj-10.0.0.0 obj-10.0.0.0 destination static remote-network obj-172.28.80.5

When I try to apply this nat, this is the error I get:

Subnet cannot be used as mapped source in dynamic NAT policy.

In the example, obj-10.0.0.0 is the 10.0.0.0/8 network.  If I change the second obj-10.0.0.0 to a single IP address or a network range, it works fine. 

I assume that you are trying to NAT 10.0.0.0/8 to 172.28.80.5 when it is accessing the remote network.

If the above assumption is correct, here is what you should configure:

nat (inside,outside) source dynamic obj-10.0.0.0 obj-172.28.80.5 destination static remote-network remote-network

View solution in original post

Yes, that is what I am trying to do.  I put that command in and it took it.  However, I am somewhat confused on how the nat is written (still trying to wrap my head around post 8.3 natting).  To me it seems backwards when I look at it in the ASDM since under NAT Rules -> Action: Translated Packet, it has the source has the address I need the subnet natted to as the destination and the subnet as the destination.  This seems backwards.

It goes like this:

nat (inside,outside) source dynamic real-source mapped/NATed-source destination static real-destination mapped/NATed-destination

Thanks for the explaination.  That makes sense now.

ccollins
Beginner

Just in case someone else has a similar problem I had the same error, but my rule was failing becuase the network object had an underscore in it.

Content for Community-Ad