12-04-2014 01:20 PM
I am trying to build a tunnel to a customer with NATs and I am able to get 3 out of the 4 networks to communicate. The 1 network that doesn't respond is a DMZ network. Config snippets below. What am I doing wrong with the 10.0.87.0/24 network? The error on the log is "Routing failed to locate next hop"
interface Ethernet0/1
speed 100
duplex half
nameif inside
security-level 100
ip address 10.0.0.1 255.255.255.0
ospf cost 10
rip send version 1
!
interface Ethernet0/2
nameif DMZ
security-level 4
ip address 172.16.1.1 255.255.255.0
ospf cost 10
object network obj-172.16.1.0
subnet 172.16.1.0 255.255.255.0
object network comm-10.240.0.0
subnet 10.240.0.0 255.255.0.0
object network obj-10.0.12.0
subnet 10.0.12.0 255.255.255.0
object network obj-10.0.14.0
subnet 10.0.14.0 255.255.255.0
object network DNI-NAT1
subnet 10.0.84.0 255.255.255.0
object network DNI-NAT2
subnet 10.0.85.0 255.255.255.0
object network DNI-NAT3
subnet 10.0.86.0 255.255.255.0
object network DNI-NAT4
subnet 10.0.87.0 255.255.255.0
object-group network DNI_NAT
network-object object DNI-NAT1
network-object object DNI-NAT2
network-object object DNI-NAT3
network-object object DNI-NAT4
access-list DNI_VPN_NAT1 extended permit ip 10.0.0.0 255.255.255.0 object comm-10.240.0.0
access-list DNI_VPN_NAT2 extended permit ip 10.0.12.0 255.255.255.0 object comm-10.240.0.0
access-list DNI_VPN_NAT3 extended permit ip 10.0.14.0 255.255.255.0 object comm-10.240.0.0
access-list DNI_VPN_NAT4 extended permit ip 172.16.1.0 255.255.255.0 object comm-10.240.0.0
access-list DNI-VPN-Traffic extended permit ip object-group DNI_NAT object comm-10.240.0.0
nat (inside,outside) source static obj-10.0.12.0 DNI-NAT2 destination static comm-10.240.0.0 comm-10.240.0.0 net-to-net no-proxy-arp
nat (inside,outside) source static obj-10.0.14.0 DNI-NAT3 destination static comm-10.240.0.0 comm-10.240.0.0 net-to-net no-proxy-arp
nat (inside,outside) source static obj-172.16.1.0 DNI-NAT4 destination static comm-10.240.0.0 comm-10.240.0.0 net-to-net no-proxy-arp
12-05-2014 08:43 AM
Hello,
I see that the issue here is the NAT statement:
nat (inside,outside) source static obj-172.16.1.0 DNI-NAT4 destination static comm-10.240.0.0 comm-10.240.0.0 net-to-net no-proxy-arp
The correct Statement would be:
nat (DMZ,outside) source static obj-172.16.1.0 DNI-NAT4 destination static comm-10.240.0.0 comm-10.240.0.0 net-to-net no-proxy-arp
Go ahead and do a packet tracer:
packet-tracer input DMZ tcp 172.16.1.15 443 10.240.X.X detailed
So you will see the NAT exempt working now.
Let me know how it works out!
Please don't forget to rate and mark as correct the helpful Post!
Regards,
David Castro,
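One way to catch the mismatch David points out before the ASA logs "Routing failed to locate next hop", as an added example that is my code and not the poster's or Cisco's: a small Python checker that parses the nameif/ip address, route, object network and twice-NAT lines and flags every rule whose real (first) interface is not the one the routing table would pick for the source object's subnet. The sample config is condensed from the thread; the `route inside 10.0.12.0 ...` line is an assumption, since the post shows no routes.

```python
import ipaddress
import re
# Constructed sample condensed from the thread; "route inside ..." is an assumption (the post shows no routes).
ASA_CONFIG = """
interface Ethernet0/1
 nameif inside
 ip address 10.0.0.1 255.255.255.0
interface Ethernet0/2
 nameif DMZ
 ip address 172.16.1.1 255.255.255.0
route inside 10.0.12.0 255.255.255.0 10.0.0.2 1
object network obj-10.0.12.0
 subnet 10.0.12.0 255.255.255.0
object network obj-172.16.1.0
 subnet 172.16.1.0 255.255.255.0
nat (inside,outside) source static obj-10.0.12.0 DNI-NAT2 destination static comm-10.240.0.0 comm-10.240.0.0
nat (inside,outside) source static obj-172.16.1.0 DNI-NAT4 destination static comm-10.240.0.0 comm-10.240.0.0
"""
NAT_RE = re.compile(r"nat \((\S+),(\S+)\) source static (\S+) ")

def parse(config):
    """Return routes [(network, iface)] (connected + static), objects {name: net}, NAT rules [(real_if, src_obj)]."""
    routes, objects, nats = [], {}, []
    cur_if = cur_obj = None
    for line in map(str.strip, config.splitlines()):
        if line.startswith("nameif "):              # ASA emits nameif before ip address
            cur_if, cur_obj = line.split()[1], None
        elif line.startswith("ip address ") and cur_if:
            routes.append((ipaddress.ip_network("/".join(line.split()[2:4]), strict=False), cur_if))
        elif line.startswith("route "):             # route <iface> <net> <mask> <gateway> [metric]
            _, iface, net, mask, *_ = line.split()
            routes.append((ipaddress.ip_network(f"{net}/{mask}"), iface))
        elif line.startswith("object network "):
            cur_obj, cur_if = line.split()[2], None
        elif line.startswith("subnet ") and cur_obj:
            objects[cur_obj] = ipaddress.ip_network("/".join(line.split()[1:3]))
        elif m := NAT_RE.match(line):
            nats.append((m.group(1), m.group(3)))
    return routes, objects, nats

def misplaced_nat_rules(config):
    """(src_obj, real_if_in_rule, routed_if) for rules whose real interface differs from the longest-prefix route."""
    routes, objects, nats = parse(config)
    findings = []
    for real_if, src_obj in nats:
        hits = [(r.prefixlen, iface) for r, iface in routes if objects[src_obj].subnet_of(r)]
        routed_if = max(hits)[1] if hits else None
        if routed_if != real_if:
            findings.append((src_obj, real_if, routed_if))
    return findings
```

On the sample it reports only obj-172.16.1.0, written as (inside,outside) but routed via DMZ; rewriting that rule as (DMZ,outside) clears the finding.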
12-05-2014 09:06 AM
Thank you David,
I am going to go jump off a cliff now. This was silly!
12-05-2014 09:14 AM
It was a pleasure to help you on this!!
Have a great day!
David Castro,