Issue setting up policy nat for VPN Cisco ASA 5550
I have a Cisco ASA 5550 running ASA software version 8.2
Trying to setup a policy NAT for a VPN to a remote office that has a conflict with the local subnet being uses on our side. It appears like the Static NAT is not happening and I haven't been able to see why.
local subnet: 192.168.60.0/23
remote subnet: 192.168.10.0/24
translated subnet: 192.168.160.0/23
Here are some of the relevant configuration lines from the ASA:
ACL to identify traffic for policy nat:
access-list inside_nat_static extended permit ip 192.168.60.0 255.255.254.0 192.168.10.0 255.255.255.0
Static NAT statement for policy NAT:
static (inside,outside) 192.168.160.0 access-list inside_nat_static
NAT exempt statements:
global (outside) 10 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 10 192.168.60.0 255.255.254.0
The inside_nat0_outbound ACL has the following entry in it:
access-list inside_nat0_outbound extended permit ip 192.168.60.0 255.255.254.0 192.168.10.0 255.255.255.0
When I do a "show NAT inside outside" command I see the following results:
match ip inside 192.168.60.0 255.255.254.0 outside 192.168.10.0 255.255.255.0
NAT exempt
translate_hits = 16309, untranslate_hits = 0
match ip inside 192.168.60.0 255.255.254.0 outside 192.168.10.0 255.255.255.0 static translation to A-192.168.160.0
translate_hits = 0, untranslate_hits = 0
If I do a "show access-list inside_nat_static" the hit counter shows 0 as if it isn't even trying do the static translation.
Any thoughts or suggestions would be helpful.
Trying to setup a policy NAT for a VPN to a remote office that has a conflict with the local subnet being uses on our side. It appears like the Static NAT is not happening and I haven't been able to see why.
local subnet: 192.168.60.0/23
remote subnet: 192.168.10.0/24
translated subnet: 192.168.160.0/23
Here are some of the relevant configuration lines from the ASA:
ACL to identify traffic for policy nat:
access-list inside_nat_static extended permit ip 192.168.60.0 255.255.254.0 192.168.10.0 255.255.255.0
Static NAT statement for policy NAT:
static (inside,outside) 192.168.160.0 access-list inside_nat_static
NAT exempt statements:
global (outside) 10 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 10 192.168.60.0 255.255.254.0
The inside_nat0_outbound ACL has the following entry in it:
access-list inside_nat0_outbound extended permit ip 192.168.60.0 255.255.254.0 192.168.10.0 255.255.255.0
When I do a "show NAT inside outside" command I see the following results:
match ip inside 192.168.60.0 255.255.254.0 outside 192.168.10.0 255.255.255.0
NAT exempt
translate_hits = 16309, untranslate_hits = 0
match ip inside 192.168.60.0 255.255.254.0 outside 192.168.10.0 255.255.255.0 static translation to A-192.168.160.0
translate_hits = 0, untranslate_hits = 0
If I do a "show access-list inside_nat_static" the hit counter shows 0 as if it isn't even trying do the static translation.
Any thoughts or suggestions would be helpful.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
I will try to add the deny statement and see if that changes the static NAT