Solved

Issue setting up policy nat for VPN Cisco ASA 5550

Posted on 2013-05-30
495 Views
Last Modified: 2013-10-08
I have a Cisco ASA 5550 running ASA software version 8.2

Trying to set up a policy NAT for a VPN to a remote office that has a conflict with the local subnet being used on our side. It appears that the static NAT is not happening and I haven't been able to see why.

local subnet: 192.168.60.0/23
remote subnet: 192.168.10.0/24

translated subnet: 192.168.160.0/23

Here are some of the relevant configuration lines from the ASA:

ACL to identify traffic for policy nat:
access-list inside_nat_static extended permit ip 192.168.60.0 255.255.254.0 192.168.10.0 255.255.255.0

Static NAT statement for policy NAT:
static (inside,outside) 192.168.160.0  access-list inside_nat_static

NAT exempt statements:
global (outside) 10 interface

nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 10 192.168.60.0 255.255.254.0

The inside_nat0_outbound ACL has the following entry in it:
access-list inside_nat0_outbound extended permit ip 192.168.60.0 255.255.254.0 192.168.10.0 255.255.255.0

When I do a "show NAT inside outside" command I see the following results:

match ip inside 192.168.60.0 255.255.254.0 outside 192.168.10.0 255.255.255.0
    NAT exempt
    translate_hits = 16309, untranslate_hits = 0

  match ip inside 192.168.60.0 255.255.254.0 outside 192.168.10.0 255.255.255.0 static translation to A-192.168.160.0
    translate_hits = 0, untranslate_hits = 0

If I do a "show access-list inside_nat_static" the hit counter shows 0, as if it isn't even trying to do the static translation.

Any thoughts or suggestions would be helpful.
Question by: keagle79
2 Comments

Accepted Solution

by: rauenpc (earned 500 total points)
ID: 39209728
Your nat exemption and static nat look like they cover the same traffic. The nat exemption will take priority over the static nat because the nat exemption is entry 0 whereas your other entry is number 10.

In your nat exemption acl, you should be denying traffic from 192.168.60.0/24 going to 192.168.10.0/24. This will deny the traffic from being exempted from nat. Then the static nat should take effect.

Also, how do you expect traffic to flow on this VPN? Will all traffic be initiated from inside your network? If traffic will always be initiated from one side or another, a policy PAT will do fine, but if you expect bidirectional traffic, you will probably need to define all the one-to-one nats for this purpose.

I don't have an ASA with that version to test with, but your nat might translate to the host address 192.168.160.0/32, and not the subnet. Not sure if that was your intention.
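The lookup order the accepted answer describes, as an added illustration that is not part of the thread or of Cisco's code: a small model of the pre-8.3 ASA NAT decision (nat 0 exemption consulted first, then policy static), fed the asker's ACLs before and after the deny line is added. It assumes the static maps network-to-network across the /23 (the answer notes the real box might produce a /32 instead) and uses the constructed hosts 192.168.61.5 and 192.168.10.7.

```python
import ipaddress

# Constructed model of the ASA 8.2 NAT order discussed in the thread: a packet
# is tested against NAT exemption (nat 0 access-list) first; only if that does
# not permit it does policy static NAT apply. Not Cisco's implementation.

def acl_lookup(acl, src, dst):
    """First matching ACE wins; returns 'permit', 'deny' or None (implicit deny)."""
    for action, src_net, dst_net in acl:
        if src in src_net and dst in dst_net:
            return action
    return None

class Asa82Nat:
    def __init__(self, exempt_acl, static_acl, real_net, mapped_net):
        self.exempt_acl, self.static_acl = exempt_acl, static_acl
        self.real_net, self.mapped_net = real_net, mapped_net
        self.exempt_hits = 0   # counterpart of translate_hits on the 'NAT exempt' line
        self.static_hits = 0   # counterpart of translate_hits on the static line

    def translate(self, src, dst):
        """Return (rule_hit, translated_source) for an inside->outside packet."""
        if acl_lookup(self.exempt_acl, src, dst) == "permit":
            self.exempt_hits += 1
            return "exempt", src
        if acl_lookup(self.static_acl, src, dst) == "permit":
            self.static_hits += 1
            # assumption: network-to-network mapping, host offset preserved
            offset = int(src) - int(self.real_net.network_address)
            return "static", self.mapped_net.network_address + offset
        return "dynamic", src  # would fall through to nat (inside) 10 / global PAT

LOCAL = ipaddress.ip_network("192.168.60.0/23")
REMOTE = ipaddress.ip_network("192.168.10.0/24")
MAPPED = ipaddress.ip_network("192.168.160.0/23")
STATIC_ACL = [("permit", LOCAL, REMOTE)]  # inside_nat_static

def posted_config():
    # inside_nat0_outbound as posted: permits the VPN pair, so it is exempted
    return Asa82Nat([("permit", LOCAL, REMOTE)], STATIC_ACL, LOCAL, MAPPED)

def corrected_config():
    # deny ACE for the VPN pair placed ahead of the permit, per the accepted answer
    return Asa82Nat([("deny", LOCAL, REMOTE), ("permit", LOCAL, REMOTE)],
                    STATIC_ACL, LOCAL, MAPPED)

def translate_str(asa, src, dst):
    rule, addr = asa.translate(ipaddress.ip_address(src), ipaddress.ip_address(dst))
    return rule, str(addr)

if __name__ == "__main__":
    for name, asa in (("posted", posted_config()), ("corrected", corrected_config())):
        print(name, translate_str(asa, "192.168.61.5", "192.168.10.7"))
```

Running it shows the posted config counting only exemption hits, exactly the pattern in the asker's `show nat` output, while the corrected ACL lets the same packet reach the static line and leave as 192.168.161.5.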
Author Comment

by: keagle79
ID: 39213010
Traffic is bidirectional.

I will try to add the deny statement and see if that changes the static NAT.