Solved

Issue setting up policy nat for VPN Cisco ASA 5550

Posted on 2013-05-30
Last Modified: 2013-10-08
I have a Cisco ASA 5550 running ASA software version 8.2.

Trying to set up a policy NAT for a VPN to a remote office that has a conflict with the local subnet being used on our side. It appears that the static NAT is not happening and I haven't been able to see why.

local subnet: 192.168.60.0/23
remote subnet: 192.168.10.0/24

translated subnet: 192.168.160.0/23

Here are some of the relevant configuration lines from the ASA:

ACL to identify traffic for policy nat:
access-list inside_nat_static extended permit ip 192.168.60.0 255.255.254.0 192.168.10.0 255.255.255.0

Static NAT statement for policy NAT:
static (inside,outside) 192.168.160.0 access-list inside_nat_static

NAT exempt statements:
global (outside) 10 interface

nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 10 192.168.60.0 255.255.254.0

The inside_nat0_outbound ACL has the following entry in it:
access-list inside_nat0_outbound extended permit ip 192.168.60.0 255.255.254.0 192.168.10.0 255.255.255.0

When I do a "show nat inside outside" command I see the following results:

  match ip inside 192.168.60.0 255.255.254.0 outside 192.168.10.0 255.255.255.0
    NAT exempt
    translate_hits = 16309, untranslate_hits = 0

  match ip inside 192.168.60.0 255.255.254.0 outside 192.168.10.0 255.255.255.0 static translation to A-192.168.160.0
    translate_hits = 0, untranslate_hits = 0

If I do a "show access-list inside_nat_static" the hit counter shows 0, as if it isn't even trying to do the static translation.

Any thoughts or suggestions would be helpful.
Question by: keagle79

Accepted Solution by: rauenpc (LVL 20, earned 500 total points)
ID: 39209728
Your NAT exemption and static NAT look like they cover the same traffic. The NAT exemption will take priority over the static NAT because the NAT exemption is entry 0 whereas your other entry is number 10.

In your NAT exemption ACL, you should be denying traffic from 192.168.60.0/24 going to 192.168.10.0/24. This will deny the traffic from being exempted from NAT. Then the static NAT should take effect.

Also, how do you expect traffic to flow on this VPN? Will all traffic be initiated from inside your network? If traffic will always be initiated from one side or another, a policy PAT will do fine, but if you expect bidirectional traffic, you will probably need to define all the one-to-one nats for this purpose.

I don't have an ASA with that version to test with, but your NAT might translate to the host address 192.168.160.0/32, and not the subnet. Not sure if that was your intention.
 
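As an added illustration (not part of the original thread), here is a small Python model of the ASA 8.2 NAT order of operations that the answer relies on: the nat 0 exemption ACL is consulted before the static policy NAT, so the static ACL never gets a hit until a deny ACE for the VPN traffic is placed ahead of the permit in inside_nat0_outbound. The rule model is simplified, the deny uses the /23 from the question's configuration, and the host addresses are constructed.

```python
from ipaddress import ip_address, ip_network

# Constructed from the question's configuration (hosts used below are made up).
REAL = ip_network("192.168.60.0/23")      # local subnet
REMOTE = ip_network("192.168.10.0/24")    # remote office subnet
MAPPED = ip_network("192.168.160.0/23")   # translated subnet

def ace(action, src, dst):
    """One access-list entry: ('permit'|'deny', source network, destination network)."""
    return (action, src, dst)

def acl_match(acl, src, dst):
    """First-match ACL evaluation; None models the implicit deny at the end."""
    for action, s, d in acl:
        if src in s and dst in d:
            return action
    return None

# access-list inside_nat_static (the ACL referenced by the static policy NAT)
STATIC_ACL = [ace("permit", REAL, REMOTE)]
# access-list inside_nat0_outbound as posted: the same traffic, permitted
EXEMPT_AS_POSTED = [ace("permit", REAL, REMOTE)]
# rauenpc's suggestion: a deny ACE for the VPN traffic placed before the permit
EXEMPT_FIXED = [ace("deny", REAL, REMOTE)] + EXEMPT_AS_POSTED

def nat_decision(src, dst, exempt_acl):
    """Simplified 8.2 order of operations: NAT exemption (nat 0 access-list) is
    checked before static NAT, and static NAT before the dynamic nat/global pair.
    Returns (rule that matched, translated source address)."""
    src, dst = ip_address(src), ip_address(dst)
    if acl_match(exempt_acl, src, dst) == "permit":
        return ("nat-exempt", str(src))           # untranslated; static ACL never consulted
    if acl_match(STATIC_ACL, src, dst) == "permit" and src in REAL:
        offset = int(src) - int(REAL.network_address)   # one-to-one mapping within the /23
        return ("static-policy", str(ip_address(int(MAPPED.network_address) + offset)))
    # nat (inside) 10 192.168.60.0 255.255.254.0 / global (outside) 10 interface
    return ("dynamic-pat", "outside-interface")

if __name__ == "__main__":
    for label, acl in (("as posted", EXEMPT_AS_POSTED), ("with deny ACE", EXEMPT_FIXED)):
        print(label, nat_decision("192.168.60.5", "192.168.10.7", acl))
```

With the ACL as posted every VPN-bound packet stops at the exemption, which matches the 16309 exempt hits and 0 static hits in the question's show nat output.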
Author Comment by: keagle79
ID: 39213010
Traffic is bidirectional.

I will try to add the deny statement and see if that changes the static NAT.