Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people, just like you, are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
Solved

Issue setting up policy nat for VPN Cisco ASA 5550

Posted on 2013-05-30
2
491 Views
Last Modified: 2013-10-08
I have a Cisco ASA 5550 running ASA software version 8.2

Trying to setup a policy NAT for a VPN to a remote office that has a conflict with the local subnet being uses on our side.  It appears like the Static NAT is not happening and I haven't been able to see why.

local subnet: 192.168.60.0/23
remote subnet: 192.168.10.0/24

translated subnet: 192.168.160.0/23

Here are some of the relevant configuration lines from the ASA:

ACL to identify traffic for policy nat:
access-list inside_nat_static extended permit ip 192.168.60.0 255.255.254.0 192.168.10.0 255.255.255.0

Static NAT statement for policy NAT:
static (inside,outside) 192.168.160.0  access-list inside_nat_static

NAT exempt statements:
global (outside) 10 interface

nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 10 192.168.60.0 255.255.254.0

The inside_nat0_outbound ACL has the following entry in it:
access-list inside_nat0_outbound extended permit ip 192.168.60.0 255.255.254.0 192.168.10.0 255.255.255.0

When I do a "show NAT inside outside" command I see the following results:

match ip inside 192.168.60.0 255.255.254.0 outside 192.168.10.0 255.255.255.0
    NAT exempt
    translate_hits = 16309, untranslate_hits = 0

  match ip inside 192.168.60.0 255.255.254.0 outside 192.168.10.0 255.255.255.0 static translation to A-192.168.160.0
    translate_hits = 0, untranslate_hits = 0

If I do a "show access-list inside_nat_static" the hit counter shows 0 as if it isn't even trying do the static translation.

Any thoughts or suggestions would be helpful.
0
Comment
Question by:keagle79
2 Comments
 
LVL 20

Accepted Solution

by:
rauenpc earned 500 total points
ID: 39209728
Your nat exemption and static nat looks like it covers the same traffic. The nat exemption will take priority over the static nat because the nat exemption is entry 0 whereas your other entry is number 10.

In you nat exemption acl, you should be denying traffic from 192.168.60.0/24 going to 192.168.10.0/24. This will deny the traffic from being exempted from nat.  Then the static nat should take effect.

Also, how do you expect traffic to flow on this VPN? Will all traffic be initiated from inside your network? If traffic will always be initiated from one side or another, a policy PAT will do fine, but if you expect bidirectional traffic, you will probably need to define all the one-to-one nats for this purpose.

I don't have an asa with that version to test with, but your nat might translate to the host address 192.168.160.0/32, and not the subnet. Not sure if that was your intention.
0
 

Author Comment

by:keagle79
ID: 39213010
Traffic is bidirectional

I will try to add the deny statement and see if that changes the static NAT
0

Featured Post

Free Tool: Site Down Detector

Helpful to verify reports of your own downtime, or to double check a downed website you are trying to access.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Getting locked out and can't access Cisco via the web 18 76
2 Gateways (bandwidth) - One domain 7 82
Cable suggestions 5 73
igmp snooping in layer 2 switch 4 12
AWS has developed and created its highly available global infrastructure allowing users to deploy and manage their estates all across the world through the use of the following geographical components   RegionsAvailability ZonesEdge Locations  Wh…
Security is one of the biggest concerns when moving and migrating your data from your on-premise location to the Public Cloud.  Where is your data? Who can access it? Will it be safe from accidental deletion?  All of these questions and more are imp…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

856 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question