Issue setting up policy nat for VPN Cisco ASA 5550

I have a Cisco ASA 5550 running ASA software version 8.2

Trying to setup a policy NAT for a VPN to a remote office that has a conflict with the local subnet being uses on our side.  It appears like the Static NAT is not happening and I haven't been able to see why.

local subnet: 192.168.60.0/23
remote subnet: 192.168.10.0/24

translated subnet: 192.168.160.0/23

Here are some of the relevant configuration lines from the ASA:

ACL to identify traffic for policy nat:
access-list inside_nat_static extended permit ip 192.168.60.0 255.255.254.0 192.168.10.0 255.255.255.0

Static NAT statement for policy NAT:
static (inside,outside) 192.168.160.0  access-list inside_nat_static

NAT exempt statements:
global (outside) 10 interface

nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 10 192.168.60.0 255.255.254.0

The inside_nat0_outbound ACL has the following entry in it:
access-list inside_nat0_outbound extended permit ip 192.168.60.0 255.255.254.0 192.168.10.0 255.255.255.0

When I do a "show NAT inside outside" command I see the following results:

match ip inside 192.168.60.0 255.255.254.0 outside 192.168.10.0 255.255.255.0
    NAT exempt
    translate_hits = 16309, untranslate_hits = 0

  match ip inside 192.168.60.0 255.255.254.0 outside 192.168.10.0 255.255.255.0 static translation to A-192.168.160.0
    translate_hits = 0, untranslate_hits = 0

If I do a "show access-list inside_nat_static" the hit counter shows 0 as if it isn't even trying do the static translation.

Any thoughts or suggestions would be helpful.
keagle79Asked:
Who is Participating?

Improve company productivity with a Business Account.Sign Up

x
 
rauenpcConnect With a Mentor Commented:
Your nat exemption and static nat looks like it covers the same traffic. The nat exemption will take priority over the static nat because the nat exemption is entry 0 whereas your other entry is number 10.

In you nat exemption acl, you should be denying traffic from 192.168.60.0/24 going to 192.168.10.0/24. This will deny the traffic from being exempted from nat.  Then the static nat should take effect.

Also, how do you expect traffic to flow on this VPN? Will all traffic be initiated from inside your network? If traffic will always be initiated from one side or another, a policy PAT will do fine, but if you expect bidirectional traffic, you will probably need to define all the one-to-one nats for this purpose.

I don't have an asa with that version to test with, but your nat might translate to the host address 192.168.160.0/32, and not the subnet. Not sure if that was your intention.
0
 
keagle79Author Commented:
Traffic is bidirectional

I will try to add the deny statement and see if that changes the static NAT
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.