Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win

x
?
Solved

Issue setting up policy nat for VPN Cisco ASA 5550

Posted on 2013-05-30
2
Medium Priority
?
519 Views
Last Modified: 2013-10-08
I have a Cisco ASA 5550 running ASA software version 8.2

Trying to setup a policy NAT for a VPN to a remote office that has a conflict with the local subnet being uses on our side.  It appears like the Static NAT is not happening and I haven't been able to see why.

local subnet: 192.168.60.0/23
remote subnet: 192.168.10.0/24

translated subnet: 192.168.160.0/23

Here are some of the relevant configuration lines from the ASA:

ACL to identify traffic for policy nat:
access-list inside_nat_static extended permit ip 192.168.60.0 255.255.254.0 192.168.10.0 255.255.255.0

Static NAT statement for policy NAT:
static (inside,outside) 192.168.160.0  access-list inside_nat_static

NAT exempt statements:
global (outside) 10 interface

nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 10 192.168.60.0 255.255.254.0

The inside_nat0_outbound ACL has the following entry in it:
access-list inside_nat0_outbound extended permit ip 192.168.60.0 255.255.254.0 192.168.10.0 255.255.255.0

When I do a "show NAT inside outside" command I see the following results:

match ip inside 192.168.60.0 255.255.254.0 outside 192.168.10.0 255.255.255.0
    NAT exempt
    translate_hits = 16309, untranslate_hits = 0

  match ip inside 192.168.60.0 255.255.254.0 outside 192.168.10.0 255.255.255.0 static translation to A-192.168.160.0
    translate_hits = 0, untranslate_hits = 0

If I do a "show access-list inside_nat_static" the hit counter shows 0 as if it isn't even trying do the static translation.

Any thoughts or suggestions would be helpful.
0
Comment
Question by:keagle79
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
2 Comments
 
LVL 20

Accepted Solution

by:
rauenpc earned 2000 total points
ID: 39209728
Your nat exemption and static nat looks like it covers the same traffic. The nat exemption will take priority over the static nat because the nat exemption is entry 0 whereas your other entry is number 10.

In you nat exemption acl, you should be denying traffic from 192.168.60.0/24 going to 192.168.10.0/24. This will deny the traffic from being exempted from nat.  Then the static nat should take effect.

Also, how do you expect traffic to flow on this VPN? Will all traffic be initiated from inside your network? If traffic will always be initiated from one side or another, a policy PAT will do fine, but if you expect bidirectional traffic, you will probably need to define all the one-to-one nats for this purpose.

I don't have an asa with that version to test with, but your nat might translate to the host address 192.168.160.0/32, and not the subnet. Not sure if that was your intention.
0
 

Author Comment

by:keagle79
ID: 39213010
Traffic is bidirectional

I will try to add the deny statement and see if that changes the static NAT
0

Featured Post

Get your Conversational Ransomware Defense e‑book

This e-book gives you an insight into the ransomware threat and reviews the fundamentals of top-notch ransomware preparedness and recovery. To help you protect yourself and your organization. The initial infection may be inevitable, so the best protection is to be fully prepared.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

If you are thinking of adopting cloud services, or just curious as to what ‘the cloud’ can offer then the leader according to Gartner for Infrastructure as a Service (IaaS) is Amazon Web Services (AWS).  When I started using AWS I was completely new…
Envision that you are chipping away at another e-business site with a team of pundit developers and designers. Everything seems, by all accounts, to be going easily.
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Suggested Courses

604 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question