12-04-2007 01:59 AM - edited 03-11-2019 04:38 AM
Hi
I am about to establish an L2L tunnel with a remote site. But they say that my local network 10.10.10.0/24 is already in use at their site, so they want me to NAT my local network and go through the tunnel. I have an ASA 5540. I have just 3 hosts here to communicate over the tunnel: 10.10.10.x, 10.10.10.y and 10.10.10.z. So in this case I can establish this by
remote network=20.20.20.0/24
access-list x permit ip 10.10.10.0 255.255.255.0 20.20.20.0 255.255.255.0
nat (inside) 5 access-list x
global (outside) 5 somerealIPs of my outside interface here
I assume the above is correct. But I don't want to waste my real IPs at the outside interface. Can I write a random IP like
global (outside) 5 192.168.100.0 255.255.255.248
then modify the match ACL of vpn tunnel as
access-list matchacl permit ip 192.168.100.0 255.255.255.248 20.20.20.0 255.255.255.0
Is this correct? Or any other suggestions?
12-04-2007 02:09 AM
Hi,
From my knowledge your configuration looks fine.
The only caveat I can see is that you will need to ensure the hosts talking over the VPN are not NATed by any previous NAT statements. This may mean you need to use ACLs rather than nat statements.
Cheers
Chris
ps: please rate :)
12-04-2007 02:25 AM
Hi
This looks fine as long as the remote site does not need to initiate any of the connections to your end. If they do, you will need to set up static translations, otherwise they will not be able to connect.
Jon
12-04-2007 02:27 AM
Hi Jon,
Out of interest and completeness, would this then be an inside-inside static or outside-outside.
Cheers
Chris
12-04-2007 02:31 AM
Chris
It would be a "static (inside,outside) ...." because you are presenting the addresses to the remote end.
You raise an interesting point though. You will need them to NAT their 10.x.x.x addresses as well, because if they don't, when they enter your LAN after being NATed from 192.168.x.x the destination of the packet will be 10.x.x.x and the source will be 10.x.x.x.
So either they need to NAT their source IPs or you need to NAT them.
Jon
12-04-2007 07:13 AM
Chris
Apologies, please ignore the previous bit about having to NAT their source IP addresses. For some reason I assumed they were using 10.x.x.x addressing as well, but they aren't.
The bit about the static command still stands though.
Jon
12-04-2007 03:09 AM
Thanks for contributing guys
So following is OK
remote network=20.20.20.0/24
access-list x permit ip 10.10.10.0 255.255.255.0 20.20.20.0 255.255.255.0
nat (inside) 5 access-list x
global (outside) 5 192.168.100.0 255.255.255.248
access-list matchacl permit ip 192.168.100.0 255.255.255.248 20.20.20.0 255.255.255.0
static (inside,outside) 10.10.10.x 192.168.100.x netmask 255.255.255.255
static (inside,outside) 10.10.10.y 192.168.100.y netmask 255.255.255.255
static (inside,outside) 10.10.10.z 192.168.100.z netmask 255.255.255.255
As I mentioned, my outside interface has a real IP like 212.xx.34.xx/29. In this case, the outside interface is aware of the 212.xx.34.xx/29 network, so I can write ACLs like
access-list outside_access_in permit tcp any host 212.xx.34.xx eq 3389
access-list outside_access_in permit tcp any host 212.xx.34.xy eq 3389
access-list outside_access_in permit tcp any host 212.xx.34.xz eq 3389
access-group outside_access_in in interface outside
Here is the issue. I have to apply ACLs for the following statics
static (inside,outside) 10.10.10.x 192.168.100.x netmask 255.255.255.255
static (inside,outside) 10.10.10.y 192.168.100.y netmask 255.255.255.255
static (inside,outside) 10.10.10.z 192.168.100.z netmask 255.255.255.255
access-list xxxx permit ip 20.20.20.0 255.255.255.0 192.168.100.0 255.255.255.248
Should xxxx be outside_access_in? If yes, how does the ASA know that the 192.168.100.0 network is on the outside? Because of the global statement?
Is the above the only way of achieving what I want, or are there any alternatives?
Regards
12-04-2007 03:11 AM
Sorry, the statics should be
static (inside,outside) 192.168.100.x 10.10.10.x netmask 255.255.255.255
static (inside,outside) 192.168.100.y 10.10.10.y netmask 255.255.255.255
static (inside,outside) 192.168.100.z 10.10.10.z netmask 255.255.255.255
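As an added illustration of the packet flow the thread is working out (this is my own model, not anything the posters ran and not Cisco code), the Python below simulates how a pre-8.3 ASA orders the pieces in this design: outbound, the static or the nat/global policy translation is applied first and the crypto ACL is matched on the translated packet, which is why matchacl has to name 192.168.100.0/29; inbound, the outside interface ACL is evaluated against the mapped destination, which is why the rule the poster asks about belongs in outside_access_in and why the ASA treats 192.168.100.0/29 as "on the outside" (it is the mapped side of the static (inside,outside) commands); and a remote-initiated packet to a host that only has a dynamic nat/global entry is dropped until that host has built an xlate, which is Jon's point about needing statics. All addresses are constructed: the three host statics are assumed to map 10.10.10.11-13 to 192.168.100.1-3, and the dynamic pool is assumed to be 192.168.100.4-6 so it does not overlap the statics.

```python
"""Simplified model of pre-8.3 ASA NAT and L2L crypto-map processing.
Added example for this thread; the addresses and pool below are constructed."""
import ipaddress
from typing import Dict, List, Optional, Tuple


def in_net(ip: str, cidr: str) -> bool:
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)


# --- constructed configuration mirroring the thread (hypothetical addresses) ---
# static (inside,outside) 192.168.100.N 10.10.10.M netmask 255.255.255.255
STATICS: Dict[str, str] = {            # real -> mapped
    "10.10.10.11": "192.168.100.1",
    "10.10.10.12": "192.168.100.2",
    "10.10.10.13": "192.168.100.3",
}
# nat (inside) 5 access-list x  /  global (outside) 5 192.168.100.4-192.168.100.6
POLICY_NAT = {"src": "10.10.10.0/24", "dst": "20.20.20.0/24",
              "pool": ["192.168.100.4", "192.168.100.5", "192.168.100.6"]}
# access-list matchacl permit ip 192.168.100.0 255.255.255.248 20.20.20.0 255.255.255.0
CRYPTO_ACL: List[Tuple[str, str]] = [("192.168.100.0/29", "20.20.20.0/24")]
# access-list outside_access_in permit ip 20.20.20.0 255.255.255.0 192.168.100.0 255.255.255.248
OUTSIDE_IN: List[Tuple[str, str]] = [("20.20.20.0/24", "192.168.100.0/29")]


class Asa:
    def __init__(self) -> None:
        self.xlate: Dict[str, str] = {}            # real -> mapped, built dynamically
        self.free_pool = list(POLICY_NAT["pool"])

    def outbound(self, src: str, dst: str) -> Tuple[str, bool]:
        """Inside -> outside: translate first, then match the crypto ACL on the
        translated packet. Returns (mapped source, True if sent through the tunnel)."""
        if src in STATICS:                         # a static wins over nat/global
            mapped = STATICS[src]
        elif in_net(src, POLICY_NAT["src"]) and in_net(dst, POLICY_NAT["dst"]):
            if src not in self.xlate:              # first flow allocates a pool address
                if not self.free_pool:
                    raise RuntimeError("NAT pool exhausted")
                self.xlate[src] = self.free_pool.pop(0)
            mapped = self.xlate[src]
        else:
            mapped = src                           # no translation rule applies
        encrypted = any(in_net(mapped, s) and in_net(dst, d) for s, d in CRYPTO_ACL)
        return mapped, encrypted

    def inbound(self, src: str, dst: str) -> Optional[str]:
        """Tunnel -> inside, remote-initiated. Returns the real inside host, or None if dropped."""
        # 1. decrypted traffic must match the mirror image of the crypto ACL
        if not any(in_net(dst, s) and in_net(src, d) for s, d in CRYPTO_ACL):
            return None
        # 2. outside_access_in is checked against the MAPPED destination (pre-8.3 behaviour)
        if not any(in_net(src, s) and in_net(dst, d) for s, d in OUTSIDE_IN):
            return None
        # 3. untranslate: only statics and already-built dynamic xlates can match
        for real, mapped in {**self.xlate, **STATICS}.items():
            if mapped == dst:
                return real
        return None                                # no xlate for this mapped address


if __name__ == "__main__":
    asa = Asa()
    print(asa.outbound("10.10.10.11", "20.20.20.5"))   # static host, tunnelled
    print(asa.inbound("20.20.20.5", "192.168.100.1"))  # remote reaches it by its static
    print(asa.inbound("20.20.20.5", "192.168.100.4"))  # dynamic-only address: dropped
```

Two things the model makes visible that the thread does not spell out: a plain `static (inside,outside)` translates those three hosts for every destination reached through the outside interface, not only the tunnel (the `outbound` call to a non-tunnel address still returns the 192.168.100.x source), so if those hosts also need ordinary Internet access through the interface address, a policy static (`static (inside,outside) 192.168.100.x access-list ...`) scoped to the 20.20.20.0/24 destination is the cleaner form; and with the dynamic pool alone a remote-initiated connection succeeds only after the inside host has already talked outbound and holds an xlate.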