07-17-2008 06:05 AM
Hi All
How do I NAT my internal network to a different IP range before it reaches the destination LAN?
07-17-2008 11:31 PM
Hi,
No, you don't need NAT0 anymore, and actually it is mandatory to remove it, as NAT0 takes precedence over the other NAT statements.
You should translate the whole subnet to one IP using policy-based NAT:
nat (inside) 10 access-list VPN-NAT
global (outside) 10 172.16.20.1
access-list VPN-NAT permit ip 192.168.10.0 255.255.255.0 192.50.100.32 255.255.255.240
The crypto map access-list:
access-list VPN permit ip host 172.16.20.1 192.50.100.32 255.255.255.240
To check the NAT:
sh xlate
To test the full setup, use the "packet-tracer" command, which generates a bogus packet with the characteristics you want, passes it through all the ASA internal processes and shows you the result.
Please rate if this helped.
Regards,
Daniel
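As an added illustration (my own code, not part of the thread or any Cisco tool), a small Python model of the NAT order Daniel describes on a pre-8.3 ASA: the nat 0 exemption is checked before policy NAT, and the crypto map ACL is matched against the post-NAT source. The NAT and crypto tables below are hand-written from his configuration, and the test addresses are constructed.

```python
import ipaddress

def in_net(ip, net):
    """True if address ip falls inside CIDR network net."""
    return ipaddress.ip_address(ip) in ipaddress.ip_network(net)

def translate(src, dst, nat_exempt, policy_nat):
    """Return the source address the packet carries when it reaches the crypto map.

    nat_exempt: list of (src_net, dst_net) pairs from a 'nat 0 access-list ...'.
    policy_nat: list of (src_net, dst_net, global_ip) from 'nat (inside) N access-list'
                plus its matching 'global (outside) N <ip>'.
    """
    for s, d in nat_exempt:            # nat 0 is evaluated first and wins: no translation
        if in_net(src, s) and in_net(dst, d):
            return src
    for s, d, g in policy_nat:         # policy NAT: PAT the whole subnet to one global IP
        if in_net(src, s) and in_net(dst, d):
            return g
    return src                         # no NAT rule matched

def matches_crypto_acl(src, dst, crypto_acl):
    """True if (post-NAT) src/dst is 'interesting traffic' for the crypto map."""
    return any(in_net(src, s) and in_net(dst, d) for s, d in crypto_acl)

def will_be_encrypted(src, dst, nat_exempt, policy_nat, crypto_acl):
    """Does a packet from src to dst end up inside the L2L tunnel?"""
    return matches_crypto_acl(translate(src, dst, nat_exempt, policy_nat), dst, crypto_acl)

# Tables taken from the configuration in the answer above.
POLICY_NAT = [("192.168.10.0/24", "192.50.100.32/28", "172.16.20.1")]
CRYPTO_ACL = [("172.16.20.1/32", "192.50.100.32/28")]
# A leftover nat 0 rule for the same traffic (the thing Daniel says must be removed).
STALE_NAT0 = [("192.168.10.0/24", "192.50.100.32/28")]

if __name__ == "__main__":
    # Constructed test packet: an inside host talking to a data-centre host.
    print(will_be_encrypted("192.168.10.5", "192.50.100.40", [], POLICY_NAT, CRYPTO_ACL))
    print(will_be_encrypted("192.168.10.5", "192.50.100.40", STALE_NAT0, POLICY_NAT, CRYPTO_ACL))
```

With the stale nat 0 in place the packet keeps its 192.168.10.x source, the crypto ACL (which only lists host 172.16.20.1) never matches, and the traffic leaves in the clear instead of through the tunnel.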
07-17-2008 08:33 AM
What device are you using?
Router or ASA?
Regards,
Daniel
07-17-2008 05:56 PM
Hi
We are using an ASA 5505, Version 7.2(2).
The other end is a data centre and also uses a Cisco ASA, Version 8.02.
I have done the L2L VPN and it is successful, as I can see below:
IKE Peer: 202.6.X.Y
Type : L2L Role : initiator
Rekey : no State : MM_ACTIVE
However, they want us to NAT our LAN IP range (192.168.10.0/24) to 172.16.20.0/27, although the actual IP range of the data centre is 192.50.100.32/28.
1) Do I still need to use nat 0 for 192.168.10.0/24 to 192.50.100.32/28?
2) How do I use NAT to translate 192.168.10.0/24 to 172.16.20.0/27 before it reaches the data centre via the VPN?
Thanks,
Janaka
07-17-2008 11:52 PM
Hi Daniel
Do I need to use static translations like the one below as well?
static (inside,outside) 172.16.20.1 access-list VPN-NAT
Regards,
Janaka
07-18-2008 01:57 AM
Hi,
No, static is used only for one-to-one translations.
Please rate if this helped.
Regards,
Daniel
07-19-2008 08:49 PM
Hi Daniel
It works now. However, there was a mismatch I found in the IPsec hash, which I corrected to match the destination.
Regards,
Janaka