NAT help with ASA 5520

Dec 21st, 2008

Hi,


I have a VPN to an external company. This VPN is connected to the ASA's outside interface and they just need to access a VLAN which is connected to the ASA - all works. This VLAN they connect to is on a Cisco 3750 switch which is simply connected to one of the gigabit ports on the ASA.


This external company connects to the VLAN IP range of 172.29.x.x/16. Now, in my LAN I have a monitoring server on 192.168.12.91 that needs to ping a server on their LAN which is 10.10.1.1. They already have a server on 192.168.12.91, so how can I NAT this IP to, say, a 172.29.x.x IP?


My server is

JORGE RODRIGUEZ Sun, 12/21/2008 - 08:18

This external company connects to the VLAN IP range of 172.29.x.x/16. Now, in my LAN I have a monitoring server on 192.168.12.91 that needs to ping a server on their LAN which is 10.10.1.1. They already have a server on 192.168.12.91, so how can I NAT this IP to, say, a 172.29.x.x IP?


If I understand correctly, you have a server on the inside as 192.168.12.91 that needs to connect to the 10.10.1.1 server on the other side, but they also have a server with an IP of 192.168.12.91. You can NAT 192.168.12.91 in your LAN for it to appear as a 172.29.x.x address through that tunnel by using policy NAT.


Follow this example.


http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00808c9950.shtml


On your ASA side, you can do something similar to the example in the link above:


access-list new extended permit ip 172.29.x.x 255.255.255.0 10.10.1.1 255.255.255.0


access-list policy-nat extended permit ip 192.168.12.91 255.255.255.0 10.10.1.1 255.255.255.0


static (inside,outside) 172.29.x.x access-list policy-nat



whiteford Sun, 12/21/2008 - 09:21

Hi,


I have not used a policy NAT before, are they dynamic and only used when needed?


I noticed you have to create a new access list:


access-list "new", do I have to create a new name or can I use an existing one? I'm just not sure if it will mess things up or not.


The current ones I have are:


access-list outside_access_in

access-list inside_access_in

access-list DMZ_access_in

access-list inside_outbound_nat0_acl


access-list DMZ6_access_in - this is the 172.29.x.x vlan

JORGE RODRIGUEZ Sun, 12/21/2008 - 10:39

I have not used a policy NAT before, are they dynamic and only used when needed?


Generally when you have overlapping networks you can use Policy nat, and it seems from your description there is overlapping networks.


To be clear, where is the 192.168.12.91 host? Is it on the inside or the DMZ? It is important because the policy NAT needs to be correct in terms of where it will policy NAT against.


The address you use to NAT 192.168.12.91 does not necessarily have to be a 172.29.x.x address; it could be any other address as long as it does not overlap on the other end.



You don't have to create a new ACL; use the same one you are using for that L2L tunnel. You can use your current NAT exempt access list inside_outbound_nat0_acl, which maps to your crypto ACL.


Add another line in your NAT exempt ACL of this tunnel.


e.g.


access-list inside_outbound_nat0_acl extended permit ip 172.29.x.x 255.255.255.0 10.10.1.1 255.255.255.0


access-list policy-nat extended permit ip 192.168.12.91 255.255.255.0 10.10.1.1 255.255.255.0

static (interface_where_192.168.12.91_resides,outside) 172.29.x.x access-list policy-nat



Always..always backup your configuration in text format.




Could you post the config so I can get a picture of your L2L ACLs?


Regards
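A complete worked version of the policy NAT described in the two replies above, written as an added example (this is not config posted by either participant). It assumes pre-8.3 ASA NAT syntax (8.0/8.2, the era of the thread), that 192.168.12.91 sits on the inside interface, that the partner network behind the tunnel is 10.10.1.0/24, and that 172.29.200.91 is a free address in the 172.29.0.0/16 range the partner already accepts; every name and address in it is a placeholder. It also spells out the NAT order-of-operations caveat (NAT exemption is evaluated before static policy NAT) and the read-only commands to verify the translation before relying on it.

```cisco
! Added example, not from the thread. Placeholders throughout:
!   - ASA software before 8.3 (classic nat/static syntax)
!   - host 192.168.12.91 is on "inside"
!   - partner network reachable over the L2L tunnel is 10.10.1.0/24
!   - 172.29.200.91 is an unused address in the 172.29.0.0/16 range the partner accepts
!   - the existing crypto ACL already permits 172.29.0.0/16 -> 10.10.1.0/24 (as posted)

! 1. Policy static NAT: translate 192.168.12.91 ONLY when it talks to the partner
!    network. "host" avoids the host-address-with-/24-mask ambiguity in the sketch above.
access-list POLICY_NAT_MON extended permit ip host 192.168.12.91 10.10.1.0 255.255.255.0
static (inside,outside) 172.29.200.91 access-list POLICY_NAT_MON

! 2. Keep the existing NAT exemption for the real 172.29.0.0/16 VLAN.
!    Caveat: nat 0 (exemption) is matched BEFORE static policy NAT, so the exempt ACL
!    must NOT also contain a 192.168.12.91 -> 10.10.1.0/24 line; if it did, the monitor
!    host would enter the tunnel untranslated and collide with the partner's 192.168.12.91.
access-list inside_outbound_nat0_acl extended permit ip 172.29.0.0 255.255.0.0 10.10.1.0 255.255.255.0
nat (inside) 0 access-list inside_outbound_nat0_acl

! 3. Replies from 10.10.1.1 arrive addressed to 172.29.200.91 and the static untranslates
!    them. If inbound VPN traffic is filtered (sysopt connection permit-vpn disabled), the
!    outside ACL must name the MAPPED address, since pre-8.3 ACLs see mapped addresses.
access-list outside_access_in extended permit icmp host 10.10.1.1 host 172.29.200.91 echo-reply

! 4. Verification (read-only) before and after the change:
! show running-config static
! show running-config nat
! packet-tracer input inside icmp 192.168.12.91 8 0 10.10.1.1 detailed
!    -> expect a NAT phase showing 192.168.12.91 -> 172.29.200.91 followed by VPN encrypt
! show xlate | include 192.168.12.91

! ASA 8.3+ equivalent (twice NAT, assumed object names), for reference only:
! object network MON_REAL
!  host 192.168.12.91
! object network MON_MAPPED
!  host 172.29.200.91
! object network PARTNER_NET
!  subnet 10.10.1.0 255.255.255.0
! nat (inside,outside) source static MON_REAL MON_MAPPED destination static PARTNER_NET PARTNER_NET
```

The translation is destination-dependent, so 192.168.12.91 keeps its real address for everything except the partner subnet, which is what makes the overlap harmless on both ends. Run the packet-tracer line before saving the config: if its NAT phase shows the identity (nat 0) rule instead of the static, the exemption ACL is shadowing the policy NAT and needs to be narrowed.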





whiteford Sun, 12/21/2008 - 11:06

Hi, the 192.168.12.91 host is on my LAN (inside). This VPN to this external company has only the 172.29.x.x/16 subnet allowed through these SAs, so I thought if I NAT the 192.168.12.91 IP to that range there is less to configure on the phase 2 IPsec that is working.


This is what I found:


access-list outside_2_cryptomap extended permit ip 172.29.0.0 255.255.0.0 10.10.1.0 255.255.255.0



access-list outside_access_in extended permit icmp object-group 10.10.1.0 object-group 172.29.0.0 echo-reply


access-list inside_outbound_nat0_acl extended permit ip 172.29.0.0 255.255.0.0 10.10.1.0 255.255.255.0


access-list DMZ_access_in extended permit icmp object-group 172.29.0.0 object-group 10.10.1.0 echo-reply

JORGE RODRIGUEZ Sun, 12/21/2008 - 11:59

So you are already using 172.29.0.0/16 to NAT any inside hosts using this 172.29.0.0 network.


Not to get confused, please post the complete config so I can see the flow of your NAT exempt and global statements before suggesting further.





whiteford Sun, 12/21/2008 - 12:17

Hi, I will need to spend some time editing my config for security reasons, but will do, unless you can state the sections you need.


For my understanding, you say I am using 172.29.0.0/16 to NAT any inside address; what part of the config does that? This NAT exempt rule: access-list inside_outbound_nat0_acl extended permit ip 172.29.0.0 255.255.0.0 10.10.1.0 255.255.255.0


