12-21-2008 03:39 AM - edited 03-11-2019 07:28 AM
Hi,
I have a VPN to an external company. This VPN is connected to the ASA's outside interface and they just need to access a VLAN which is connected to the ASA - all works. This VLAN they connect to is on a Cisco 3750 switch which is simply connected to one of the gigabit ports on the ASA.
This external company connects to the VLAN IP range of 172.29.x.x/16. Now, in my LAN I have a monitoring server on 192.168.12.91 that needs to ping a server on their LAN which is 10.10.1.1. They already have a server on 192.168.12.91, so how can I NAT this IP to, say, a 172.29.x.x IP?
My server is
12-21-2008 08:18 AM
This external company connects to the VLAN IP range of 172.29.x.x/16. Now, in my LAN I have a monitoring server on 192.168.12.91 that needs to ping a server on their LAN which is 10.10.1.1. They already have a server on 192.168.12.91, so how can I NAT this IP to, say, a 172.29.x.x IP?
If I understand correctly, you have a server on the inside as 192.168.12.91 that needs to connect to the 10.10.1.1 server on the other side, but they also have a server with an IP of 192.168.12.91. You can NAT 192.168.12.91 in your LAN so that it appears as a 172.29.x.x address through that tunnel by using policy NAT.
Follow this example.
On your ASA side, you can do something similar to the example in the link above:
access-list new extended permit ip 172.29.x.x 255.255.255.0 10.10.1.1 255.255.255.0
access-list policy-nat extended permit ip 192.168.12.91 255.255.255.0 10.10.1.1 255.255.255.0
static (inside,outside) 172.29.x.x access-list policy-nat
12-21-2008 09:21 AM
Hi,
I have not used a policy NAT before, are they dynamic and only used when needed?
I noticed you have to create a new access list:
access-list "new" - do I have to create a new name, or can I use an existing one? I'm just not sure if it will mess things up or not.
The current ones I have are:
access-list outside_access_in
access-list inside_access_in
access-list DMZ_access_in
access-list inside_outbound_nat0_acl
access-list DMZ6_access_in - this is the 172.29.x.x VLAN
12-21-2008 10:39 AM
I have not used a policy NAT before, are they dynamic and only used when needed?
Generally, when you have overlapping networks you can use policy NAT, and from your description it seems there are overlapping networks.
To be clear, where is the 192.168.12.91 host? Is it on the inside or the DMZ? This is important because the policy NAT needs to be correct in terms of which interface it will policy NAT against.
The address you use to NAT 192.168.12.91 does not necessarily have to be a 172.29.x.x address; it could be any other address as long as it does not overlap on the other end.
You don't have to create a new ACL. Use the same one you are using for that L2L tunnel: you can use your current NAT exempt access list inside_outbound_nat0_acl, which maps to your crypto ACL.
Add another line in the NAT exempt ACL of this tunnel.
e.g.
access-list inside_outbound_nat0_acl extended permit ip 172.29.x.x 255.255.255.0 10.10.1.1 255.255.255.0
access-list policy-nat extended permit ip 192.168.12.91 255.255.255.0 10.10.1.1 255.255.255.0
static (interface_where_192.168.12.91_resides,outside) 172.29.x.x access-list policy-nat
Always..always backup your configuration in text format.
Could you post the config to get a picture of your L2L ACLs?
Regards
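To show what the policy NAT lines in the two replies above actually do to a packet, here is a small Python model added for this thread; it is not Cisco code and not from the original posts. It assumes a constructed mapped address 172.29.1.91 standing in for the 172.29.x.x placeholder, uses a host mask on 192.168.12.91 (the posts use 255.255.255.0), and models only the policy static and its ACL, not NAT exemption, the crypto map or the ASA's full NAT ordering.

```python
"""Toy model of ASA 8.x policy static NAT (constructed example for this thread)."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

IPv4 = ipaddress.IPv4Address
Net = ipaddress.IPv4Network


@dataclass(frozen=True)
class Ace:
    """One 'permit ip SRC DST' entry; policy NAT only looks at src and dst."""
    src: Net
    dst: Net


def parse_ace(line: str) -> tuple[str, Ace]:
    """Parse 'access-list NAME extended permit ip SRC SMASK DST DMASK'."""
    p = line.split()
    if len(p) != 9 or p[0] != "access-list" or p[2:5] != ["extended", "permit", "ip"]:
        raise ValueError(f"unsupported ACE: {line}")
    # ipaddress accepts dotted netmasks after the slash; strict=False keeps host bits.
    return p[1], Ace(Net(f"{p[5]}/{p[6]}", strict=False), Net(f"{p[7]}/{p[8]}", strict=False))


@dataclass
class PolicyStatic:
    real_if: str
    mapped_if: str
    mapped: IPv4   # the single address the real host appears as
    acl: str       # ACL that decides *when* the translation applies


class Asa:
    def __init__(self) -> None:
        self.acls: dict[str, list[Ace]] = {}
        self.statics: list[PolicyStatic] = []

    def add_ace(self, line: str) -> None:
        name, ace = parse_ace(line)
        self.acls.setdefault(name, []).append(ace)

    def add_policy_static(self, line: str) -> None:
        """Parse 'static (REAL_IF,MAPPED_IF) MAPPED_IP access-list ACL'."""
        p = line.split()
        if len(p) != 5 or p[0] != "static" or p[3] != "access-list":
            raise ValueError(f"unsupported static: {line}")
        real_if, mapped_if = p[1].strip("()").split(",")
        self.statics.append(PolicyStatic(real_if, mapped_if, IPv4(p[2]), p[4]))

    def outbound(self, src: str, dst: str) -> str:
        """Source address the remote side sees for real src -> dst.

        Policy NAT fires only when the ACL matches BOTH src and dst, which is
        what lets the overlapping 192.168.12.91 keep its real address elsewhere.
        """
        s, d = IPv4(src), IPv4(dst)
        for st in self.statics:
            if any(s in a.src and d in a.dst for a in self.acls.get(st.acl, [])):
                return str(st.mapped)
        return str(s)

    def inbound(self, src: str, dst: str) -> str:
        """Real destination for remote src -> mapped dst (a static is bidirectional).

        Only host (/32) ACL sources are reversed here; a subnet source would need
        a net-to-net static, which this toy does not model.
        """
        s, d = IPv4(src), IPv4(dst)
        for st in self.statics:
            if d != st.mapped:
                continue
            for a in self.acls.get(st.acl, []):
                if s in a.dst and a.src.prefixlen == 32:
                    return str(a.src.network_address)
        return str(d)


def build_example() -> Asa:
    """Constructed config mirroring the thread: 172.29.1.91 is an assumed mapped IP."""
    asa = Asa()
    asa.add_ace("access-list policy-nat extended permit ip "
                "192.168.12.91 255.255.255.255 10.10.1.0 255.255.255.0")
    asa.add_policy_static("static (inside,outside) 172.29.1.91 access-list policy-nat")
    return asa


if __name__ == "__main__":
    asa = build_example()
    print(asa.outbound("192.168.12.91", "10.10.1.1"))   # monitoring ping -> 172.29.1.91
    print(asa.outbound("192.168.12.91", "10.20.0.5"))   # other destination -> unchanged
    print(asa.inbound("10.10.1.1", "172.29.1.91"))      # echo-reply -> 192.168.12.91
```

The two things worth checking in a real deployment follow from the model: the policy-nat ACL destination must cover the remote subnet the crypto ACL (outside_2_cryptomap) names, otherwise the translated source never enters the tunnel, and the mapped address must fall inside the 172.29.0.0/16 range the peer already accepts as the interesting traffic.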
12-21-2008 11:06 AM
Hi, the 192.168.12.91 host is on my LAN (inside). The VPN to this external company has only the 172.29.x.x/16 subnet allowed through its SAs, so I thought if I NAT the 192.168.12.91 IP to that range there is less to configure on the phase 2 IPsec that is already working.
This is what I found:
access-list outside_2_cryptomap extended permit ip 172.29.0.0 255.255.0.0 10.10.1.0 255.255.255.0
access-list outside_access_in extended permit icmp object-group 10.10.1.0 object-group 172.29.0.0 echo-reply
access-list inside_outbound_nat0_acl extended permit ip 172.29.0.0 255.255.0.0 10.10.1.0 255.255.255.0
access-list DMZ_access_in extended permit icmp object-group 172.29.0.0 object-group 10.10.1.0 echo-reply
12-21-2008 11:59 AM
So you are already using 172.29.0.0/16 to NAT any inside hosts using this 172.29.0.0 network.
To avoid confusion, please post the complete config so we can see the flow of your NAT exempt and global statements before suggesting further.
12-21-2008 12:17 PM
Hi, I will need to spend some time editing my config for security reasons, but will do, unless you can state the sections you need.
For my understanding, you say I am using 172.29.0.0/16 to NAT any inside address; what part of the config does that? This NAT exempt rule: access-list inside_outbound_nat0_acl extended permit ip 172.29.0.0 255.255.0.0 10.10.1.0 255.255.255.0