Policy NAT thru VPN

Unanswered Question
Oct 7th, 2009

Hi all,

I have an ASA with these settings:

Internal Network: 192.168.1.0/24
External Interface: AA.183.142.222

Our vendor has an ASA with these settings:

Internal Network: 192.168.50.0/24
External Interface: BB.179.80.108

We wish to create an L2L VPN with our vendor. They require that when our internal traffic goes through the VPN tunnel, it must be translated to 10.1.0.8/32. In other words, traffic sourced from OUR internal network and destined to the vendor's internal network must appear to them to be coming from 10.1.0.8/32.

A simple diagram would be like so:

192.168.1.0/24 ----> translate to 10.1.0.8 only for this VPN tunnel ----> 192.168.50.0/24 (vendor int. network)

Below is how I think I should configure my ASA. Any suggestions would be appreciated.


interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address AA.183.142.222 255.255.255.224
!
access-list E-MD extended permit ip host 10.1.0.8 192.168.50.0 255.255.255.0
access-list policy-nat extended permit ip 192.168.1.0 255.255.255.0 192.168.50.0 255.255.255.0
!
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 5 10.1.0.8 netmask 255.255.255.255
nat (inside) 5 access-list policy-nat
!
crypto map outside_map 20 match address E-MD
crypto map outside_map 20 set peer BB.179.80.108
crypto map outside_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
!
crypto isakmp policy 20
 authentication pre-share
 encryption 3des
 hash sha
 group 1
 lifetime 86400
!
tunnel-group BB.179.80.108 type ipsec-l2l
tunnel-group BB.179.80.108 ipsec-attributes
 pre-shared-key XXXXXXXx



Thanks,
SM


Your config is almost there. Now you need to not 're-NAT' the VPN traffic after you have already policy-NATted it; add:

nat (inside) 0 access-list E-MD

This will not NAT the traffic from 10.1.0.8 to 192.168.50.0/24 as it enters the VPN tunnel.

Remove:

global (outside) 5 10.1.0.8 netmask 255.255.255.255

This is not required.

HTH

atpham Thu, 10/08/2009 - 08:36

I used ASDM to create it. You can convert it to fit your ACL names.

access-list inside_nat0_outbound extended permit ip host 10.1.0.8 192.168.50.0 255.255.255.0
access-list inside_nat_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list outside_2_cryptomap extended permit ip host 10.1.0.8 192.168.50.0 255.255.255.0

global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 5 10.1.0.8 netmask 255.255.255.255
nat (inside) 5 access-list inside_nat_outbound

crypto map outside_map 2 match address outside_2_cryptomap
crypto map outside_map 2 set peer BB.xx.xx.xx
crypto map outside_map 2 set transform-set ESP-3DES-MD5
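To see how the ASA handles a packet under this kind of configuration, here is an added example that is not from any post in this thread and is not Cisco code: a small Python model of the pre-8.3 outbound NAT order of operations (NAT exemption via nat 0, then policy dynamic NAT, then regular dynamic NAT/PAT; static NAT is left out because none is used here), followed by the crypto-map match, which the ASA performs on the translated addresses. It is loaded with atpham's posted rules. The addresses 203.0.113.222 and 198.51.100.7 are stand-ins I chose for the masked outside interface and an arbitrary Internet host, and the REAL_NET_CRYPTO_ACL and NO_GLOBAL variants are hypothetical misconfigurations built to show two failure modes, not configs anyone in the thread posted.

```python
"""Constructed model of pre-8.3 ASA outbound NAT order plus crypto-map matching.

Not Cisco code. Implements the documented order: NAT exemption (nat 0 access-list),
then policy dynamic NAT (nat <id> access-list), then regular dynamic NAT/PAT.
Static NAT is omitted because the thread uses none. The crypto ACL is then
tested against the TRANSLATED packet, which is what decides encryption.
"""
from dataclasses import dataclass, replace
from ipaddress import IPv4Address, IPv4Network
from typing import List, Optional, Tuple

Ace = Tuple[IPv4Network, IPv4Network]

# Stand-in for the masked outside address AA.183.142.222 (assumption, RFC 5737 space).
OUTSIDE_IP = IPv4Address("203.0.113.222")


def ace(src: str, dst: str) -> Ace:
    """One 'access-list ... extended permit ip <src> <dst>' entry (use /32 for 'host')."""
    return IPv4Network(src), IPv4Network(dst)


def acl_matches(acl: List[Ace], src: IPv4Address, dst: IPv4Address) -> bool:
    """True if any ACE permits this source/destination pair."""
    return any(src in s and dst in d for s, d in acl)


@dataclass(frozen=True)
class PolicyNat:
    nat_id: int
    acl: List[Ace]                      # nat (inside) <id> access-list <acl>
    global_addr: Optional[IPv4Address]  # global (outside) <id> <addr>; None if absent


@dataclass(frozen=True)
class AsaConfig:
    nat0_acl: List[Ace]                 # nat (inside) 0 access-list <acl>
    policy_nats: List[PolicyNat]
    dynamic_nat_net: IPv4Network        # nat (inside) 1 0.0.0.0 0.0.0.0
    dynamic_global: IPv4Address         # global (outside) 1 interface
    crypto_acl: List[Ace]               # crypto map ... match address <acl>


def translate(cfg: AsaConfig, src: IPv4Address, dst: IPv4Address):
    """Return (translated source, reason) for an inside->outside packet; source is None if dropped."""
    # 1. NAT exemption is evaluated first, against the REAL (untranslated) addresses.
    if acl_matches(cfg.nat0_acl, src, dst):
        return src, "nat 0: exempt, left untranslated"
    # 2. Policy dynamic NAT: the first matching nat statement wins and needs a global with its id.
    for p in cfg.policy_nats:
        if acl_matches(p.acl, src, dst):
            if p.global_addr is None:
                return None, f"dropped: nat {p.nat_id} matched but there is no global (outside) {p.nat_id}"
            return p.global_addr, f"policy nat {p.nat_id} -> {p.global_addr}"
    # 3. Regular dynamic NAT/PAT for everything else.
    if src in cfg.dynamic_nat_net:
        return cfg.dynamic_global, f"nat 1: PAT to interface {cfg.dynamic_global}"
    return src, "no nat statement matched"


def outbound(cfg: AsaConfig, src: str, dst: str) -> dict:
    """Translate the packet, then match the TRANSLATED packet against the crypto ACL."""
    d = IPv4Address(dst)
    xsrc, reason = translate(cfg, IPv4Address(src), d)
    if xsrc is None:
        return {"translated_src": None, "encrypted": False, "reason": reason}
    return {"translated_src": str(xsrc),
            "encrypted": acl_matches(cfg.crypto_acl, xsrc, d),
            "reason": reason}


# atpham's posted rules, transcribed (ACL names noted in comments).
POLICY_ACE = ace("192.168.1.0/24", "192.168.50.0/24")        # inside_nat_outbound
ATPHAM = AsaConfig(
    nat0_acl=[ace("10.1.0.8/32", "192.168.50.0/24")],        # inside_nat0_outbound
    policy_nats=[PolicyNat(5, [POLICY_ACE], IPv4Address("10.1.0.8"))],
    dynamic_nat_net=IPv4Network("0.0.0.0/0"),
    dynamic_global=OUTSIDE_IP,
    crypto_acl=[ace("10.1.0.8/32", "192.168.50.0/24")],      # outside_2_cryptomap
)

# Hypothetical variants (not from the thread) showing two failure modes.
# (a) crypto ACL written against the real inside network: NAT runs first, so it never matches.
REAL_NET_CRYPTO_ACL = replace(ATPHAM, crypto_acl=[ace("192.168.1.0/24", "192.168.50.0/24")])
# (b) nat (inside) 5 present but no global (outside) 5 for it.
NO_GLOBAL = replace(ATPHAM, policy_nats=[PolicyNat(5, [POLICY_ACE], None)])

if __name__ == "__main__":
    cases = (("atpham", ATPHAM), ("real-net crypto ACL", REAL_NET_CRYPTO_ACL), ("no global 5", NO_GLOBAL))
    for name, cfg in cases:
        for dst in ("192.168.50.20", "198.51.100.7"):   # vendor host, arbitrary Internet host
            print(f"{name:20} 192.168.1.10 -> {dst:15} {outbound(cfg, '192.168.1.10', dst)}")
```

Running it shows that a packet from 192.168.1.10 to 192.168.50.20 is not caught by the nat 0 ACL (that ACL is compared against the real source, which is not 10.1.0.8), is translated by policy NAT 5 to 10.1.0.8, and only then matches outside_2_cryptomap and is encrypted; traffic to an Internet host falls through to the interface PAT and stays in the clear. With the crypto ACL written against 192.168.1.0/24 the same packet is translated but never matches the crypto map, and with nat 5 present but no global 5 it matches no translation group and is dropped before the crypto map is consulted.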

