10-23-2009 04:15 AM - edited 03-11-2019 09:30 AM
Hello
I want to set up a L2L tunnel to a third party. Because of their requirements and ours, I want to NAT both our addresses and theirs on our end. Is that possible?
I'll explain further in the attached topology. I have local clients addressed 172.30.30.81-94 that need to access equipment in the remote end with real IPs 10.5.10.11-15. However, I want to access these 5 IPs by addressing them 192.168.7.10,11,20,21,22. Also, my source traffic shouldn't be visible to the remote end; I want them to see me as 10.250.192.193-206.
I am trying to do setups like these:
objects:
object-group network VPN-COMPANY_localip_real
network-object 172.30.30.80 255.255.255.240
object-group network VPN-COMPANY_localip_nat
network-object 10.250.192.192 255.255.255.240
object-group network VPN-COMPANY_remoteip_real
network-object host 10.5.10.11
network-object host 10.5.10.12
network-object host 10.5.10.13
network-object host 10.5.10.14
network-object host 10.5.10.15
object-group network VPN-COMPANY_remoteip_nat
network-object host 192.168.7.10
network-object host 192.168.7.11
network-object host 192.168.7.20
network-object host 192.168.7.21
network-object host 192.168.7.22
One per source address:
access-list VPN-COMPANY_static_193 extended permit ip host 172.30.30.81 object-group VPN-COMPANY_remoteip_nat
access-list VPN-COMPANY_static_193 extended permit ip host 172.30.30.81 object-group VPN-COMPANY_remoteip_real
static (Inside,Internet) 10.250.192.193 access-list VPN-COMPANY_static_193
access-list VPN-COMPANY_static_194 extended permit ip host 172.30.30.82 object-group VPN-COMPANY_remoteip_nat
access-list VPN-COMPANY_static_194 extended permit ip host 172.30.30.82 object-group VPN-COMPANY_remoteip_real
static (Inside,Internet) 10.250.192.194 access-list VPN-COMPANY_static_194
..
..
..
and one for each destination ip:
access-list VPN-COMPANY_static_11 extended permit ip object-group VPN-COMPANY_localip_nat host 192.168.7.10
access-list VPN-COMPANY_static_11 extended permit ip object-group VPN-COMPANY_localip_real host 192.168.7.10
static (Inside,Internet) 10.5.10.11 access-list VPN-COMPANY_static_11
access-list VPN-COMPANY_static_12 extended permit ip object-group VPN-COMPANY_localip_nat host 192.168.7.11
access-list VPN-COMPANY_static_12 extended permit ip object-group VPN-COMPANY_localip_real host 192.168.7.11
static (Inside,Internet) 10.5.10.12 access-list VPN-COMPANY_static_12
..
..
..
but, when entering these statics for 10.5.10.x I get this error message:
ERROR: access-list used in static has different local addresses
What am I doing wrong? Is this possible to do in ASA 8.x?
Also, as you see, my policy NAT ACLs are twice as big as they should be. That's because I am not fully sure about which IPs to use, the real or the NATted?
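The error in the post comes from a consistency rule on policy statics: a static maps one real local address, so every ACE in the ACL it references must use the same source (local) address. The small checker below, an added example that is not from this thread or from Cisco, replays that rule over the two ACL/static pairs quoted above (the config text is constructed from the post); it assumes the rule is purely "all sources identical", which is what the error text suggests.

```python
# Added example, not from the thread: a checker for the ASA 8.x rule behind
# "ERROR: access-list used in static has different local addresses".
# A policy static maps ONE real local address, so every ACE in the ACL it
# references must carry the same source ("local") address spec.
CONFIG = """
access-list VPN-COMPANY_static_193 extended permit ip host 172.30.30.81 object-group VPN-COMPANY_remoteip_nat
access-list VPN-COMPANY_static_193 extended permit ip host 172.30.30.81 object-group VPN-COMPANY_remoteip_real
static (Inside,Internet) 10.250.192.193 access-list VPN-COMPANY_static_193
access-list VPN-COMPANY_static_11 extended permit ip object-group VPN-COMPANY_localip_nat host 192.168.7.10
access-list VPN-COMPANY_static_11 extended permit ip object-group VPN-COMPANY_localip_real host 192.168.7.10
static (Inside,Internet) 10.5.10.11 access-list VPN-COMPANY_static_11
"""  # constructed from the lines quoted in the original post


def _addr(tokens, i):
    """Consume one ASA address spec at tokens[i]: any | host A | object-group G | net mask."""
    if tokens[i] == "any":
        return "any", i + 1
    return " ".join(tokens[i:i + 2]), i + 2


def parse(config):
    """Return ({acl: [(src, dst), ...]}, [(mapped_ip, acl), ...]) for policy statics."""
    aces, statics = {}, []
    for line in config.strip().splitlines():
        t = line.split()
        if t[0] == "access-list" and t[2] == "extended":
            src, i = _addr(t, 5)  # t[3] is 'permit', t[4] the protocol
            dst, _ = _addr(t, i)
            aces.setdefault(t[1], []).append((src, dst))
        elif t[0] == "static" and "access-list" in t:
            statics.append((t[2], t[t.index("access-list") + 1]))
    return aces, statics


def check_statics(config):
    """Map each policy static's mapped IP to 'ok' or an ASA-style error text."""
    aces, statics = parse(config)
    verdicts = {}
    for mapped_ip, acl in statics:
        local = {src for src, _ in aces.get(acl, [])}
        verdicts[mapped_ip] = ("ok" if len(local) == 1 else
                               "ERROR: access-list used in static has different "
                               "local addresses (sources: " + ", ".join(sorted(local)) + ")")
    return verdicts


if __name__ == "__main__":
    for ip, verdict in check_statics(CONFIG).items():
        print(ip, verdict)
```

The source-side static passes because both ACEs share `host 172.30.30.81`; the destination-side static fails because its two ACEs name different source object-groups, which is exactly the pairing the error rejects.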
10-23-2009 06:24 AM
Yes this is possible - but even your config confuses me!!
Try writing the ACLs without using objects and use specific host IPs.
This will help with the troubleshooting.
HTH
10-23-2009 11:29 AM
Jimmy
Firstly you will need some static (internet,inside) statements.
Try this config -
These static statements allow your inside devices to send traffic to 192.168.7.x addresses, which will then get translated to 10.5.0.x addresses on your firewall.
access-list VPN-COMPANY_static_193
static (internet,outside) 192.168.7.10 10.0.5.11 netmask 255.255.255.255
static (internet,outside) 192.168.7.11 10.0.5.12 netmask 255.255.255.255
static (internet,outside) 192.168.7.20 10.0.5.13 netmask 255.255.255.255
static (internet,outside) 192.168.7.21 10.0.5.14 netmask 255.255.255.255
static (internet,outside) 192.168.7.22 10.0.5.15 netmask 255.255.255.255
You need to use the NATted IPs in your ACL, i.e. from your above example -
access-list VPN-COMPANY_static_193 extended permit ip host 172.30.30.81 object-group VPN-COMPANY_remoteip_nat
static (inside,internet) 10.250.192.193 access-list VPN-COMPANY_static_193
and you do this for each source IP.
As for your access-list and statics for the destination address, you don't need them because they have already been taken care of with the first static statements in my post.
Note - because you are translating 192.168.7.x to 10.0.5.x addressing, I'm assuming you don't need to do conditional NAT as you have to do with your source addressing, because nothing will try to get to 192.168.7.x unless it is via the VPN tunnel.
If i have assumed wrongly you will need to modify the first set of static statements with acls.
Jon