Setting Up PAT for VPN

Unanswered Question
Jan 7th, 2010

I need to set up a PAT rule on an ASA 5520 for an IPsec site-to-site VPN. I checked a Cisco reference and found that the following script might work; can anyone tell me if this is the correct command syntax/setup?

ciscoasa# access-list VPN_PAT-1 permit ip 10.20.20.0 255.255.255.0 69.77.199.100 255.255.255.224

ciscoasa#  global (outside) 5 172.31.150.145 netmask 255.255.255.255

ciscoasa# nat (inside) 5 access-list VPN_PAT-1 255.255.255.0

ciscoasa# wr mem

Thanks,

g -

Jon Marshall Thu, 01/07/2010 - 13:20

g.harper wrote:

I need to set up a PAT rule on an ASA 5520 for an IPsec site-to-site VPN. I checked a Cisco reference and found that the following script might work; can anyone tell me if this is the correct command syntax/setup?

ciscoasa# access-list VPN_PAT-1 permit ip 10.20.20.0 255.255.255.0 69.77.199.100 255.255.255.224

ciscoasa#  global (outside) 5 172.31.150.145 netmask 255.255.255.255

ciscoasa# nat (inside) 5 access-list VPN_PAT-1 255.255.255.0

ciscoasa# wr mem

Thanks,

g -

Greg

The above will PAT all 10.20.20.x addresses to 172.31.150.145 when the traffic is going to the 69.77.99.100 network, although this is not actually the network, i.e. with a 255.255.255.224 subnet mask the actual network would be 69.77.199.96.

Don't forget that the crypto map will need to refer to the 172.31.150.145 address and not the original 10.20.20.x addresses.

Jon

Alexandro Carra... Thu, 01/07/2010 - 13:21

You can get rid of the netmask after the ACL name in the nat (inside) 5 access-list VPN_PAT-1 255.255.255.0 command and that should work... Just make sure that the interesting traffic is matching from 172.31.150.145 to 69.77.199.100 255.255.255.224.

gammatel1 Thu, 01/07/2010 - 13:34

Correct syntax...

ciscoasa# access-list VPN_PAT-1 permit ip 10.20.20.0 255.255.255.0 69.77.199.100 255.255.255.224

ciscoasa#  global (outside) 5 172.31.150.145

ciscoasa# nat (inside) 5 access-list VPN_PAT-1

ciscoasa# wr mem

Remember your VPN ACL will be written using 172.31.150.145 as the source address and 66.77.199.100 255.255.255.224 as the destination network, i.e.:

access-list vpn-1 extended permit ip host 172.31.150.145 66.77.199.100 255.255.255.224

Sometimes it's easy to forget that the source IP is the IP being used for NAT/PAT.

Alex

GREG HARPER Fri, 01/08/2010 - 07:34

Thanks to the three of you for responding to my PAT question.  This will be a big help and I really appreciate it!

g -

ahmad82pkn Fri, 02/17/2012 - 16:44

Hi all, I have a similar issue, so maybe someone is able to help?

I am doing just like above.

But my same ASA is serving as the global NAT point for my company internet, like this.

nat (INSIDE) 1 access-list NAT

global (OUTSIDE) 1 44.4.4.4

access-list NAT extended permit ip 10.0.0.0 255.0.0.0 any

So my VPN traffic is also getting PAT'd to the above OUTSIDE IP instead of to my VPN source, let's say 172.31.150.145, since it's on sequence number 5.

ciscoasa#  global (outside) 5 172.31.150.145

ciscoasa# nat (inside) 5 access-list VPN_PAT-1

One option is to move my company NAT and global statements to some higher sequence, let's say seq 10. What other options do I have?

GREG HARPER Mon, 02/20/2012 - 06:50

I would say either exclude that IP address from the global company PAT statement or, like you said, change the sequence number. However, I would advise you to open a TAC case on this one to be sure; this is not something you want to get wrong.

glh
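As an added illustration that is not part of the thread, the small Python model below parses pre-8.3 nat/global/access-list lines like the ones above and reports which address a given flow leaves the ASA with. It assumes that among policy NAT lines (nat with an access-list) the first one in configuration order whose ACL matches wins; the sample config and host addresses are constructed to mirror ahmad82pkn's setup.

```python
import ipaddress

def _net(addr, mask):
    # Apply the mask the way the ASA does: 69.77.199.100 255.255.255.224 is really 69.77.199.96/27.
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

# Constructed config modelled on the thread: the company-wide policy NAT (id 1)
# is listed before the VPN policy PAT (id 5), as in ahmad82pkn's running config.
ASA_CONFIG = """
access-list NAT extended permit ip 10.0.0.0 255.0.0.0 any
access-list VPN_PAT-1 extended permit ip 10.20.20.0 255.255.255.0 69.77.199.100 255.255.255.224
nat (inside) 1 access-list NAT
nat (inside) 5 access-list VPN_PAT-1
global (outside) 1 44.4.4.4
global (outside) 5 172.31.150.145
"""

# Same rules, but with the VPN policy PAT configured first.
ASA_CONFIG_FIXED = ASA_CONFIG.replace(
    "nat (inside) 1 access-list NAT\nnat (inside) 5 access-list VPN_PAT-1",
    "nat (inside) 5 access-list VPN_PAT-1\nnat (inside) 1 access-list NAT")

def parse(config):
    """Return (acls, nats, globals): ACL entries, nat lines in config order, global address per id."""
    acls, nats, globals_ = {}, [], {}
    for line in config.strip().splitlines():
        t = line.split()
        if t[0] == "access-list":      # access-list NAME extended permit ip SRC SMASK DST DMASK|any
            src = _net(t[5], t[6])
            dst = _net("0.0.0.0", "0.0.0.0") if t[7] == "any" else _net(t[7], t[8])
            acls.setdefault(t[1], []).append((src, dst))
        elif t[0] == "nat":            # nat (IFACE) ID access-list NAME
            nats.append((int(t[2]), t[4]))
        elif t[0] == "global":         # global (IFACE) ID ADDRESS
            globals_[int(t[2])] = t[3]
    return acls, nats, globals_

def translated_source(config, src_ip, dst_ip):
    """Address the flow leaves with; assumption: first policy-NAT line whose ACL matches wins."""
    acls, nats, globals_ = parse(config)
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for nat_id, acl in nats:
        if any(s in sn and d in dn for sn, dn in acls[acl]):
            return globals_[nat_id]
    return src_ip                      # nothing matched: sent untranslated

if __name__ == "__main__":
    for name, cfg in (("as posted", ASA_CONFIG), ("VPN nat first", ASA_CONFIG_FIXED)):
        print(name, "-> VPN peer:", translated_source(cfg, "10.20.20.5", "69.77.199.100"),
              "| internet:", translated_source(cfg, "10.20.20.5", "8.8.8.8"))
```

With the rules in the posted order the VPN-bound flow is caught by the "any"-destination company ACL and leaves as 44.4.4.4; with the VPN nat line first it leaves as 172.31.150.145 while ordinary internet traffic still gets the company PAT.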
