01-07-2010 01:13 PM
I need to set up a PAT rule on an ASA 5520 for an IPsec site-to-site VPN. I checked a Cisco reference and found the following script, which might work; can anyone tell me if this is the correct command syntax/setup?
ciscoasa# access-list VPN_PAT-1 permit ip 10.20.20.0 255.255.255.0 69.77.199.100 255.255.255.224
ciscoasa# global (outside) 5 172.31.150.145 netmask 255.255.255.255
ciscoasa# nat (inside) 5 access-list VPN_PAT-1 255.255.255.0
ciscoasa# wr mem
Thanks,
g -
01-07-2010 01:20 PM
g.harper wrote:
I need to set up a PAT rule on an ASA 5520 for an IPsec site-to-site VPN. I checked a Cisco reference and found the following script, which might work; can anyone tell me if this is the correct command syntax/setup?
ciscoasa# access-list VPN_PAT-1 permit ip 10.20.20.0 255.255.255.0 69.77.199.100 255.255.255.224
ciscoasa# global (outside) 5 172.31.150.145 netmask 255.255.255.255
ciscoasa# nat (inside) 5 access-list VPN_PAT-1 255.255.255.0
ciscoasa# wr mem
Thanks,
g -
Greg
The above will PAT all 10.20.20.x addresses to 172.31.150.145 when the traffic is going to the 69.77.199.100 network, although this is not actually the network, i.e. with a 255.255.255.224 subnet mask the actual network would be 69.77.199.96.
Don't forget that the crypto map will need to refer to the 172.31.150.145 address and not the original 10.20.20.x addresses.
Jon
01-07-2010 01:21 PM
You can get rid of the netmask after the ACL name in the "nat (inside) 5 access-list VPN_PAT-1 255.255.255.0" command and that should work... Just make sure that the interesting traffic is matching from 172.31.150.145 to 69.77.199.100 255.255.255.224.
01-07-2010 01:34 PM
Correct syntax...
ciscoasa# access-list VPN_PAT-1 permit ip 10.20.20.0 255.255.255.0 69.77.199.100 255.255.255.224
ciscoasa# global (outside) 5 172.31.150.145
ciscoasa# nat (inside) 5 access-list VPN_PAT-1
ciscoasa# wr mem
Remember your VPN ACL will be written using 172.31.150.145 as the source address and 69.77.199.100 255.255.255.224 as the destination network, i.e.:
access-list vpn-1 extended permit ip host 172.31.150.145 69.77.199.100 255.255.255.224
Sometimes it's easy to forget that the source IP is the IP being used for NAT/PAT.
Alex
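A small consistency check for the two points Jon and Alex make, added here as an example and not code from the thread or from Cisco: it normalises an ASA "address mask" pair to its real network (69.77.199.100/255.255.255.224 is really 69.77.199.96/27) and verifies that the crypto ACL's source is the PAT address rather than the original 10.20.20.x subnet. The config text is constructed from the thread's lines and the function names are my own.

```python
import ipaddress
import re
# Constructed sample built from the thread's lines; "vpn-1" is Alex's crypto ACL name.
CONFIG = """
access-list VPN_PAT-1 extended permit ip 10.20.20.0 255.255.255.0 69.77.199.100 255.255.255.224
global (outside) 5 172.31.150.145
nat (inside) 5 access-list VPN_PAT-1
access-list vpn-1 extended permit ip host 172.31.150.145 69.77.199.100 255.255.255.224
"""
ACL_RE = re.compile(r"^access-list (\S+) (?:extended )?permit ip (.+)$")
GLOBAL_RE = re.compile(r"^global \(\S+\) (\d+) (\S+)")
NAT_RE = re.compile(r"^nat \(\S+\) (\d+) access-list (\S+)")

def network_of(addr, mask):
    """Normalise an ASA 'address mask' pair to its network; host bits are dropped (Jon's point)."""
    return str(ipaddress.ip_network(f"{addr}/{mask}", strict=False))

def parse_endpoint(tokens):
    """Consume 'any', 'host A' or 'A MASK' from ACL tokens; return (network, remaining tokens)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return ipaddress.ip_network(network_of(tokens[0], tokens[1])), tokens[2:]

def parse_config(config):
    """Return ({acl_name: [(src, dst), ...]}, {nat_id: (acl_name, global_ip)})."""
    acls, globals_, nats = {}, {}, {}
    for line in config.strip().splitlines():
        line = line.strip()
        if m := ACL_RE.match(line):
            src, rest = parse_endpoint(m.group(2).split())
            acls.setdefault(m.group(1), []).append((src, parse_endpoint(rest)[0]))
        elif m := GLOBAL_RE.match(line):
            globals_[m.group(1)] = m.group(2)
        elif m := NAT_RE.match(line):
            nats[m.group(1)] = m.group(2)
    return acls, {i: (acl, globals_[i]) for i, acl in nats.items() if i in globals_}

def check_crypto_acl(config, crypto_acl):
    """List crypto-ACL entries aimed at a policy-NAT destination whose source is not the PAT
    address. Empty means the interesting-traffic ACL matches the post-NAT packets."""
    acls, pats = parse_config(config)
    problems = []
    for nat_id, (pat_acl, pat_ip) in pats.items():
        pat_host = ipaddress.ip_network(pat_ip + "/32")
        nat_dsts = {dst for _, dst in acls.get(pat_acl, [])}
        for src, dst in acls.get(crypto_acl, []):
            if dst in nat_dsts and src != pat_host:
                problems.append(f"nat {nat_id}: {crypto_acl} source {src}, expected host {pat_ip}")
    return problems
```

Running `check_crypto_acl(CONFIG, "vpn-1")` on the thread's config returns an empty list; swap the crypto ACL source back to 10.20.20.0 255.255.255.0 and it reports the mismatch.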
01-08-2010 07:34 AM
Thanks to the three of you for responding to my PAT question. This will be a big help and I really appreciate it!
g -
02-17-2012 04:44 PM
Hi all, I have a similar issue, so might someone be able to help?
I am doing just like above,
but my same ASA is serving as the global NAT point for my company's internet, like this:
nat (INSIDE) 1 access-list NAT
global (OUTSIDE) 1 44.4.4.4
access-list NAT extended permit ip 10.0.0.0 255.0.0.0 any
So my VPN traffic is also getting PATed to the above OUTSIDE IP, instead of getting PATed to my VPN source, let's say 172.31.150.145, since it's on sequence number 5.
ciscoasa# global (outside) 5 172.31.150.145
ciscoasa# nat (inside) 5 access-list VPN_PAT-1
One option is to move my company NAT and global statements to some higher sequence, let's say seq 10. What other options do I have?
02-20-2012 06:50 AM
I would say either exclude that IP address from the global company PAT statement or, like you said, change the sequence number. However, I would advise you to open a TAC case on this one to be sure; this is not something you want to get wrong.
glh