Can I use the public peer address as a PAT or NAT address also?

Answered Question
Feb 4th, 2010

Using an ASA-5505, I only have private IPs on the local LAN and one public IP address from my ISP for the peer address. Can I use that same peer IP address as a PAT or NAT for my internal local private IPs? The remote VPN location policy is to not allow private IP addresses on to their local network, so they want public addresses from me. If that is possible, could you please show me a simple 5505 config example using the following IPs? (I don't need the IPSec config, only the ACL/NAT config)

I have four hosts that need to access a device at the remote location via an IPSec tunnel. They are:

local hosts: 192.168.2.10, 192.168.2.11, 192.168.2.12, 192.168.2.13

Say my public peer address is 205.188.15.34 and the remote peer is 175.10.144.52

remote host: 168.12.10.6


thanks for any help.

Correct Answer by Jon Marshall, Thu, 02/04/2010 - 08:30

jkeeffe wrote:


Using an ASA-5505, I only have private IPs on the local LAN and one public IP address from my ISP for the peer address. Can I use that same peer IP address as a PAT or NAT for my internal local private IPs? The remote VPN location policy is to not allow private IP addresses on to their local network, so they want public addresses from me. If that is possible, could you please show me a simple 5505 config example using the following IPs? (I don't need the IPSec config, only the ACL/NAT config)

I have four hosts that need to access a device at the remote location via an IPSec tunnel. They are:

local hosts: 192.168.2.10, 192.168.2.11, 192.168.2.12, 192.168.2.13

Say my public peer address is 205.188.15.34 and the remote peer is 175.10.144.52

remote host: 168.12.10.6


thanks for any help.


Yes you can do this.


object-group network localhosts
 network-object host 192.168.2.10
 network-object host 192.168.2.11
 network-object host 192.168.2.12
 network-object host 192.168.2.13

access-list VPN permit ip object-group localhosts host 168.12.10.6

nat (inside) 1 access-list VPN
global (outside) 1 interface


The crypto-map access-list would then look like this -

access-list VPNTRAFFIC permit ip host 205.188.15.34 host 168.12.10.6


One thing to note. The NAT example above is policy NAT, i.e. if the source is 192.168.2.10 -> 13 and the destination is 168.12.10.6 then NAT the source to the public IP 205.188.15.34. However you may already have something like this in your config -

nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface

i.e. you are NATting all your private addresses to the public interface address for general internet access. If you do have this then there is no need to do policy NAT and you could miss out these lines as the source addresses will be NATted anyway -


object-group network localhosts
 network-object host 192.168.2.10
 network-object host 192.168.2.11
 network-object host 192.168.2.12
 network-object host 192.168.2.13

access-list VPN permit ip object-group localhosts host 168.12.10.6

nat (inside) 1 access-list VPN
global (outside) 1 interface


Jon


jkeeffe Thu, 02/04/2010 - 09:06

I have one other VPN connection through this ASA. Will your example plug right into what is already there?  Here is the other VPN config:


crypto isakmp identity address
crypto isakmp policy 20
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
exit

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
sysopt connection permit-ipsec

tunnel-group 218.151.3.111 type ipsec-l2l
tunnel-group 218.151.3.111 ipsec-attributes
 pre-shared-key xxxxxxxxx
 isakmp keepalive disable
exit

access-list IMAGE extended permit ip host 10.12.203.3 160.14.0.0 255.255.0.0

access-list NAT1 extended permit ip host 192.168.2.10 160.14.0.0 255.255.0.0
static (inside,outside) 10.12.203.3 access-list NAT1 0 0

crypto map outside1_map 20 match address IMAGE
crypto map outside1_map 20 set peer 218.151.3.111
crypto map outside1_map 20 set transform-set ESP-3DES-MD5
crypto map outside1_map 20 set security-association lifetime seconds 3600

Jon Marshall Thu, 02/04/2010 - 09:19

jkeeffe wrote:


I have one other VPN connection through this ASA. Will your example plug right into what is already there?  Here is the other VPN config:


crypto isakmp identity address
crypto isakmp policy 20
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
exit

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
sysopt connection permit-ipsec

tunnel-group 218.151.3.111 type ipsec-l2l
tunnel-group 218.151.3.111 ipsec-attributes
 pre-shared-key xxxxxxxxx
 isakmp keepalive disable
exit

access-list IMAGE extended permit ip host 10.12.203.3 160.14.0.0 255.255.0.0

access-list NAT1 extended permit ip host 192.168.2.10 160.14.0.0 255.255.0.0
static (inside,outside) 10.12.203.3 access-list NAT1 0 0

crypto map outside1_map 20 match address IMAGE
crypto map outside1_map 20 set peer 218.151.3.111
crypto map outside1_map 20 set transform-set ESP-3DES-MD5
crypto map outside1_map 20 set security-association lifetime seconds 3600


The two should not conflict with each other as each has a separate crypto map access-list, so you should be okay.


Jon
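Editor's note, added to this thread (not part of either poster's configs and not Cisco code): the point behind both of Jon's answers is the ASA's outbound order of operations with the pre-8.3 nat/global syntax. NAT is applied to the inside source first, and only then is the packet checked against the crypto-map match ACLs, which is why VPNTRAFFIC is written with the public 205.188.15.34 rather than the 192.168.2.x hosts, and why the existing IMAGE map (10.12.203.3 -> 160.14.0.0/16) and the new VPNTRAFFIC map select different packets without colliding. The small Python model below walks a packet through exactly that sequence using the addresses and ACL names from the thread. It assumes the catch-all `nat (inside) 1 0.0.0.0 0.0.0.0` rule Jon mentions the poster may already have, orders the rules the way the ASA does (static policy NAT before dynamic policy NAT before plain dynamic PAT), and uses 203.0.113.5 as a constructed "general internet" destination.

```python
"""Added model of the ASA (pre-8.3 nat/global syntax) outbound path for the
thread's configs: NAT the inside source first, then match crypto-map ACLs.
Addresses and ACL names are the ones posted; the catch-all PAT rule is assumed."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


def in_net(network: str, addr: str) -> bool:
    """True if addr falls inside network (CIDR or single host)."""
    return ipaddress.ip_address(addr) in ipaddress.ip_network(network, strict=False)


# Addresses from the thread.
LOCALHOSTS = {"192.168.2.10", "192.168.2.11", "192.168.2.12", "192.168.2.13"}
OUTSIDE_IF = "205.188.15.34"   # ASA outside interface address, also the VPN peer address
REMOTE_HOST = "168.12.10.6"    # host behind the new VPN peer
IMAGE_NET = "160.14.0.0/16"    # network behind the existing VPN peer (218.151.3.111)

# NAT rules in the ASA's lookup order: static policy NAT is checked before
# dynamic policy NAT, which is checked before the plain dynamic NAT/PAT rule.
# Each entry: (config line, match predicate, translated source address).
NAT_RULES = [
    ("static (inside,outside) 10.12.203.3 access-list NAT1",
     lambda p: p.src == "192.168.2.10" and in_net(IMAGE_NET, p.dst),
     "10.12.203.3"),
    ("nat (inside) 1 access-list VPN",
     lambda p: p.src in LOCALHOSTS and p.dst == REMOTE_HOST,
     OUTSIDE_IF),
    ("nat (inside) 1 0.0.0.0 0.0.0.0",   # assumed catch-all PAT to the interface
     lambda p: True,
     OUTSIDE_IF),
]

# Crypto-map match ACLs, written against the *translated* addresses.
CRYPTO_ACLS = {
    "IMAGE": lambda p: p.src == "10.12.203.3" and in_net(IMAGE_NET, p.dst),
    "VPNTRAFFIC": lambda p: p.src == OUTSIDE_IF and p.dst == REMOTE_HOST,
}


def translate(p: Packet):
    """First matching NAT rule wins; returns (translated packet, rule line)."""
    for line, match, new_src in NAT_RULES:
        if match(p):
            return Packet(new_src, p.dst), line
    return p, None


def crypto_match(p: Packet):
    """Names of crypto-map ACLs that the already-translated packet matches."""
    return [name for name, acl in CRYPTO_ACLS.items() if acl(p)]


def forward(src: str, dst: str):
    """Outbound path: NAT, then crypto-map selection.
    Returns (translated source, NAT rule used, matching crypto ACL names)."""
    translated, rule = translate(Packet(src, dst))
    return translated.src, rule, crypto_match(translated)


def private_source_acl_would_match(src: str, dst: str) -> bool:
    """The mistake the thread's design avoids: a crypto ACL written with the
    private 192.168.2.x sources is evaluated after NAT, so it never matches."""
    translated, _ = translate(Packet(src, dst))
    return translated.src in LOCALHOSTS and translated.dst == REMOTE_HOST


if __name__ == "__main__":
    samples = [("192.168.2.10", REMOTE_HOST),   # rides the new tunnel as 205.188.15.34
               ("192.168.2.10", "160.14.5.5"),  # rides the existing tunnel as 10.12.203.3
               ("192.168.2.11", "160.14.5.5"),  # not in NAT1: PATed and sent in the clear
               ("192.168.2.20", "203.0.113.5")] # constructed internet destination
    for src, dst in samples:
        print(f"{src:>14} -> {dst:<12} {forward(src, dst)}")
```

On the box itself the same two stages can be checked with `show xlate` (which translation a host received) and `show crypto ipsec sa` (which crypto-map entry the traffic actually matched).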
