ASA 5510 L2L with NAT

Unanswered Question
Feb 19th, 2010

Hello all,

I am trying to setup an L2L VPN with our client which is pretty straightforward.  However, the requirements of the client require us to NAT our private subnet to a public subnet provided by our ISP.  We have obtained 30 public IP's from our ISP with the first being assigned to our outside interface.  What I need to be able to do is use PAT for internet traffic, and a pool of the remaining IP's to NAT over the tunnel.  At this point I have not configured any portion of the VPN and am hoping to find a document or someone with the expertise that can explain how to perform this NAT.

I thank you in advance for any help which you can provide!

Todd Pula Fri, 02/19/2010 - 09:24

The doc below covers one approach to configuring this requirement.  A few points to remember.  When using hide NAT for the L2L tunnel, the crypto ACL will be configured using the post-NAT source IP address.  Whether using policy NAT or NAT0, the NAT exemption ACL will be based on the original source IP.

sabinj Wed, 02/24/2010 - 08:37

The NAT is messed up on this...

when I do a sho xlate I'm showing the following

Global local

it is not mapping my workstation ip of to

Does this mean that it is trying to send my data over the tunnel with an ip of

busterswt Fri, 02/26/2010 - 18:53

From what I'm seeing, that doesn't appear to be your entire config there. From what I see though, it looks like you've enabled static identity policy NAT with a 1-to-1 translation.

If you're seeing this in the xlate:

Global local

... then the next logical xlate would be Global local, Global local, ...., Global local, etc.

If you're wanting to ensure is mapped to, then you should be able to add the following:

access-list policy-nat2 extended permit ip host  x.x.x.107 (duplicate this new ACL for the other remote networks)

static (inside,outside) access-list policy-nat2

Never tried it, so I hope it works!


sabinj Wed, 02/24/2010 - 06:40

Thanks for the quick reply this document is exactly what I was looking for!!  However I do have one question...

On the static statement: static (inside,outside) access-list policy-nat; I need to make sure I am clear.  This is going to use the policy-nat access list and the range specified in the access-list, not the entire subnet, correct?  I ask because my range and mask are giving me 30 addresses.

Here is my config, please let me know if you see anything wrong.

access-list policy-nat extended permit ip x.x.5.0  x.x.x.107
access-list policy-nat extended permit ip x.x.5.0  x.x.x.11
access-list policy-nat extended permit ip x.x.5.0 x.x.139.0
access-list policy-nat extended permit ip x.x.5.0 x.x.52.0

access-list new extended permit ip x.x.196.0 x.x.x.107
access-list new extended permit ip x.x.196.0 x.x.x.11
access-list new extended permit ip x.x.196.0 x.x.139.0
access-list new extended permit ip x.x.196.0 x.x.52.0

static (inside,outside) x.x.196.0 access-list policy-nat

crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto map outsidedsl_map 20 match address spinco
crypto map outsidedsl_map 20 set peer x.x.x.140
crypto map outsidedsl_map 20 set transform-set TRANS_ESP_3DES_SHA
crypto map outsidedsl_map 20 set pfs group1
crypto map outsidedsl_map interface outsidedsl

isakmp identity address
isakmp enable outsidedsl
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400

isakmp Policy 65535 authentication pre-share
isakmp Policy 65535 encryption 3des
isakmp Policy 65535 hash sha
isakmp Policy 65535 group 2
isakmp Policy 65535 lifetime 86400

tunnel-group x.x.x.140 type ipsec-l2l

tunnel-group x.x.x.140 ipsec-attributes
pre-shared-key *

