
ASA 5510 L2L with NAT

Feb 19th, 2010

Hello all,



I am trying to set up an L2L VPN with our client, which is pretty straightforward.  However, the requirements of the client require us to NAT our private subnet to a public subnet provided by our ISP.  We have obtained 30 public IPs from our ISP, with the first being assigned to our outside interface.  What I need to be able to do is use PAT for internet traffic, and a pool of the remaining IPs to NAT over the tunnel.  At this point I have not configured any portion of the VPN and am hoping to find a document or someone with the expertise that can explain how to perform this NAT.


I thank you in advance for any help which you can provide!

Todd Pula Fri, 02/19/2010 - 09:24

The doc below covers one approach to configuring this requirement.  A few points to remember: when using hide NAT for the L2L tunnel, the crypto ACL will be configured using the post-NAT source IP address.  Whether using policy NAT or NAT0, the NAT exemption ACL will be based on the original source IP.


http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00808c9950.shtml

sabinj Wed, 02/24/2010 - 08:37

The NAT is messed up on this...


When I do a sho xlate I'm seeing the following:


Global 10.10.10.0 local 1.1.1.0


It is not mapping my workstation IP of 1.1.1.1 to 10.10.10.10.


Does this mean that it is trying to send my data over the tunnel with an IP of 10.10.10.0?

busterswt Fri, 02/26/2010 - 18:53


From what I'm seeing, that doesn't appear to be your entire config there. From what I see though, it looks like you've enabled static identity policy NAT with a 1-to-1 translation.


If you're seeing this in the xlate:


Global 10.10.10.0 local 1.1.1.0


... then the next logical xlate would be Global 10.10.10.1 local 1.1.1.1, Global 10.10.10.2 local 1.1.1.2, ...., Global 10.10.10.102 local 1.1.1.102, etc.


If you want to ensure 1.1.1.1 is mapped to 10.10.10.10, then you should be able to add the following:


access-list policy-nat2 extended permit ip host 1.1.1.1  x.x.x.107 255.255.255.255 (duplicate this new ACL for the other remote networks)

static (inside,outside) 10.10.10.10 access-list policy-nat2


Never tried it, so I hope it works!


James

sabinj Wed, 02/24/2010 - 06:40

Thanks for the quick reply; this document is exactly what I was looking for!!  However, I do have one question...


On the static statement: static (inside,outside) 10.10.10.0 access-list policy-nat; I need to make sure I am clear.  This is going to use the policy-nat access list and the range specified in the access list, not the entire subnet, correct?  I ask because my range and mask are 10.10.10.96 255.255.255.224, giving me 30 addresses.


Here is my config, please let me know if you see anything wrong.


access-list policy-nat extended permit ip x.x.5.0 255.255.255.0  x.x.x.107 255.255.255.255
access-list policy-nat extended permit ip x.x.5.0 255.255.255.0  x.x.x.11 255.255.255.255
access-list policy-nat extended permit ip x.x.5.0 255.255.255.0 x.x.139.0 255.255.255.0
access-list policy-nat extended permit ip x.x.5.0 255.255.255.0 x.x.52.0 255.255.255.0


access-list new extended permit ip x.x.196.0 255.255.255.224 x.x.x.107 255.255.255.255
access-list new extended permit ip x.x.196.0 255.255.255.224 x.x.x.11 255.255.255.255
access-list new extended permit ip x.x.196.0 255.255.255.224 x.x.139.0 255.255.255.0
access-list new extended permit ip x.x.196.0 255.255.255.224 x.x.52.0 255.255.255.0


static (inside,outside) x.x.196.0 access-list policy-nat


crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto map outsidedsl_map 20 match address spinco
crypto map outsidedsl_map 20 set peer x.x.x.140
crypto map outsidedsl_map 20 set transform-set TRANS_ESP_3DES_SHA
crypto map outsidedsl_map 20 set pfs group1
crypto map outsidedsl_map interface outsidedsl


isakmp identity address
isakmp enable outsidedsl
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400


isakmp policy 65535 authentication pre-share
isakmp policy 65535 encryption 3des
isakmp policy 65535 hash sha
isakmp policy 65535 group 2
isakmp policy 65535 lifetime 86400


tunnel-group x.x.x.140 type ipsec-l2l


tunnel-group x.x.x.140 ipsec-attributes
pre-shared-key *
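A complete configuration for the scenario discussed in this thread, added here as an example; it is not taken from any of the posts above or from the linked Cisco document. It uses the pre-8.3 ASA NAT syntax the thread uses and constructed addresses: inside LAN 192.168.5.0/24, an ISP-assigned public block 203.0.113.96/27 with .97 on the outside interface, a remote peer at 198.51.100.1 and a remote LAN 172.16.50.0/24. The ACL, transform-set and crypto-map names (HOST_NAT, VPN_POLICY_NAT, VPN_CRYPTO, ESP_3DES_SHA, L2L_MAP) are assumed. It ties together the three points raised above: Todd's rule that the policy NAT ACL uses the original (pre-NAT) source while the crypto ACL uses the post-NAT public block, James's per-host static for a fixed mapping, and the question of how to use a /27 public range for a /24 LAN.

```cisco
! Added example configuration (not from the thread). Pre-8.3 ASA NAT syntax.
! Constructed addresses: inside 192.168.5.0/24, public block 203.0.113.96/27,
! peer 198.51.100.1, remote LAN 172.16.50.0/24. All ACL/map names are assumed.
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.97 255.255.255.224
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.5.1 255.255.255.0
!
! --- NAT ----------------------------------------------------------------
! Policy NAT ACLs always match the ORIGINAL (pre-NAT) source address.
!
! One server the remote site must reach at a known, fixed public address:
! a per-host static policy NAT, as in James's reply. Static NAT is evaluated
! before dynamic NAT, so this host never draws from the pool below.
access-list HOST_NAT extended permit ip host 192.168.5.10 172.16.50.0 255.255.255.0
static (inside,outside) 203.0.113.126 access-list HOST_NAT
!
! The rest of the LAN, only when bound for the remote LAN, is translated
! one-to-one out of the remaining public addresses (dynamic policy NAT with a
! pool). The pool deliberately excludes .97 (interface) and .126 (static above).
access-list VPN_POLICY_NAT extended permit ip 192.168.5.0 255.255.255.0 172.16.50.0 255.255.255.0
nat (inside) 2 access-list VPN_POLICY_NAT
global (outside) 2 203.0.113.98-203.0.113.125 netmask 255.255.255.224
!
! Everything else (internet traffic) is PATed behind the outside interface.
nat (inside) 1 192.168.5.0 255.255.255.0
global (outside) 1 interface
!
! No "nat (inside) 0 access-list ..." exemption is configured: NAT exemption
! takes precedence over every other NAT rule and would bypass the pool.
!
! --- IPsec --------------------------------------------------------------
! The crypto ACL uses the POST-NAT source: the public block, not the LAN.
! NAT happens before the crypto map is consulted, so a crypto ACL written
! with 192.168.5.0/24 would never match and the tunnel would not come up.
access-list VPN_CRYPTO extended permit ip 203.0.113.96 255.255.255.224 172.16.50.0 255.255.255.0
!
crypto ipsec transform-set ESP_3DES_SHA esp-3des esp-sha-hmac
crypto map L2L_MAP 20 match address VPN_CRYPTO
crypto map L2L_MAP 20 set peer 198.51.100.1
crypto map L2L_MAP 20 set transform-set ESP_3DES_SHA
crypto map L2L_MAP 20 set pfs group2
crypto map L2L_MAP interface outside
!
isakmp identity address
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
!
tunnel-group 198.51.100.1 type ipsec-l2l
tunnel-group 198.51.100.1 ipsec-attributes
 pre-shared-key PLACEHOLDER_PSK
!
! Checks once traffic has been sent towards 172.16.50.0/24:
!   show xlate           -> expect "Global 203.0.113.126 Local 192.168.5.10" for the
!                           fixed host, and pool entries such as "Global 203.0.113.98
!                           Local 192.168.5.23" for other hosts that have talked
!   show crypto ipsec sa -> local ident 203.0.113.96/255.255.255.224,
!                           remote ident 172.16.50.0/255.255.255.0
```

Two things follow from this layout. The remote side's crypto ACL (and any firewall rules there) must name 203.0.113.96/27 as the far-end network, since that is all it will ever see; the real 192.168.5.0/24 never leaves the tunnel endpoint. And a subnet static like the one in the thread maps the real network to an equally sized mapped network, so a /24 LAN cannot be squeezed into a /27 of public space with a single static; that is why the example uses a dynamic pool for the bulk of the LAN and reserves a per-host static only for the server that needs a stable address.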
