ASA 5510 L2L with NAT

sabinj
Level 1

Hello all,

I am trying to set up an L2L VPN with our client, which is pretty straightforward.  However, the requirements of the client require us to NAT our private subnet to a public subnet provided by our ISP.  We have obtained 30 public IPs from our ISP, with the first being assigned to our outside interface.  What I need to be able to do is use PAT for internet traffic, and a pool of the remaining IPs to NAT over the tunnel.  At this point I have not configured any portion of the VPN and am hoping to find a document or someone with the expertise that can explain how to perform this NAT.

I thank you in advance for any help which you can provide!

4 Replies

Todd Pula
Level 7

The doc below covers one approach to configuring this requirement.  A few points to remember.  When using hide NAT for the L2L tunnel, the crypto ACL will be configured using the post-NAT source IP address.  Whether using policy NAT or NAT0, the NAT exemption ACL will be based on the original source IP.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00808c9950.shtml

Thanks for the quick reply, this document is exactly what I was looking for!!  However, I do have one question...

On the static statement: static (inside,outside) 10.10.10.0 access-list policy-nat; I need to make sure I am clear.  This is going to use the policy-nat access list and the range specified in the access-list, not the entire subnet, correct?  I ask because my range and mask are 10.10.10.96 255.255.255.224, giving me 30 addresses.

Here is my config, please let me know if you see anything wrong.

access-list policy-nat extended permit ip x.x.5.0 255.255.255.0 x.x.x.107 255.255.255.255
access-list policy-nat extended permit ip x.x.5.0 255.255.255.0 x.x.x.11 255.255.255.255
access-list policy-nat extended permit ip x.x.5.0 255.255.255.0 x.x.139.0 255.255.255.0
access-list policy-nat extended permit ip x.x.5.0 255.255.255.0 x.x.52.0 255.255.255.0

! Post-NAT (translated) source, as the crypto ACL must use. Note that this
! ACL is not referenced below; the crypto map matches "spinco", which is not
! defined in this excerpt.
access-list new extended permit ip x.x.196.0 255.255.255.224 x.x.x.107 255.255.255.255
access-list new extended permit ip x.x.196.0 255.255.255.224 x.x.x.11 255.255.255.255
access-list new extended permit ip x.x.196.0 255.255.255.224 x.x.139.0 255.255.255.0
access-list new extended permit ip x.x.196.0 255.255.255.224 x.x.52.0 255.255.255.0

static (inside,outside) x.x.196.0 access-list policy-nat

crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto map outsidedsl_map 20 match address spinco
crypto map outsidedsl_map 20 set peer x.x.x.140
! The crypto map must reference the transform-set by the name defined above.
crypto map outsidedsl_map 20 set transform-set TRANS_ESP_3DES_SHA
crypto map outsidedsl_map 20 set pfs group1
crypto map outsidedsl_map interface outsidedsl

isakmp identity address
isakmp enable outsidedsl
isakmp policy 10 authentication pre-share
! ISAKMP (phase 1) encryption is "3des"; "esp-3des" is an IPsec transform keyword.
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400

isakmp policy 65535 authentication pre-share
isakmp policy 65535 encryption 3des
isakmp policy 65535 hash sha
isakmp policy 65535 group 2
isakmp policy 65535 lifetime 86400

tunnel-group x.x.x.140 type ipsec-l2l

tunnel-group x.x.x.140 ipsec-attributes
pre-shared-key *

The NAT is messed up on this...

When I do a sho xlate, I see the following:

Global 10.10.10.0 local 1.1.1.0

It is not mapping my workstation IP of 1.1.1.1 to 10.10.10.10.

Does this mean that it is trying to send my data over the tunnel with an IP of 10.10.10.0?

From what I'm seeing, that doesn't appear to be your entire config there. From what I see though, it looks like you've enabled static identity policy NAT with a 1-to-1 translation.

If you're seeing this in the xlate:

Global 10.10.10.0 local 1.1.1.0

... then the next logical xlate would be Global 10.10.10.1 local 1.1.1.1, Global 10.10.10.2 local 1.1.1.2, ...., Global 10.10.10.102 local 1.1.1.102, etc.

If you're wanting to ensure 1.1.1.1 is mapped to 10.10.10.10, then you should be able to add the following:

access-list policy-nat2 extended permit ip host 1.1.1.1 x.x.x.107 255.255.255.255 (duplicate this new ACL for the other remote networks)

static (inside,outside) 10.10.10.10 access-list policy-nat2

Never tried it, so I hope it works!

James
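The address arithmetic James describes above (a net static maps 1.1.1.1 to 10.10.10.1, not 10.10.10.10, and a host-specific static is needed for a fixed mapping), together with Todd's point that the crypto ACL must be written with the post-NAT source, as an added example that is not part of this thread and not Cisco code. It is a small Python model of the pre-8.3 `static (inside,outside) <mapped> access-list <acl>` behaviour using constructed addresses: 172.16.139.0/24 and 172.16.52.0/24 stand in for the x.x.* remote networks. The rule that overlapping statics are evaluated in configuration order with first match winning is an assumption of the model, as is the omission of the dynamic PAT that non-matching internet traffic would fall through to.

```python
"""Model of pre-8.3 ASA static policy NAT ("hide NAT") feeding an L2L tunnel.

Constructed example: reproduces the offset arithmetic behind
`static (inside,outside) <mapped> access-list <acl>` so the xlate output in
the thread can be predicted, and checks the translated source against a
crypto ACL written with POST-NAT addresses.
"""
from dataclasses import dataclass
import ipaddress

IPv4Network = ipaddress.IPv4Network
IPv4Address = ipaddress.IPv4Address


@dataclass
class PolicyStatic:
    """One `static (inside,outside) <mapped> access-list <acl>` entry.

    real:   source network of the policy ACL (the original inside addresses)
    mapped: network the real addresses are translated into, 1:1 by offset
    dests:  destination networks listed in the policy ACL
    """
    name: str
    real: IPv4Network
    mapped: IPv4Network
    dests: list

    def __post_init__(self):
        # A net static is one-to-one: every real host consumes its own mapped
        # address, so a /24 of real hosts cannot hide behind a /27 pool.
        if self.real.num_addresses > self.mapped.num_addresses:
            raise ValueError(
                f"{self.name}: real {self.real} has more hosts than mapped {self.mapped}")

    def matches(self, src, dst):
        return src in self.real and any(dst in d for d in self.dests)

    def translate(self, src):
        # Same offset inside the mapped block as inside the real block:
        # 1.1.1.0 -> 10.10.10.0 implies 1.1.1.1 -> 10.10.10.1, and so on.
        offset = int(src) - int(self.real.network_address)
        return IPv4Address(int(self.mapped.network_address) + offset)


def translate_source(statics, src, dst):
    """Return the mapped source for src->dst, or None when no static matches
    (that traffic would fall through to dynamic NAT/PAT, which this model omits).
    Assumption: statics are evaluated in configuration order, first match wins."""
    for s in statics:
        if s.matches(src, dst):
            return s.translate(src)
    return None


def crypto_acl_selects(crypto_acl, mapped_src, dst):
    """crypto_acl is a list of (source, destination) networks. Because NAT
    happens before the crypto map is consulted, the source must be the
    post-NAT address; the real inside address will never match."""
    return any(mapped_src in s and dst in d for s, d in crypto_acl)


# Constructed stand-ins for the thread's x.x.* remote networks.
REMOTE = [IPv4Network("172.16.139.0/24"), IPv4Network("172.16.52.0/24")]
# static (inside,outside) 10.10.10.0 access-list policy-nat   (real 1.1.1.0/24)
NET_STATIC = PolicyStatic("policy-nat", IPv4Network("1.1.1.0/24"),
                          IPv4Network("10.10.10.0/24"), REMOTE)
# static (inside,outside) 10.10.10.10 access-list policy-nat2 (real host 1.1.1.1)
HOST_STATIC = PolicyStatic("policy-nat2", IPv4Network("1.1.1.1/32"),
                           IPv4Network("10.10.10.10/32"), REMOTE)
# Crypto ACL written with the post-NAT source, per Todd's advice.
CRYPTO_ACL = [(IPv4Network("10.10.10.0/24"), d) for d in REMOTE]


def mapped_for(statics, src, dst):
    """String form of the translated source, or None."""
    result = translate_source(statics, IPv4Address(src), IPv4Address(dst))
    return None if result is None else str(result)


def tunnel_selected(src, dst):
    """Would the post-NAT crypto ACL select this packet for the tunnel?"""
    return crypto_acl_selects(CRYPTO_ACL, IPv4Address(src), IPv4Address(dst))


def pool_too_small(real="192.168.5.0/24", mapped="10.10.10.96/27"):
    """True when a /24 of real hosts is pointed at a 30-address mapped pool."""
    try:
        PolicyStatic("policy-nat", IPv4Network(real), IPv4Network(mapped), REMOTE)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    dst = "172.16.139.5"
    print("net static only:      1.1.1.1 ->", mapped_for([NET_STATIC], "1.1.1.1", dst))
    print("host static first:    1.1.1.1 ->", mapped_for([HOST_STATIC, NET_STATIC], "1.1.1.1", dst))
    print("host static first:    1.1.1.2 ->", mapped_for([HOST_STATIC, NET_STATIC], "1.1.1.2", dst))
    print("internet destination: 1.1.1.1 ->", mapped_for([NET_STATIC], "1.1.1.1", "8.8.8.8"))
    print("crypto ACL matches mapped 10.10.10.1:", tunnel_selected("10.10.10.1", dst))
    print("crypto ACL matches real 1.1.1.1:     ", tunnel_selected("1.1.1.1", dst))
    print("/24 real into /27 pool rejected:     ", pool_too_small())
```

Running the module shows the xlate James predicts (1.1.1.1 becomes 10.10.10.1 under the net static alone, 10.10.10.10 once a host static precedes it, and 1.1.1.2 still becomes 10.10.10.2), that a packet to an internet destination is not touched by the policy static, and that a crypto ACL written with the real 1.1.1.1 source would never select the translated packet. The constructor check also flags sabinj's mismatch between a /24 real network and a 30-address mapped range.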
