03-04-2010 05:03 AM - edited 03-06-2019 09:59 AM
Hello
I have a router connected to my Cisco ASA, for which there is a site-to-site tunnel established. Can anyone tell me what I would do on the router to NAT all addresses coming from the router to the ASA from a single address? Like PAT, but through the tunnel.
cheers
Carl
03-04-2010 01:23 PM
Hi,
You would need to create the NAT configuration for PAT, and then specify that the interesting traffic is from the PAT address to the other's site subnet.
The only difference is to specify the VPN traffic to the PAT address, instead of specifying the interesting traffic to the real subnet.
Another note, is that if you do it like this, you can only initiate the tunnel from the router's side.
Translation always happens before encryption.
Federico.
03-05-2010 01:18 AM
Hi There
I understand what you are saying, but could you please give me an example of what you would do here? Would you just do something like
ip nat inside source list 1 pool xx overload
Then would I reference the pool in the crypto map?
cheers
Carl
03-06-2010 01:32 PM
To PAT inside the tunnel, you create the NAT configuration as usual:
ip nat inside source route-map NAT interface OUTSIDE0/0 overload
route-map NAT
 match ip address 199
 set ip next-hop x.x.x.x --> default gateway or path through the tunnel
access-list 199 permit ip 10.0.0.0 0.0.0.255 192.168.1.0 0.0.0.255
What you're doing with the above configuration is to PAT traffic from 10.x.x.x to 192.168.1.x (assuming 10.x.x.x is the network behind the router and 192.168.1.x is the network behind the ASA).
Then, you specify the interesting traffic (VPN traffic) to be from the PATed address to the ASA's network:
access-list 101 permit ip host 200.1.1.1 192.168.1.0 0.0.0.255
(assuming 200.1.1.1 is the OUTSIDE0/0 address, the interface where the crypto map is applied.) Access-list 101 is the ACL applied to the crypto map.
Remember that the ACL on the ASA should be a mirror to this ACL and that the tunnel can only be initiated from the router's side.
Federico.
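The point of Federico's answer is that the crypto ACL has to name the PAT address, not the real inside subnet, because translation happens before encryption. As an added example (not Federico's or Cisco's code), here is a small Python checker that parses the handful of IOS lines involved, verifies that the crypto ACL source is the overload interface's address and that its destination matches the NAT ACL, and prints the mirror ACL the ASA side needs. The interface name, route-map sequence number, next-hop and ACL name on the ASA are assumptions of this example.

```python
import ipaddress
import re

# Constructed router config modelled on the thread's snippets (assumed values).
ROUTER_CONFIG = """
interface GigabitEthernet0/0
 ip address 200.1.1.1 255.255.255.0
 ip nat outside
 crypto map VPN
ip nat inside source route-map NAT interface GigabitEthernet0/0 overload
route-map NAT permit 10
 match ip address 199
 set ip next-hop 200.1.1.254
access-list 199 permit ip 10.0.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 permit ip host 200.1.1.1 192.168.1.0 0.0.0.255
crypto map VPN 10 ipsec-isakmp
 match address 101
"""

NAT_RE = re.compile(r"^ip nat inside source (route-map|list) (\S+) interface (\S+) overload$", re.M)

def _parse_addr(tokens, i):
    """Read one ACE address spec (any | host A | A WILDCARD) starting at tokens[i]."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.IPv4Network(tokens[i + 1] + "/32"), i + 2
    wildcard = int(ipaddress.IPv4Address(tokens[i + 1]))
    netmask = str(ipaddress.IPv4Address(0xFFFFFFFF ^ wildcard))  # wildcard bits -> subnet mask
    return ipaddress.IPv4Network((tok, netmask), strict=False), i + 2

def parse_acl(config, number):
    """Return [(src_net, dst_net)] for the 'permit ip' entries of a numbered ACL."""
    entries = []
    for line in config.splitlines():
        tokens = line.split()
        if tokens[:4] == ["access-list", str(number), "permit", "ip"]:
            src, i = _parse_addr(tokens, 4)
            dst, _ = _parse_addr(tokens, i)
            entries.append((src, dst))
    return entries

def interface_address(config, ifname):
    """Address configured under 'interface <ifname>', or None."""
    current = None
    for line in config.splitlines():
        tokens = line.split()
        if tokens[:1] == ["interface"]:
            current = tokens[1]
        elif current == ifname and tokens[:2] == ["ip", "address"]:
            return ipaddress.IPv4Address(tokens[2])
    return None

def nat_policy(config):
    """Return (nat_acl_number, overload_interface); follows a route-map to its ACL."""
    m = NAT_RE.search(config)
    if not m:
        raise ValueError("no 'ip nat inside source ... overload' statement")
    kind, selector, ifname = m.groups()
    if kind == "list":
        return int(selector), ifname
    in_map = False
    for line in config.splitlines():
        tokens = line.split()
        if tokens[:2] == ["route-map", selector]:
            in_map = True
        elif in_map and tokens[:3] == ["match", "ip", "address"]:
            return int(tokens[3]), ifname
        elif not line.startswith(" "):
            in_map = False
    raise ValueError(f"route-map {selector} has no 'match ip address'")

def crypto_acl(config):
    """ACL number referenced by the crypto map's 'match address'."""
    for line in config.splitlines():
        tokens = line.split()
        if tokens[:2] == ["match", "address"]:
            return int(tokens[2])
    raise ValueError("no crypto map 'match address'")

def check_pat_over_tunnel(config):
    """Return a list of problems; an empty list means the crypto ACL fits the PAT."""
    problems = []
    nat_acl, ifname = nat_policy(config)
    pat_addr = interface_address(config, ifname)
    nat_dsts = [dst for _, dst in parse_acl(config, nat_acl)]
    for src, dst in parse_acl(config, crypto_acl(config)):
        if src.prefixlen != 32 or src.network_address != pat_addr:
            problems.append(f"crypto ACL source {src} is not the PAT address {pat_addr}: "
                            "packets are translated before encryption, so they would never match")
        if dst not in nat_dsts:
            problems.append(f"crypto ACL destination {dst} is not a destination in NAT ACL {nat_acl}")
    return problems

def asa_mirror_acl(config, name="OUTSIDE_cryptomap"):
    """The ASA-side crypto ACL is the router's with source and destination swapped."""
    def asa(net):
        return f"host {net.network_address}" if net.prefixlen == 32 else f"{net.network_address} {net.netmask}"
    return [f"access-list {name} extended permit ip {asa(dst)} {asa(src)}"
            for src, dst in parse_acl(config, crypto_acl(config))]

if __name__ == "__main__":
    print(check_pat_over_tunnel(ROUTER_CONFIG) or "crypto ACL is consistent with the PAT")
    print("\n".join(asa_mirror_acl(ROUTER_CONFIG)))
```

Swapping the crypto ACL's source for the real inside subnet (the mistake the thread warns about) makes the checker report that translated packets would never match the crypto map, which is exactly why the tunnel would never come up from that side.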
03-11-2010 07:34 AM
Hi There
Thanks for the reply
Can you tell me what the end point address would be through the tunnel, or the default gateway?
route-map NAT
 match ip address 199
 set ip next-hop x.x.x.x --> default gateway or path through the tunnel
cheers
Carl
03-11-2010 11:19 AM
x.x.x.x will be the default gateway of the Router (the next-hop to reach the ASA).
Give it a shot and let us know if the tunnel establishes.
You can use the commands:
sh ip nat trans --> To verify PAT is taking place
sh cry isa sa --> to verify phase 1
sh cry ips sa --> to verify phase 2
Federico.
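The three show commands above are the verification steps for this design. As an added example (not Federico's or Cisco's code), the Python below parses constructed samples shaped like their output and turns them into the checks a practitioner would do by eye: that flows toward the ASA's subnet really are translated to the PAT address, that an ISAKMP SA is in QM_IDLE, and that IPsec packets are both leaving and returning. The sample outputs, peer address 198.51.100.1 and counters are constructed for the example.

```python
import ipaddress
import re

# Constructed outputs shaped like the three IOS commands (not captured from the thread).
SHOW_IP_NAT_TRANS = """\
Pro Inside global      Inside local       Outside local      Outside global
tcp 200.1.1.1:1024     10.0.0.10:49152    192.168.1.20:443   192.168.1.20:443
icmp 200.1.1.1:512     10.0.0.11:512      192.168.1.20:512   192.168.1.20:512
tcp 200.1.1.1:1025     10.0.0.10:49153    203.0.113.5:80     203.0.113.5:80
"""
SHOW_CRYPTO_ISAKMP_SA = """\
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
198.51.100.1    200.1.1.1       QM_IDLE           1001 ACTIVE
"""
SHOW_CRYPTO_IPSEC_SA = """\
   local  ident (addr/mask/prot/port): (200.1.1.1/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
    #pkts encaps: 42, #pkts encrypt: 42, #pkts digest: 42
    #pkts decaps: 40, #pkts decrypt: 40, #pkts verify: 40
"""

def _ip(addr_port):
    """'10.0.0.10:49152' -> IPv4Address('10.0.0.10')."""
    return ipaddress.IPv4Address(addr_port.rsplit(":", 1)[0])

def parse_nat_translations(text):
    """Rows of 'show ip nat translations' as dicts; skips the header and static '---' rows."""
    rows = []
    for line in text.splitlines()[1:]:
        tokens = line.split()
        if len(tokens) == 5 and "---" not in tokens:
            proto, ig, il, _ol, og = tokens
            rows.append({"proto": proto, "inside_global": _ip(ig),
                         "inside_local": _ip(il), "outside": _ip(og)})
    return rows

def check_pat(rows, pat_addr, remote_net):
    """Count flows toward the remote subnet and list any not translated to the PAT address."""
    pat_addr = ipaddress.IPv4Address(pat_addr)
    remote_net = ipaddress.IPv4Network(remote_net)
    to_tunnel = [r for r in rows if r["outside"] in remote_net]
    return {"tunnel_flows": len(to_tunnel),
            "not_patted": [r for r in to_tunnel if r["inside_global"] != pat_addr]}

def isakmp_established(text):
    """Phase 1 is up when an SA row shows state QM_IDLE and status ACTIVE."""
    return any(line.split()[2:3] == ["QM_IDLE"] and "ACTIVE" in line
               for line in text.splitlines())

def ipsec_counters(text):
    """(#pkts encaps, #pkts decaps) from 'show crypto ipsec sa'."""
    enc = int(re.search(r"#pkts encaps: (\d+)", text).group(1))
    dec = int(re.search(r"#pkts decaps: (\d+)", text).group(1))
    return enc, dec

def diagnose(nat_text, isakmp_text, ipsec_text, pat_addr, remote_net):
    """Return findings; an empty list means all three of the thread's checks pass."""
    findings = []
    nat = check_pat(parse_nat_translations(nat_text), pat_addr, remote_net)
    if nat["tunnel_flows"] == 0:
        findings.append("no translations toward the remote subnet: nothing sent yet, or the NAT ACL does not match")
    for r in nat["not_patted"]:
        findings.append(f"{r['inside_local']} reaches {r['outside']} as {r['inside_global']}, "
                        "which the crypto ACL (host PAT address) will not match")
    if not isakmp_established(isakmp_text):
        findings.append("phase 1 not established: no ISAKMP SA in QM_IDLE/ACTIVE")
    enc, dec = ipsec_counters(ipsec_text)
    if enc == 0:
        findings.append("phase 2: nothing encapsulated, interesting traffic never hit the crypto map")
    elif dec == 0:
        findings.append("phase 2: packets leave but none return; check the ASA's mirror ACL and its route back to the PAT address")
    return findings

if __name__ == "__main__":
    result = diagnose(SHOW_IP_NAT_TRANS, SHOW_CRYPTO_ISAKMP_SA, SHOW_CRYPTO_IPSEC_SA,
                      "200.1.1.1", "192.168.1.0/24")
    print(result or "PAT, phase 1 and phase 2 all look healthy")
```

The encaps-but-no-decaps case is the one to watch with this design: it is what you see when the ASA's crypto ACL is not an exact mirror of the router's, since the ASA then has no SA whose proxy identity covers the PAT host address.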
03-15-2010 09:22 AM
Hi
I'm still unsure, will the next hop just be my ISP internet router address then?
03-15-2010 09:26 AM
Correct.
The IP of your ISP router that belongs to the same subnet as your router.
In other words, your router's default gateway.
Federico.