05-25-2010 01:26 PM
We are configuring a remote site with an ASA 5580 at each site. Our IP segment for the server [which they are to have access to] uses the same segment for other services within their organization. Our server is one of the core servers which our physicians access remotely to read cases. Our segment is also used with all of the remote sites which we are communicating with. I want to be able to NAT for this particular server only for this site-to-site VPN tunnel and not for the entire network segment. I want to perform this without breaking our segment.
Please advise.
05-25-2010 01:29 PM
Hi,
In order to NAT just specific traffic through one tunnel, you should use Policy NAT.
Let us know if you can share more details to help you out.
Federico.
05-25-2010 01:38 PM
Then I would require two commands in order to make this work, such as:
access-list policy-nat extended permit ip (inside IP) 255.255.255.0 x.x.x.x (remote IP) 255.255.255.0
then
static (inside,outside) remote IP address access-list policy-nat
what else do you require as far as information?
05-25-2010 01:45 PM
Actually, that's what you need.
Since the ASA has an order in the NAT checking, make sure there's no NAT exemption or static NATs for those IPs, so that the Policy NAT will work.
Federico.
05-25-2010 02:14 PM
There is a NAT exemption for outbound traffic on this particular interface.
05-25-2010 02:33 PM
The nat exemption in the outbound direction won't matter unless it specifically overlaps.
For example say your L2L is between 192.168.1.0 (local) and 192.168.2.0 (remote)....
Policy NAT:
access-list policynat permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
nat (inside) 1 access-list policynat
global (outside) 1 4.4.4.4
NAT exemption that would break this policy NAT:
access-list nonat permit ip 192.168.1.0 255.255.255.0 any
nat (inside) 0 access-list nonat
*Destination is any, so that matches our remote 192.168.2.0 255.255.255.0 and would take priority because it's NAT exemption.
Nat exemption which would have no effect on this traffic:
access-list nonat permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
nat (inside) 0 access-list nonat
*Destination is 192.168.3.0, so that does not match our remote 192.168.2.0 255.255.255.0, and this NAT exemption would have no effect on our policy NAT.
Hope this helps clear things up,
-heather
05-25-2010 04:12 PM
P.S. If I have answered your question please mark the post as resolved and rate the responses. This helps us more easily identify which questions remain unanswered and let us know how we are doing. Thanks in advance!
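Putting Federico's and Heather's replies together for the case the original poster actually asked about (one server, not the whole /24), here is an added worked configuration in pre-8.3 ASA syntax. It is not from any of the posters. The addresses (192.168.1.10 for the server, 172.16.1.10 as the address the remote site will see, 192.168.2.0/24 for the remote site's hosts, 203.0.113.5 for the peer), the ACL and map names, and the two pre-existing exemption lines are all assumptions for illustration. Comment lines begin with a colon, which the ASA accepts at the config prompt but does not save into the running configuration.

```text
: Added example, not from the thread. All addresses and names are assumptions.
:   192.168.1.10    server on the shared inside segment 192.168.1.0/24
:   172.16.1.10     address the remote site will see for that server
:   192.168.2.0/24  range the remote site's hosts use when they reach us
:                   (if their LAN overlaps ours, they translate to this range on their end)
:   203.0.113.5     remote site's VPN peer
:
: 1) Policy NAT for this one host, and only toward the remote site's range.
:    A static is used because the remote physicians initiate toward the server.
access-list policy-nat extended permit ip host 192.168.1.10 192.168.2.0 255.255.255.0
static (inside,outside) 172.16.1.10 access-list policy-nat
:
: 2) NAT exemption for the other tunnels. List each remote subnet explicitly.
:    A line whose destination is "any" would also match 192.168.2.0/24, and
:    because nat 0 is checked before the static above, the server would leave
:    untranslated and the tunnel would carry 192.168.1.10 instead of 172.16.1.10.
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 192.168.4.0 255.255.255.0
nat (inside) 0 access-list nonat
:
: 3) Crypto ACL for this peer. NAT runs before the crypto-map match on outbound
:    traffic, so the interesting traffic is the translated host, not 192.168.1.10.
access-list vpn-site-b extended permit ip host 172.16.1.10 192.168.2.0 255.255.255.0
:
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ipsec transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
crypto map outside_map 10 match address vpn-site-b
crypto map outside_map 10 set peer 203.0.113.5
crypto map outside_map 10 set transform-set ESP-AES256-SHA
crypto map outside_map interface outside
tunnel-group 203.0.113.5 type ipsec-l2l
tunnel-group 203.0.113.5 ipsec-attributes
 pre-shared-key <long-random-shared-secret>
```

The remote ASA's crypto ACL has to mirror this with host 172.16.1.10 as the destination and 192.168.2.0/24 as the source, and the remote site only ever sees 172.16.1.10, so the rest of 192.168.1.0/24 stays untouched for the other tunnels. To confirm which NAT rule a flow hits before asking the other company to test, run packet-tracer input inside tcp 192.168.1.10 1024 192.168.2.10 443 on the ASA: the NAT phase in its output shows whether the flow matched the static policy NAT or fell into the exemption, and once the remote side has connected, show xlate should list 192.168.1.10 mapped to 172.16.1.10.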
05-26-2010 09:48 AM
I have run into the same problem with another site and am trying to have them test a tunnel while utilizing the nat policy commands.
I will let you know what actually worked as soon as I can get the second company to commit to establishing a tunnel.