L2L Policy NAT but making it use PAT

clark.d
Level 1

The following config will do Policy NAT on a L2L tunnel, but I want to PAT from one IP. So, for example, instead of NATing 172.16.5.0, I want to PAT 172.16.5.10 for all inside clients before crossing the tunnel. Can this be done? How? I tried setting the static to 172.16.5.10 but get errors about overlapping global...

In order to configure Policy NAT for VPN traffic, for example, to change the source address, refer to this configuration example. In this example, the internal network is 10.10.1.0/24.

  • Create an access-list for Policy NAT with real source and a destination IP address.

access-list POLICYNAT extended permit ip 10.10.1.0 255.255.255.0 host 172.16.1.1
access-list POLICYNAT extended permit ip 10.10.1.0 255.255.255.0 1.1.1.0 255.255.255.0

  • Create a static command stating that when the source is 10.10.1.0 and the destination is 172.16.1.1 or 1.1.1.0, the source is changed to 172.16.5.0.

static (inside,outside) 172.16.5.0 access-list POLICYNAT

  • Create a crypto access-list with the source as the new IP address defined in Policy NAT, for example, 172.16.5.0.

access-list VPN extended permit ip 172.16.5.0 255.255.255.0 host 172.16.1.1
access-list VPN extended permit ip 172.16.5.0 255.255.255.0 1.1.1.0 255.255.255.0

  • Apply the crypto access-list to crypto map.

crypto map VPN 10 match address VPN

1 Reply

Jennifer Halim
Cisco Employee

Please kindly be advised that with PAT, the traffic can only be initiated from the PAT end of the L2L tunnel, not the other way round since PAT is dynamic.

Here is what can be configured:

- As per your example, local subnet is 10.10.10.0/24, remote subnet is 1.1.1.0/24, and you would like to PAT the 10.10.10.0/24 subnet to 172.16.5.10.

I will also use the same ACL: POLICYNAT:

nat (inside) 5 access-list POLICYNAT

global (outside) 5 172.16.5.10

Crypto ACL will then be "permit ip host 172.16.5.10 1.1.1.0 255.255.255.0", and "permit ip host 172.16.5.10 host 172.16.1.1", with mirror image ACL on the other side of the L2L tunnel.

Hope that helps.
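The two translation styles discussed in this thread, modelled as an added example (not code from either poster or from Cisco): a reversible 1:1 policy static for 10.10.1.0/24 to 172.16.5.0/24, and a dynamic PAT to 172.16.5.10 whose xlate only exists after inside-initiated traffic, which is why the reply says remote-initiated sessions cannot work with PAT. It uses the 10.10.1.0/24 subnet from the question and assumes a constructed port allocator and in-memory xlate table.

```python
import ipaddress

# Added model of the thread's two translation styles; constructed helper, not ASA
# code. Crypto ACLs see the post-NAT source, and PAT has no xlate until inside sends.
INSIDE = ipaddress.ip_network("10.10.1.0/24")          # real inside subnet
REMOTES = [ipaddress.ip_network("1.1.1.0/24"),
           ipaddress.ip_network("172.16.1.1/32")]       # destinations in POLICYNAT
STATIC_POOL = ipaddress.ip_network("172.16.5.0/24")    # static (inside,outside) 172.16.5.0
PAT_ADDR = "172.16.5.10"                               # global (outside) 5 172.16.5.10

def policy_match(src, dst):
    """access-list POLICYNAT: real source 10.10.1.0/24 towards the remote nets."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return s in INSIDE and any(d in r for r in REMOTES)

def static_outbound(src, dst):
    """1:1 policy NAT keeps the host offset, so 10.10.1.20 -> 172.16.5.20."""
    if not policy_match(src, dst):
        return None
    offset = int(ipaddress.ip_address(src)) - int(INSIDE.network_address)
    return str(STATIC_POOL.network_address + offset)

def static_inbound(mapped_dst):
    """Remote-initiated traffic to 172.16.5.x untranslates to 10.10.1.x."""
    m = ipaddress.ip_address(mapped_dst)
    if m not in STATIC_POOL:
        return None
    return str(INSIDE.network_address + (int(m) - int(STATIC_POOL.network_address)))

class Pat:
    """Dynamic PAT: an xlate exists only after inside-initiated traffic."""
    def __init__(self):
        self.xlates = {}       # mapped port -> (real source, real port)
        self.next_port = 1024  # constructed port allocator
    def outbound(self, src, sport, dst):
        if not policy_match(src, dst):
            return None
        port, self.next_port = self.next_port, self.next_port + 1
        self.xlates[port] = (src, sport)
        return (PAT_ADDR, port)
    def inbound(self, mapped_port):
        """A packet from the remote end with no xlate cannot be untranslated."""
        return self.xlates.get(mapped_port)

def crypto_acl_permits(src, dst):
    """Crypto ACL from the reply: permit ip host 172.16.5.10 <remote nets>."""
    return src == PAT_ADDR and any(ipaddress.ip_address(dst) in r for r in REMOTES)
```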