Policy-Nat for VPN L2L (ASA 5510)


Hello, I am having some issues with adding a policy-nat for an L2L VPN in order to NAT all the private addresses sent across the tunnel to a single address (9.43.121.7).



When I try to add the statement:


static (inside,outside) 9.43.131.7 access-list vpn-policy-nat


I get the error:


"ERROR: access-list used in static has different local addresses"


I do want address 11.0.10.150 to be sent across as the real address, and that is working.


Relevant config below:


access-list vpn_map extended permit ip host 9.43.131.7 host 104.9.57.148
access-list vpn_map extended permit ip host 11.0.10.150 host 104.9.57.179

access-list inside_nat0_outbound extended permit ip host 11.0.10.150 host 104.9.57.179
access-list vpn-policy-nat extended permit ip host 11.0.0.30 host 104.9.57.148
access-list vpn-policy-nat extended permit ip host 11.0.0.10 host 104.9.57.148
access-list vpn-policy-nat extended permit ip host 11.0.0.11 host 104.9.57.148
access-list vpn-policy-nat extended permit ip host 11.0.0.12 host 104.9.57.148
access-list vpn-policy-nat extended permit ip host 11.0.0.13 host 104.9.57.148
access-list vpn-policy-nat extended permit ip host 11.0.0.14 host 104.9.57.148
access-list vpn-policy-nat extended permit ip host 11.0.0.21 host 104.9.57.148
access-list vpn-policy-nat extended permit ip host 11.0.0.23 host 104.9.57.148
access-list vpn-policy-nat extended permit ip host 11.0.0.94 host 104.9.57.148
access-list vpn-policy-nat extended permit ip host 11.0.5.100 host 104.9.57.148


global (outside) 1 interface

nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 138.1.0.0 255.255.0.0
nat (inside) 1 11.0.0.0 255.0.0.0


crypto map vpn_map 10 match address vpn_map


Any ideas would be greatly appreciated. I am running version 7.2.5 on the ASA 5510.


Thanks

Diego Armando C... Thu, 08/26/2010 - 12:24

Hello,


You are actually doing PAT for the VPN; that's not going to work. What is the firewall going to do when it receives a packet destined to 9.43.131.7?


You have several IP sources in the ACL:


access-list vpn-policy-nat extended permit ip host 11.0.0.30 host 104.9.57.148
access-list vpn-policy-nat extended permit ip host 11.0.0.10 host 104.9.57.148
access-list vpn-policy-nat extended permit ip host 11.0.0.11 host 104.9.57.148
access-list vpn-policy-nat extended permit ip host 11.0.0.12 host 104.9.57.148
access-list vpn-policy-nat extended permit ip host 11.0.0.13 host 104.9.57.148
access-list vpn-policy-nat extended permit ip host 11.0.0.14 host 104.9.57.148
access-list vpn-policy-nat extended permit ip host 11.0.0.21 host 104.9.57.148
access-list vpn-policy-nat extended permit ip host 11.0.0.23 host 104.9.57.148
access-list vpn-policy-nat extended permit ip host 11.0.0.94 host 104.9.57.148
access-list vpn-policy-nat extended permit ip host 11.0.5.100 host 104.9.57.148


There is a configuration example right here:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00808c9950.shtml



Check the difference with your config:


access-list policy-nat extended permit ip 192.168.1.0 255.255.255.0 10.1.0.0 255.255.255.0

static (inside,outside) 172.18.1.0  access-list policy-nat



In this example we are matching a 24-bit network going to a 24-bit network; it will be NATted to a 24-bit network as well, 172.18.1.0.


Hope it helps.

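To make the point of the answer concrete, here is an added example (not from the original thread or from Cisco's documentation) in pre-8.3 ASA syntax. It puts the rejected form next to the one-to-one static policy NAT the answer recommends. The 11.0.0.0/24 real network, the 9.43.131.0/24 mapped network and the ACL names `vpn-policy-nat-host` and `vpn-policy-nat` are constructed for illustration; the mapped range is assumed to be what the remote peer expects in its own interesting-traffic ACL.

```cisco
! --- Rejected form: several distinct real hosts, one mapped host ---
! A static with an ACL is a one-to-one translation, so the ACL may only
! describe a single real address (or a network the same size as the
! mapped one). Two different real hosts produce:
!   ERROR: access-list used in static has different local addresses
access-list vpn-policy-nat-host extended permit ip host 11.0.0.30 host 104.9.57.148
access-list vpn-policy-nat-host extended permit ip host 11.0.0.10 host 104.9.57.148
static (inside,outside) 9.43.131.7 access-list vpn-policy-nat-host

! --- Accepted form: /24 real network mapped one-to-one onto a /24 ---
! 11.0.0.x becomes 9.43.131.x only when the destination is the peer's
! host 104.9.57.148; other traffic from 11.0.0.0/24 is untouched by this rule.
access-list vpn-policy-nat extended permit ip 11.0.0.0 255.255.255.0 host 104.9.57.148
static (inside,outside) 9.43.131.0 access-list vpn-policy-nat

! The crypto ACL must match the translated (mapped) addresses, because the
! ASA applies NAT before the traffic is matched against the crypto map.
access-list vpn_map extended permit ip 9.43.131.0 255.255.255.0 host 104.9.57.148
access-list vpn_map extended permit ip host 11.0.10.150 host 104.9.57.179
crypto map vpn_map 10 match address vpn_map

! Hosts outside the /24 (e.g. 11.0.5.100 in the question) are not covered
! here; each needs its own static with a mapped address of matching size.

! Verification after bringing the tunnel up:
!   show xlate            -> one 11.0.0.x <-> 9.43.131.x entry per active host
!   show crypto ipsec sa  -> local ident 9.43.131.0/255.255.255.0, not 11.0.0.0/24
```

The practical consequence for the original question is that a single mapped address can only ever stand for a single real host in a static; translating many hosts to one address is dynamic PAT, which the answer explains is not suitable here because the firewall has no way to pick a real host for traffic arriving at 9.43.131.7.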