08-26-2010 11:52 AM - edited 03-11-2019 11:31 AM
Hello, I am having some issues with adding a policy NAT for an L2L VPN in order to NAT all the private addresses sent across the tunnel to a single address (9.43.121.7).
When I try to add the statement:
static (inside,outside) 9.43.131.7 access-list vpn-policy-nat
I get the error:
"ERROR: access-list used in static has different local addresses"
I do want address 11.0.10.150 to be sent across as the real address, and that is working.
Relevant config below:
access-list vpn_map extended permit ip host 9.43.131.7 host 104.9.57.148
access-list vpn_map extended permit ip host 11.0.10.150 host 104.9.57.179
access-list inside_nat0_outbound extended permit ip host 11.0.10.150 host 104.9.57.179
access-list vpn-policy-nat extended permit ip host 11.0.0.30 host 104.9.57.148
access-list vpn-policy-nat extended permit ip host 11.0.0.10 host 104.9.57.148
access-list vpn-policy-nat extended permit ip host 11.0.0.11 host 104.9.57.148
access-list vpn-policy-nat extended permit ip host 11.0.0.12 host 104.9.57.148
access-list vpn-policy-nat extended permit ip host 11.0.0.13 host 104.9.57.148
access-list vpn-policy-nat extended permit ip host 11.0.0.14 host 104.9.57.148
access-list vpn-policy-nat extended permit ip host 11.0.0.21 host 104.9.57.148
access-list vpn-policy-nat extended permit ip host 11.0.0.23 host 104.9.57.148
access-list vpn-policy-nat extended permit ip host 11.0.0.94 host 104.9.57.148
access-list vpn-policy-nat extended permit ip host 11.0.5.100 host 104.9.57.148
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 138.1.0.0 255.255.0.0
nat (inside) 1 11.0.0.0 255.0.0.0
crypto map vpn_map 10 match address vpn_map
Any ideas would be greatly appreciated. I am running version 7.2.5 on an ASA 5510.
Thanks
08-26-2010 12:24 PM
Hello,
You are actually doing PAT for the VPN; that's not going to work. What is the firewall going to do when it receives a packet destined to 9.43.131.7?
You have several IP sources in the ACL:
access-list vpn-policy-nat extended permit ip host 11.0.0.30 host 104.9.57.148
access-list vpn-policy-nat extended permit ip host 11.0.0.10 host 104.9.57.148
access-list vpn-policy-nat extended permit ip host 11.0.0.11 host 104.9.57.148
access-list vpn-policy-nat extended permit ip host 11.0.0.12 host 104.9.57.148
access-list vpn-policy-nat extended permit ip host 11.0.0.13 host 104.9.57.148
access-list vpn-policy-nat extended permit ip host 11.0.0.14 host 104.9.57.148
access-list vpn-policy-nat extended permit ip host 11.0.0.21 host 104.9.57.148
access-list vpn-policy-nat extended permit ip host 11.0.0.23 host 104.9.57.148
access-list vpn-policy-nat extended permit ip host 11.0.0.94 host 104.9.57.148
access-list vpn-policy-nat extended permit ip host 11.0.5.100 host 104.9.57.148
There is a configuration example right here:
Check the difference with your config:
access-list policy-nat extended permit ip 192.168.1.0 255.255.255.0 10.1.0.0 255.255.255.0
In this example we are matching a /24 network going to a /24 network; it will be NATted to a /24 network as well (172.18.1.0).
Hope it helps.
08-26-2010 01:20 PM
Thanks for the reply,
Figured it out.
Added:
nat (inside) 11 access-list vpn-policy-nat
global (outside) 11 9.43.131.7
instead of the static (inside,outside), and it works. I only needed the VPN to go one way (outbound).
Thank you very much!
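The distinction the thread arrives at, as an added example that is not code from this thread or from Cisco: a `static` policy NAT is a 1:1, bidirectional mapping, so the ASA insists that every entry in its access-list share one real (local) source, while `nat`/`global` with a shared id is outbound-only dynamic policy PAT and may carry many sources. The script below re-implements that check over running-config text, and also verifies that the crypto-map ACL matches the post-NAT (mapped) addresses for policy NAT and the real addresses for `nat 0` exemption, since the ASA translates before it evaluates the crypto map. The command syntax is ASA 7.x syntax; the parser only handles the forms used above (`extended permit ip` with `host`, `any` or network/mask), and the sample configs are constructed from the lines posted in the thread with the policy-NAT ACL trimmed to three hosts.

```python
"""Lint ASA 7.x-style policy NAT against the crypto-map ACL (added example)."""
import ipaddress
from collections import defaultdict

Net = ipaddress.IPv4Network


def _take_addr(tok, i):
    """Consume one ASA address spec at tok[i]; return (network, next_index)."""
    if tok[i] == "host":
        return Net(tok[i + 1] + "/32"), i + 2
    if tok[i] == "any":
        return Net("0.0.0.0/0"), i + 1
    return Net(f"{tok[i]}/{tok[i + 1]}", strict=False), i + 2


def parse_config(text):
    """Pick ACLs, static/nat/global and crypto-map lines out of config text."""
    cfg = {"acl": defaultdict(list), "static": [], "nat": [],
           "global": defaultdict(list), "crypto": {}}
    for line in text.splitlines():
        tok = line.split()
        if len(tok) >= 7 and tok[0] == "access-list" and tok[2:5] == ["extended", "permit", "ip"]:
            src, i = _take_addr(tok, 5)
            dst, _ = _take_addr(tok, i)
            cfg["acl"][tok[1]].append((src, dst))
        elif tok[:1] == ["static"] and "access-list" in tok:
            # static (real,mapped) MAPPED_IP access-list NAME
            cfg["static"].append({"mapped": Net(tok[2] + "/32"),
                                  "acl": tok[tok.index("access-list") + 1]})
        elif tok[:1] == ["nat"] and len(tok) >= 5 and tok[3] == "access-list":
            cfg["nat"].append({"id": int(tok[2]), "acl": tok[4]})
        elif tok[:1] == ["global"] and len(tok) >= 4:
            cfg["global"][int(tok[2])].append(tok[3])
        elif tok[:2] == ["crypto", "map"] and tok[4:6] == ["match", "address"]:
            cfg["crypto"][tok[2]] = tok[6]
    return cfg


def _covered_by_crypto(cfg, src, dst):
    """True if some crypto-map ACL has an ACE whose src/dst contain this flow."""
    for acl_name in cfg["crypto"].values():
        for s, d in cfg["acl"][acl_name]:
            if src.subnet_of(s) and dst.subnet_of(d):
                return True
    return False


def lint(cfg):
    """Return (severity, message) findings; empty means NAT and crypto ACL agree."""
    out = []
    for st in cfg["static"]:
        locals_ = {src for src, _ in cfg["acl"][st["acl"]]}
        if len(locals_) > 1:  # the check behind the ASA's error message
            out.append(("error", f"access-list {st['acl']} used in static has "
                                 f"{len(locals_)} different local addresses; a static is 1:1 "
                                 f"and bidirectional, use nat/global for many-to-one"))
        for _, dst in cfg["acl"][st["acl"]]:
            if not _covered_by_crypto(cfg, st["mapped"], dst):
                out.append(("warn", f"crypto ACL does not match mapped "
                                    f"{st['mapped'].network_address} -> {dst}"))
    for n in cfg["nat"]:
        if n["id"] == 0:  # NAT exemption: real addresses cross the tunnel untranslated
            for src, dst in cfg["acl"][n["acl"]]:
                if not _covered_by_crypto(cfg, src, dst):
                    out.append(("warn", f"crypto ACL does not match exempted {src} -> {dst}"))
            continue
        if not cfg["global"][n["id"]]:
            out.append(("error", f"nat id {n['id']} on {n['acl']} has no matching global"))
            continue
        for g in cfg["global"][n["id"]]:
            if g == "interface" or "-" in g:  # interface PAT / pool ranges: not checked here
                continue
            for _, dst in cfg["acl"][n["acl"]]:
                if not _covered_by_crypto(cfg, Net(g + "/32"), dst):
                    out.append(("warn", f"crypto ACL does not match mapped {g} -> {dst}"))
    return out


# Constructed from the thread's posted lines (policy-NAT ACL trimmed to three hosts).
COMMON = """
access-list vpn_map extended permit ip host 9.43.131.7 host 104.9.57.148
access-list vpn_map extended permit ip host 11.0.10.150 host 104.9.57.179
access-list inside_nat0_outbound extended permit ip host 11.0.10.150 host 104.9.57.179
access-list vpn-policy-nat extended permit ip host 11.0.0.30 host 104.9.57.148
access-list vpn-policy-nat extended permit ip host 11.0.0.10 host 104.9.57.148
access-list vpn-policy-nat extended permit ip host 11.0.5.100 host 104.9.57.148
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 11.0.0.0 255.0.0.0
crypto map vpn_map 10 match address vpn_map
"""
# What was first tried (the ASA rejects it) and what worked (id 11 ties nat and global).
ATTEMPTED = COMMON + "static (inside,outside) 9.43.131.7 access-list vpn-policy-nat\n"
FIXED = COMMON + "nat (inside) 11 access-list vpn-policy-nat\nglobal (outside) 11 9.43.131.7\n"

if __name__ == "__main__":
    for label, text in (("attempted", ATTEMPTED), ("fixed", FIXED)):
        print(label, lint(parse_config(text)) or "ok")
```

Two caveats worth keeping in mind when reading its output. First, the ASA 7.x NAT order of operations is NAT exemption (`nat 0 access-list`), then static NAT (regular and policy), then dynamic policy NAT, then regular dynamic NAT, which is why the `nat (inside) 11` policy entry wins over the broader `nat (inside) 1 11.0.0.0 255.0.0.0` for the listed hosts. Second, the script only checks that the mapped address is covered by the crypto ACL; it does not tell you that the peer's crypto ACL mirrors it, which it must for the tunnel to come up.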