Static NAT for a VPN client on ASA5510

Unanswered Question
Nov 17th, 2010

Hi,


I have the following situation. I set up an IPsec L2L tunnel to an ASA5510 with a static IP running 8.3(1), where the remote site (peer) has a dynamic IP.

I need to create a static NAT for a server which is sitting at the peer's side, i.e. behind the VPN. The tunnel is working just fine, the nets can ping each other, and now I need to make the host at the peer's side accessible from the Internet at a particular IP address, via the VPN tunnel. Is it possible?

The ASA has a routable IP address.


Any help is highly appreciated,

Thank you!


Below is the config of the ASA; some configuration has been omitted:

[Diagram: Drawing1.png]


!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 171.83.220.235 255.255.255.224
!
same-security-traffic permit intra-interface
!
object network obj-192.168.1.0
 subnet 192.168.1.0 255.255.255.0
!
object network Inside_srv
 host 192.168.1.104
!
access-list OUTSIDE_IN extended permit ip any object Inside_srv
!
object network Inside_srv
 nat (outside,outside) static 171.83.220.234
!
access-group OUTSIDE_IN in interface outside
!
crypto ipsec transform-set PEER_SET esp-aes esp-sha-hmac
crypto dynamic-map PEER_MAP 1 set transform-set PEER_SET
crypto map DYN_MAP 10 ipsec-isakmp dynamic PEER_MAP
crypto map DYN_MAP interface outside
crypto isakmp enable outside

praprama (Cisco Employee) Wed, 11/17/2010 - 08:33

Hi Sergey,


This is possible and should work. One thing you need to take care of is the Phase 2 ACL on the remote end. Ensure you have the following crypto ACL entry in the VPN traffic defined:

192.168.1.104 ------> any

Basically, you want anyone from the Internet to be able to access the server, and hence you need this traffic identifier for the VPN on the remote end. On the ASA, we do not need any changes to the VPN config. Your ACL and NAT look fine. It should be working as long as you have the above change on the remote end. What is the remote device?


Let me know if this helps!!


Thanks and Regards,

Prapanch
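The remote-end change the answer above describes, written out as an added example for the thread (it is not configuration from the original poster or from Cisco). It assumes the remote device is a Cisco IOS router with a dynamic WAN address on Dialer0 (the thread never says what the remote device is), and HUB_INSIDE_NET is a placeholder for the hub's inside subnet, which the posted ASA config omits. The ASA side stays exactly as posted in the question; the names PEER_SET and the ASA address 171.83.220.235 are taken from there.

```cisco
! Added example, not from the thread: spoke-side (IOS router) configuration
! that makes 192.168.1.104 reachable through the ASA's (outside,outside) static NAT.
! Assumptions: remote device is a Cisco IOS router; WAN interface is Dialer0;
! HUB_INSIDE_NET is a placeholder for the hub's inside subnet.
! ISAKMP policy and the pre-shared key are omitted, as they are in the question.
!
! 1. Crypto ACL (phase 2 proxy identities). The first ACE is the one the answer
!    asks for: the published server to "any". Without it, the server's replies
!    to Internet clients follow the spoke's own default route in the clear and
!    never reach the ASA, so the static NAT on the ASA can never see return traffic.
ip access-list extended VPN_TRAFFIC
 permit ip host 192.168.1.104 any
 permit ip 192.168.1.0 0.0.0.255 HUB_INSIDE_NET 0.0.0.255
!
! 2. Keep that same traffic out of the spoke's Internet PAT. A spoke with a
!    dynamic IP normally overloads on its WAN interface; if 192.168.1.104's
!    replies are translated before the crypto check, they no longer match
!    VPN_TRAFFIC and leave untunnelled. The deny entries must precede the permit.
ip access-list extended NAT_INSIDE
 deny   ip host 192.168.1.104 any
 deny   ip 192.168.1.0 0.0.0.255 HUB_INSIDE_NET 0.0.0.255
 permit ip 192.168.1.0 0.0.0.255 any
!
ip nat inside source list NAT_INSIDE interface Dialer0 overload
!
! 3. Transform set matching the ASA's PEER_SET, and a static crypto map pointing
!    at the ASA's fixed address. The spoke has to be the initiator: the ASA uses a
!    dynamic crypto map, which can only respond, so the tunnel must already be up
!    before an Internet client can reach 171.83.220.234.
crypto ipsec transform-set PEER_SET esp-aes esp-sha-hmac
!
crypto map SPOKE_MAP 10 ipsec-isakmp
 set peer 171.83.220.235
 set transform-set PEER_SET
 match address VPN_TRAFFIC
!
interface Dialer0
 crypto map SPOKE_MAP
```

To check the result from the ASA side, run packet-tracer for a flow that arrives on the outside interface toward the translated address, for example packet-tracer input outside tcp <client-ip> 1025 171.83.220.234 <server-port>; the output should show the UN-NAT phase mapping 171.83.220.234 to 192.168.1.104 and then a VPN phase, with the egress interface being outside again (which is why same-security-traffic permit intra-interface is required). On either end, show crypto ipsec sa should list a security association whose remote proxy identity is 192.168.1.104/255.255.255.255 to 0.0.0.0/0.0.0.0; if only the LAN-to-LAN identity appears, the new ACE on the spoke is not being matched and the traffic is most likely being PATed first.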

praprama (Cisco Employee) Fri, 11/19/2010 - 20:36

Hi Sergey,


Just wondering if you have managed to try the above out and if it worked. If so, please mark this one as Answered.


Cheers,

Prapanch
