How to Setup Policy-Based NAT for Partner S2S VPN

Answered Question
Feb 22nd, 2012

Hello,

I have been asked to set up an IPsec site-to-site VPN with a company partner.  They require that we NAT our internal hosts to a different network before sending across the tunnel.  These same internal hosts need regular Internet access.  I only want to NAT to a global address if the destination matches certain hosts or subnets.  Otherwise, the address should be sent to regular outbound NAT overload.

I have the following networks needing "conditional" NAT:

172.16.4.0/24

172.16.7.0/24

Remote networks on the partner side are:

10.0.60.0/24

10.0.72.0/24

They've asked that we NAT our hosts to 10.29.96.x.  They will then apply inbound filtering on 10.29.96.x.

Can anybody provide me with the needed access list(s) and NAT statement(s) for my side?

This is a Cisco ASA 5520 to Cisco ASA 5520 IPSec tunnel...

Thanks to everyone in advance!!

Ben Warner

Correct Answer by Matt Lang, Wed, 02/22/2012 - 20:14

Ben,

Here's how I would go about it.  For argument's sake, let's say the partner is called Acme.

object-group network ACME-REMOTE
 network-object 10.0.60.0 255.255.255.0
 network-object 10.0.72.0 255.255.255.0
object-group network ACME-LOCAL
 network-object 172.16.4.0 255.255.255.0
 network-object 172.16.7.0 255.255.255.0
! Policy NAT ACL: match only the inside subnets when they talk to the partner's subnets
access-list ACME-L2L-PNAT permit ip object-group ACME-LOCAL object-group ACME-REMOTE
! nat/global pair 50 (pre-8.3 syntax): PAT the matched flows to 10.29.96.1
nat (inside) 50 access-list ACME-L2L-PNAT
global (outside) 50 10.29.96.1

This configuration will translate the traffic coming from your two internal subnets to 10.29.96.1 only when going to their two subnets.

Matt
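Added example, not part of Matt's answer: the surrounding context the policy NAT needs to actually work. Three things are easy to miss on the ASA. First, the policy nat/global pair only handles the partner-bound flows, so a regular overload pair (nat id 1 below) still has to exist for everything else; policy dynamic NAT is evaluated before regular dynamic NAT regardless of configuration order. Second, the ASA translates outbound packets before it checks them against the crypto map, so the crypto ACL must name the translated address 10.29.96.1, not 172.16.4.0/24 or 172.16.7.0/24. Third, if the 5520 runs 8.3 or later the nat/global syntax no longer exists and the same rule is written as manual (twice) NAT. The subnets and 10.29.96.1 come from the thread; the ACL name ACME-VPN, crypto map name OUTSIDE-MAP, sequence number 10 and peer address 203.0.113.10 are assumptions for illustration.

```cisco
! Objects shared by both syntaxes
object-group network ACME-LOCAL
 network-object 172.16.4.0 255.255.255.0
 network-object 172.16.7.0 255.255.255.0
object-group network ACME-REMOTE
 network-object 10.0.60.0 255.255.255.0
 network-object 10.0.72.0 255.255.255.0
!
! ---- ASA 8.2 and earlier (nat/global) ----
! Policy NAT: inside -> ACME only, PATed to 10.29.96.1
access-list ACME-L2L-PNAT extended permit ip object-group ACME-LOCAL object-group ACME-REMOTE
nat (inside) 50 access-list ACME-L2L-PNAT
global (outside) 50 10.29.96.1
! Regular overload for all other inside traffic (Internet access keeps working).
! Policy NAT (id 50) is checked before this regular dynamic NAT (id 1).
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface
!
! ---- ASA 8.3 and later (manual/twice NAT), same effect ----
! Assumed object name: ACME-PAT-IP. A single host as the mapped object means dynamic PAT.
object network ACME-PAT-IP
 host 10.29.96.1
! Manual NAT (section 1) is matched before any object NAT (section 2), so this
! conditional rule wins over a generic "nat (inside,outside) dynamic interface".
nat (inside,outside) source dynamic ACME-LOCAL ACME-PAT-IP destination static ACME-REMOTE ACME-REMOTE
!
! ---- Crypto ACL (both syntaxes) ----
! Written in terms of the TRANSLATED source: NAT runs before the crypto map lookup,
! so an entry for 172.16.4.0/24 would never match and the tunnel would never form.
access-list ACME-VPN extended permit ip host 10.29.96.1 object-group ACME-REMOTE
crypto map OUTSIDE-MAP 10 match address ACME-VPN
crypto map OUTSIDE-MAP 10 set peer 203.0.113.10
! (transform-set, tunnel-group and ISAKMP settings omitted; NAT does not change them)
```

Two caveats a practitioner would check before handing this to the partner. Because the translation is PAT to one address, only connections initiated from the 172.16.x hosts will work; the partner cannot open a connection to a particular inside host through 10.29.96.1. If they need that, use a dynamic pool inside 10.29.96.0/24 or per-host static policy NAT instead of a single global address. And if the ASA already has a NAT exemption (nat (inside) 0 access-list ...) for another VPN, make sure its ACL does not also cover the ACME destinations, since exemption is evaluated before policy NAT and would silently bypass the 10.29.96.1 translation. Confirm the result with packet-tracer, for example "packet-tracer input inside tcp 172.16.4.10 1025 10.0.60.5 445", which shows both the NAT rule hit and the VPN encrypt phase.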

Posted February 22, 2012 at 5:48 PM
Tags: vpn, nat, pat, asa_5520