ASA 5520 IPSec NAT question

Answered Question
Jul 10th, 2012

I have over 150 VPNs on my ASA 5520.  One specific customer I am setting up a VPN with has an overlap with two of the IPs he needs to reach from his internal network.  He is NATing his internal network to 10.251.11.177, so traffic getting to my ASA is presenting itself as 10.251.11.177 from the 10.251.11.176/29 network.  Now the two IPs from his internal network he needs to reach are 10.1.254.200 and 10.1.254.201.

So, following some documentation on the Cisco website, I am trying to do Policy Based Routing on the ASA 5520 (my end) so that his traffic goes to 1.1.1.1 and 1.1.1.2 instead of 10.1.254.200 and 10.1.254.201.  Once it reaches my ASA 5520 it gets translated back to those IPs.

I'm trying to use the following configuration, but when I try to add the static entries it won't let me add them.  I even tried "static (outside,inside) 1.1.1.1 access-list POLICYNAT" with the ACL in reverse, but no use.

object-group network VPN-MAP
network-object host 1.1.1.1
network-object host 1.1.1.2
!
access-list POLICYNAT extended permit ip host 10.1.254.200 10.251.11.176 255.255.255.248
access-list POLICYNAT extended permit ip host 10.1.254.201 10.251.11.176 255.255.255.248
!
static (inside,outside) 1.1.1.1 access-list POLICYNAT
static (inside,outside) 1.1.1.2 access-list POLICYNAT

Correct Answer by shijogeorge, Wed, 07/11/2012 - 04:19

Try splitting the IPs into two ACLs

access-list POLICYNAT1 extended permit ip host 10.1.254.200 10.251.11.176 255.255.255.248
access-list POLICYNAT2 extended permit ip host 10.1.254.201 10.251.11.176 255.255.255.248
!
static (inside,outside) 1.1.1.1 access-list POLICYNAT1
static (inside,outside) 1.1.1.2 access-list POLICYNAT2

HTH

Shijo George
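Editor's added example, not part of the original thread or of either poster's configuration: the two split statics from the accepted answer placed in the rest of the tunnel configuration they depend on. The point a practitioner hits next is that on the ASA, NAT is applied before the crypto ACL is evaluated, so the interesting-traffic ACL (and the peer's mirror of it) must match the mapped hosts 1.1.1.1 and 1.1.1.2, not 10.1.254.200/.201. The ACL name VPN-CUSTOMER, the crypto map name OUTSIDE_MAP, sequence 150, the transform-set name ESP-AES-SHA, the peer address 203.0.113.10 and the object names in the 8.3+ section are all assumed; the thread names none of them.

```text
! --- Pre-8.3 syntax (matches the thread's "static" commands) ---
! One policy-NAT ACL per static: the ASA will not accept the same ACL on two statics.
access-list POLICYNAT1 extended permit ip host 10.1.254.200 10.251.11.176 255.255.255.248
access-list POLICYNAT2 extended permit ip host 10.1.254.201 10.251.11.176 255.255.255.248
static (inside,outside) 1.1.1.1 access-list POLICYNAT1
static (inside,outside) 1.1.1.2 access-list POLICYNAT2
!
! Crypto ACL uses the MAPPED addresses. Outbound, the packet is translated before it is
! matched against this ACL; inbound, it is decrypted and then un-translated, so the peer
! only ever sees 1.1.1.1 and 1.1.1.2. (names below are assumed, not from the thread)
access-list VPN-CUSTOMER extended permit ip host 1.1.1.1 10.251.11.176 255.255.255.248
access-list VPN-CUSTOMER extended permit ip host 1.1.1.2 10.251.11.176 255.255.255.248
!
crypto map OUTSIDE_MAP 150 match address VPN-CUSTOMER
crypto map OUTSIDE_MAP 150 set peer 203.0.113.10
crypto map OUTSIDE_MAP 150 set transform-set ESP-AES-SHA
!
! --- 8.3 and later: "static" no longer exists; the same policy NAT is twice NAT ---
! (object names assumed)
object network INSIDE-HOST-200
 host 10.1.254.200
object network INSIDE-HOST-201
 host 10.1.254.201
object network MAPPED-HOST-200
 host 1.1.1.1
object network MAPPED-HOST-201
 host 1.1.1.2
object network CUSTOMER-NET
 subnet 10.251.11.176 255.255.255.248
nat (inside,outside) source static INSIDE-HOST-200 MAPPED-HOST-200 destination static CUSTOMER-NET CUSTOMER-NET
nat (inside,outside) source static INSIDE-HOST-201 MAPPED-HOST-201 destination static CUSTOMER-NET CUSTOMER-NET
! The VPN-CUSTOMER crypto ACL above stays the same: it still matches the mapped hosts.
```

The peer side must mirror the crypto ACL exactly, i.e. permit 10.251.11.176/29 to host 1.1.1.1 and to host 1.1.1.2; a mismatch shows up as Phase 2 proposal failures rather than as a NAT problem. To confirm the translation is chosen before debugging IPsec, run `packet-tracer input outside tcp 10.251.11.177 12345 1.1.1.1 443` on the ASA and check that the NAT phase un-translates 1.1.1.1 to 10.1.254.200, and `show xlate` for the resulting entries; a real host other than 10.1.254.200/.201 going to the /29 will not match either policy ACL and will not be translated, which is the intended scoping.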


mali1977us Wed, 07/11/2012 - 12:56

Thank you for the reply. When I do that, the ASA accepts the static commands, but when I look at the config I don't see those commands there at all.

mali1977us Sun, 07/15/2012 - 13:27

Sorry, there was an issue with a typo. That worked; it needed to be split.  Thank you so much.

Posted July 10, 2012 at 3:32 PM
Tags: ipsec, nat, asa, asa_5520, 5520
Categories: ASA