ASA 5520 IPSec NAT question

ALIAOF_ (Level 6)

I have over 150 VPNs on my ASA 5520. One specific customer I am setting up a VPN with has an overlap with two of the IPs he needs to reach from his internal network. He is NATing his internal network to 10.251.11.177, so traffic getting to my ASA is presenting itself as 10.251.11.177 from the 10.251.11.176/29 network. Now, the two IPs from his internal network he needs to reach are 10.1.254.200 and 10.1.254.201.

So, following some documentation on the Cisco website, I am trying to do Policy Based Routing on the ASA 5520 (my end) so that his traffic goes to 1.1.1.1 and 1.1.1.2 instead of 10.1.254.200 and 10.1.254.201. Once it reaches my ASA 5520 it gets translated back to those IPs.

I'm trying to use the following configuration, but when I try to add the static entries it won't let me add them. I even tried "static (outside,inside) 1.1.1.1 access-list POLICYNAT" with the ACL reversed, but no use.

! Mapped addresses the customer will see instead of the real 10.1.254.x hosts
object-group network VPN-MAP
 network-object host 1.1.1.1
 network-object host 1.1.1.2
!
! One policy-NAT ACL matching both real hosts towards the customer's /29
access-list POLICYNAT extended permit ip host 10.1.254.200 10.251.11.176 255.255.255.248
access-list POLICYNAT extended permit ip host 10.1.254.201 10.251.11.176 255.255.255.248
!
! Attempt to bind the same ACL to two different mapped addresses (rejected by the ASA)
static (inside,outside) 1.1.1.1 access-list POLICYNAT
static (inside,outside) 1.1.1.2 access-list POLICYNAT

Accepted Solution

shijogeorge (Level 1)
Try splitting the IPs into two ACLs

! One ACL per real host: a policy static references exactly one ACL,
! and each ACL is bound to one mapped address
access-list POLICYNAT1 extended permit ip host 10.1.254.200 10.251.11.176 255.255.255.248
access-list POLICYNAT2 extended permit ip host 10.1.254.201 10.251.11.176 255.255.255.248
!
! 10.1.254.200 <-> 1.1.1.1 and 10.1.254.201 <-> 1.1.1.2, only for traffic to/from 10.251.11.176/29
static (inside,outside) 1.1.1.1 access-list POLICYNAT1
static (inside,outside) 1.1.1.2 access-list POLICYNAT2

HTH

Shijo George

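To put the accepted answer in context, here is a fuller configuration for the same overlap scenario. This is an added example, not configuration from the thread or from Cisco: the interface names, the crypto map name, the transform set, the customer peer address 203.0.113.10 and the object names are assumed for illustration. Only the two real hosts, the two mapped addresses and the customer /29 come from the thread. The point it adds is that the policy static alone is not enough: on the ASA, NAT is applied before the crypto-map check on the inside-to-outside path, so the crypto ACL (and the customer's mirror of it) must name the mapped 1.1.1.x addresses, never the real 10.1.254.x ones, and a broader NAT exemption (nat 0) rule that also matches these hosts will take precedence over the policy static and silently defeat it.

```cisco
! ---- Pre-8.3 syntax (as used in the thread) ----
!
! Policy static NAT: one ACL per real host, each bound to its own mapped address.
! Policy statics are bidirectional, so the customer initiating to 1.1.1.1 from
! 10.251.11.176/29 is un-NATed to 10.1.254.200 on the way in.
access-list POLICYNAT1 extended permit ip host 10.1.254.200 10.251.11.176 255.255.255.248
access-list POLICYNAT2 extended permit ip host 10.1.254.201 10.251.11.176 255.255.255.248
static (inside,outside) 1.1.1.1 access-list POLICYNAT1
static (inside,outside) 1.1.1.2 access-list POLICYNAT2
!
! Crypto ACL (interesting traffic) uses the MAPPED addresses. NAT runs before the
! crypto check, so the tunnel only ever sees 1.1.1.1 and 1.1.1.2.
! The customer's crypto ACL must be the exact mirror: 10.251.11.176/29 -> host 1.1.1.1 / 1.1.1.2.
access-list VPN-CUSTOMER-X extended permit ip host 1.1.1.1 10.251.11.176 255.255.255.248
access-list VPN-CUSTOMER-X extended permit ip host 1.1.1.2 10.251.11.176 255.255.255.248
!
! Caveat: NAT exemption has the highest NAT priority. With 150 tunnels there is
! usually a wide "nat (inside) 0 access-list NONAT" in place; if NONAT also matches
! 10.1.254.200/201 -> 10.251.11.176/29, the exemption wins and the policy static never
! fires. Do NOT add a NONAT line for this customer's /29 covering these two hosts.
!
crypto map OUTSIDE_MAP 150 match address VPN-CUSTOMER-X
crypto map OUTSIDE_MAP 150 set peer 203.0.113.10
crypto map OUTSIDE_MAP 150 set transform-set ESP-AES-SHA
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 pre-shared-key <pre-shared-key>
!
! ---- Equivalent on ASA 8.3 and later (manual/twice NAT) ----
! The 5520 runs both trains; on 8.3+ the "static ... access-list" form no longer exists.
object network CUST-PEER-NET
 subnet 10.251.11.176 255.255.255.248
object network SRV-200-REAL
 host 10.1.254.200
object network SRV-200-MAPPED
 host 1.1.1.1
object network SRV-201-REAL
 host 10.1.254.201
object network SRV-201-MAPPED
 host 1.1.1.2
! Section 1 rules are evaluated top-down: put these ABOVE any broad identity
! (exemption) rule for the same hosts, or that rule shadows them.
nat (inside,outside) 1 source static SRV-200-REAL SRV-200-MAPPED destination static CUST-PEER-NET CUST-PEER-NET
nat (inside,outside) 2 source static SRV-201-REAL SRV-201-MAPPED destination static CUST-PEER-NET CUST-PEER-NET
!
! ---- Verification ----
! Simulate the customer hitting the mapped address; the NAT/UN-NAT phase should show
! 1.1.1.1 -> 10.1.254.200 and the VPN phase should select the crypto map entry.
! packet-tracer input outside tcp 10.251.11.177 40000 1.1.1.1 445
! show xlate | include 1.1.1.
! show nat                     (pre-8.3: confirm the statics are listed and not shadowed by nat 0)
! show crypto ipsec sa peer 203.0.113.10   (encaps/decaps counters should increment)
```

If `packet-tracer` shows the packet matching a NAT exemption rule instead of the policy static, or the crypto phase reports no matching crypto map, the crypto ACL or the exemption list still references the real 10.1.254.x addresses and needs the mapped ones.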


Thank you for the reply. When I do that, the ASA accepts the static commands, but when I look at the config I don't see those commands there at all.

Sorry, there was an issue with a typo. That worked; it needed to be split. Thank you so much.
