07-10-2012 03:32 PM - edited 02-21-2020 06:11 PM
I have like over 150 VPNs on my ASA 5520. One specific customer I am setting up a VPN with has an overlap with two of the IPs he needs to reach from his internal network. He is NATing his internal network to 10.251.11.177, so traffic getting to my ASA is presenting itself as 10.251.11.177 from the 10.251.11.176/29 network. Now the two IPs from his internal network he needs to reach are 10.1.254.200 and 10.1.254.201.
So following some documentation on the Cisco website I am trying to do Policy Based Routing on the ASA 5520 (my end) so that his traffic goes to 1.1.1.1 and 1.1.1.2 instead of 10.1.254.200 and 10.1.254.201. Once it reaches my ASA 5520 it gets translated back to those IPs.
I'm trying to use the following configuration, but when I try to add the static entries it won't let me add them. I even tried "static (outside,inside) 1.1.1.1 access-list POLICYNAT" with the ACL in reverse, but no use.
object-group network VPN-MAP
network-object host 1.1.1.1
network-object host 1.1.1.2
!
access-list POLICYNAT extended permit ip host 10.1.254.200 10.251.11.176 255.255.255.248
access-list POLICYNAT extended permit ip host 10.1.254.201 10.251.11.176 255.255.255.248
!
static (inside,outside) 1.1.1.1 access-list POLICYNAT
static (inside,outside) 1.1.1.2 access-list POLICYNAT
07-11-2012 04:19 AM
Try splitting the IPs into two ACLs
access-list POLICYNAT1 extended permit ip host 10.1.254.200 10.251.11.176 255.255.255.248
access-list POLICYNAT2 extended permit ip host 10.1.254.201 10.251.11.176 255.255.255.248
!
static (inside,outside) 1.1.1.1 access-list POLICYNAT1
static (inside,outside) 1.1.1.2 access-list POLICYNAT2
HTH
Shijo George
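As an added illustration (not from the thread or from Cisco), a small Python model of what the two static policy NAT statements express: for traffic from 10.251.11.176/29, the mapped addresses 1.1.1.1 and 1.1.1.2 are untranslated back to 10.1.254.200 and 10.1.254.201. It also shows why the single shared ACL has no one-to-one reading, since each mapped address would then stand for both real hosts. The config strings are copied from the posts above; the one-to-one conflict check is this model's own simplifying assumption, not the ASA's validation logic.

```python
import ipaddress

# Config lines from the accepted answer (split ACLs, one per static).
SPLIT_CONFIG = """
access-list POLICYNAT1 extended permit ip host 10.1.254.200 10.251.11.176 255.255.255.248
access-list POLICYNAT2 extended permit ip host 10.1.254.201 10.251.11.176 255.255.255.248
static (inside,outside) 1.1.1.1 access-list POLICYNAT1
static (inside,outside) 1.1.1.2 access-list POLICYNAT2
"""

# The original attempt: both statics reference the same two-host ACL.
SHARED_CONFIG = """
access-list POLICYNAT extended permit ip host 10.1.254.200 10.251.11.176 255.255.255.248
access-list POLICYNAT extended permit ip host 10.1.254.201 10.251.11.176 255.255.255.248
static (inside,outside) 1.1.1.1 access-list POLICYNAT
static (inside,outside) 1.1.1.2 access-list POLICYNAT
"""

def parse(config):
    """Return (mapped_ip, real_ip, remote_network) entries for each static/ACL pair."""
    acls, statics = {}, []
    for line in config.strip().splitlines():
        f = line.split()
        if f[0] == "access-list":
            # access-list NAME extended permit ip host REAL REMOTE_NET REMOTE_MASK
            real = ipaddress.ip_address(f[6])
            remote = ipaddress.ip_network(f"{f[7]}/{f[8]}")
            acls.setdefault(f[1], []).append((real, remote))
        elif f[0] == "static":
            # static (inside,outside) MAPPED access-list NAME
            statics.append((ipaddress.ip_address(f[2]), f[4]))
    return [(mapped, real, net) for mapped, acl in statics for real, net in acls[acl]]

def conflicts(entries):
    """Mapped hosts that would have to represent more than one real host (assumed 1:1 rule)."""
    reals_by_mapped = {}
    for mapped, real, _ in entries:
        reals_by_mapped.setdefault(mapped, set()).add(real)
    return {str(m) for m, reals in reals_by_mapped.items() if len(reals) > 1}

def untranslate(entries, src, dst):
    """Inbound packet from the customer: rewrite the mapped destination to the real host."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for mapped, real, remote in entries:
        if dst == mapped and src in remote:
            return str(real)
    return None  # no policy NAT entry matches this source/destination pair
```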
07-11-2012 12:56 PM
Thank you for the reply. When I do that, the ASA accepts the static commands, but when I look at the config I don't see those commands there at all.
07-15-2012 01:27 PM
Sorry, there was an issue with a typo. That worked; it needed to be split. Thank you so much.