Policy nat with site to site vpn on firewall

Jul 9th, 2013

Site 1: 10.1.1.0/24 LAN range.

Site 2: 20.1.1.0/24 LAN range.

Since the site 1 range is already in use at the far end, policy NAT is used as below.

On site 1:

access-list test 10.1.1.0 255.255.255.0 20.1.1.0 255.255.255.0
nat (inside) 10 access-list test
global (outside) 10 1.1.1.1

access-list crypto_map 1.1.1.0 255.255.255.0 20.1.1.0 255.255.255.0 -- is it correct?

access-list nonat 10.1.1.0 255.255.255.0 20.1.1.0 255.255.255.0 -- (whether the 10 range or the 1 range needs to be specified)

Is the policy NAT config correct?

Another thing: 1.1.1.0/24 is not assigned to any interface on the firewall.

Please assist.

Jouni Forss Tue, 07/09/2013 - 04:30

Hi,

So you want to do dynamic PAT towards the other site?

So the base information is

  • Site A 10.1.1.0/24
  • Site B 20.1.1.0/24
  • Site A PAT IP 1.1.1.1

When Site A connects to Site B, then Site A should be visible to Site B with the IP address 1.1.1.1.

If this is true then the configuration should be (basically your configuration with some corrected typos):

access-list test permit ip 10.1.1.0 255.255.255.0 20.1.1.0 255.255.255.0

nat (inside) 10 access-list test
global (outside) 10 1.1.1.1

access-list crypto_map permit ip host 1.1.1.1 20.1.1.0 255.255.255.0

or

access-list crypto_map permit ip 1.1.1.0 255.255.255.0 20.1.1.0 255.255.255.0

You don't need any statements in a NONAT/NAT0 ACL, since we specifically WANT to NAT the LAN network instead of doing NAT0.

- Jouni

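The ordering that the answer above relies on (policy NAT rewrites the source address before the crypto map ACL is evaluated, and a NAT-exempt entry would bypass that rewrite, so the crypto ACL has to name the translated address and the nonat ACL must not cover the flow) can be checked with a small model. The following Python is an added example written for this page; it is not the ASA's code and not part of the thread. The ACL objects, the `translate` and `will_be_encrypted` helpers, and the sample hosts are constructed here for illustration; the NAT order it models (nat 0 exemption checked before policy NAT) is the ASA 8.2 behaviour the thread's syntax belongs to.

```python
import ipaddress
from dataclasses import dataclass

# Constructed model of the Site A firewall from the thread (ASA 8.2-style
# config). This is an illustration added for the page, not vendor code.


@dataclass(frozen=True)
class AclEntry:
    """One 'permit ip <src> <dst>' line, stored as networks."""
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network

    def matches(self, src_ip, dst_ip):
        return src_ip in self.src and dst_ip in self.dst


def acl(*entries):
    """Build an ACL from ('src/prefix', 'dst/prefix') pairs."""
    return [AclEntry(ipaddress.ip_network(s), ipaddress.ip_network(d))
            for s, d in entries]


def acl_matches(entries, src_ip, dst_ip):
    return any(e.matches(src_ip, dst_ip) for e in entries)


# --- Site A configuration from the thread, expressed as data ---------------
POLICY_NAT_ACL = acl(("10.1.1.0/24", "20.1.1.0/24"))   # access-list test
PAT_IP = ipaddress.ip_address("1.1.1.1")               # global (outside) 10 1.1.1.1

# The two crypto ACL forms the answer gives (both name the post-NAT address):
CRYPTO_ACL_HOST = acl(("1.1.1.1/32", "20.1.1.0/24"))
CRYPTO_ACL_SUBNET = acl(("1.1.1.0/24", "20.1.1.0/24"))
# A crypto ACL written with the pre-NAT LAN address (does not match post-NAT):
CRYPTO_ACL_PRE_NAT = acl(("10.1.1.0/24", "20.1.1.0/24"))
# The nonat entry the question asks about (what NOT to add in this design):
NONAT_ACL_MISTAKE = acl(("10.1.1.0/24", "20.1.1.0/24"))


def translate(src, dst, nonat_acl=(), policy_nat_acl=POLICY_NAT_ACL, pat_ip=PAT_IP):
    """Return the source address as seen on the outside interface after NAT.

    ASA 8.2 evaluates NAT exemption (nat 0 access-list) before policy NAT, so
    a matching nonat entry leaves the packet untranslated. A flow matching no
    rule is modelled as untranslated here (nat-control off).
    """
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if acl_matches(nonat_acl, src_ip, dst_ip):
        return str(src_ip)
    if acl_matches(policy_nat_acl, src_ip, dst_ip):
        return str(pat_ip)
    return str(src_ip)


def will_be_encrypted(src, dst, crypto_acl, nonat_acl=()):
    """True if the flow is selected for the L2L tunnel.

    The crypto map ACL is matched against the packet AFTER NAT, which is why
    the answer's crypto ACL uses 1.1.1.1 / 1.1.1.0 rather than 10.1.1.0.
    """
    translated = ipaddress.ip_address(translate(src, dst, nonat_acl))
    return acl_matches(crypto_acl, translated, ipaddress.ip_address(dst))


if __name__ == "__main__":
    # Constructed sample flow: a Site A host talking to a Site B host.
    src, dst = "10.1.1.5", "20.1.1.7"
    print("post-NAT source:", translate(src, dst))
    print("crypto ACL host 1.1.1.1  :", will_be_encrypted(src, dst, CRYPTO_ACL_HOST))
    print("crypto ACL 1.1.1.0/24    :", will_be_encrypted(src, dst, CRYPTO_ACL_SUBNET))
    print("crypto ACL with 10.1.1.0 :", will_be_encrypted(src, dst, CRYPTO_ACL_PRE_NAT))
    print("with nonat entry added   :",
          will_be_encrypted(src, dst, CRYPTO_ACL_HOST, nonat_acl=NONAT_ACL_MISTAKE))
```

Running it shows the two outcomes the answer describes: with the policy NAT ACL and either crypto ACL form the flow is translated to 1.1.1.1 and selected for the tunnel; with a crypto ACL naming 10.1.1.0/24, or with the proposed nonat entry in place, the flow is never matched by the crypto map and would leave the outside interface in the clear or be dropped instead of being encrypted.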
prashantrecon Tue, 07/09/2013 - 04:54

As I am doing PAT, I do not require the NAT statement, right?

What about this:

1.1.1.0/24 is not assigned to any interface on the firewall, nor on the router.

Will it work?

Jouni Forss Tue, 07/09/2013 - 04:59

Hi,

Since you are using 1.1.1.0/24 only for the L2L VPN connection and NAT purposes, it doesn't have to be configured on any interface or be routed on any upstream router. It's visible to the remote site through the L2L VPN connection.

- Jouni

prashantrecon Tue, 07/09/2013 - 05:53

Thanks, that clears the doubt.

So I can use any IP; it is not mandatory to use a public IP.