Policy nat with site to site vpn on firewall

prashantrecon
Level 1

Site 1: 10.1.1.0/24 LAN range.

Site 2: 20.1.1.0/24 LAN range.

Since the site 1 range is already in use at the far end, policy NAT is used as below.

On site 1:

access-list test 10.1.1.0 255.255.255.0 20.1.1.0 255.255.255.0

nat(inside) 10 access-list test

global(outside) 10 1.1.1.1

access-list crypto_map 1.1.1.0 255.255.255.0 20.1.1.0 255.255.255.0 -- is this correct?

access_list nonat 10.1.1.0 255.255.255.0 20.1.1.0 255.255.255.0 -- (should the 10 range or the 1 range be specified here?)

Is the policy NAT config correct?

Another thing: 1.1.1.0/24 is not assigned to any interface on the firewall.

Please assist.

4 Replies

Jouni Forss
VIP Alumni

Hi,

So you want to do Dynamic PAT towards the other site?

So the base information is

  • Site A 10.1.1.0/24
  • Site B 20.1.1.0/24
  • Site A PAT IP 1.1.1.1

When Site A connects to Site B, Site A should be visible to Site B with the IP address 1.1.1.1.

If this is true, then the configuration should be (basically your configuration with some corrected typos):

access-list test permit ip 10.1.1.0 255.255.255.0 20.1.1.0 255.255.255.0

nat(inside) 10 access-list test

global(outside) 10 1.1.1.1

access-list crypto_map permit ip host 1.1.1.1 20.1.1.0 255.255.255.0

or

access-list crypto_map permit ip 1.1.1.0 255.255.255.0 20.1.1.0 255.255.255.0

You don't need any statements in a NONAT/NAT0 ACL, since we specifically WANT to NAT the LAN network instead of doing NAT0.

- Jouni
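Added example (not from the thread and not Cisco's code): a small Python model of the pre-8.3 ASA lookup order that the answer above relies on, using the thread's addresses. The function names, the sample packet 10.1.1.5 -> 20.1.1.7 and the one-packet simulation are constructed here. It shows why the NONAT entry the question asked about would be harmful: NAT exemption (nat 0 access-list) is evaluated before policy dynamic NAT/PAT, so an exempt entry for 10.1.1.0/24 -> 20.1.1.0/24 would leave the source untranslated, and the crypto ACL written for 1.1.1.1 would no longer match. It also derives the mirror ACL Site B needs, which references only the post-NAT address.

```python
"""Model of pre-8.3 ASA NAT ordering against the L2L crypto ACL.

Constructed example: the addresses and ACL names come from the thread,
the functions and the sample packet are hypothetical.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Ace:
    """One 'permit ip <src> <dst>' entry of an extended ACL (CIDR form)."""
    src: str
    dst: str

    def matches(self, src_ip: str, dst_ip: str) -> bool:
        return (ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(dst_ip) in ipaddress.ip_network(self.dst))


def site_a_config(add_nonat_entry: bool) -> dict:
    """Site A (10.1.1.0/24) as laid out in the answer, optionally with the
    extra NAT-exempt entry the original poster asked about."""
    return {
        # access-list nonat permit ip 10.1.1.0 255.255.255.0 20.1.1.0 255.255.255.0
        # nat (inside) 0 access-list nonat
        "nonat": [Ace("10.1.1.0/24", "20.1.1.0/24")] if add_nonat_entry else [],
        # access-list test permit ip 10.1.1.0 255.255.255.0 20.1.1.0 255.255.255.0
        # nat (inside) 10 access-list test  /  global (outside) 10 1.1.1.1
        "policy_pat": [(Ace("10.1.1.0/24", "20.1.1.0/24"), "1.1.1.1")],
        # access-list crypto_map permit ip host 1.1.1.1 20.1.1.0 255.255.255.0
        "crypto": [Ace("1.1.1.1/32", "20.1.1.0/24")],
    }


def translate(cfg: dict, src_ip: str, dst_ip: str):
    """Return (post-NAT source, rule that fired) following the pre-8.3 order:
    NAT exemption (nat 0 access-list) is checked before policy dynamic PAT."""
    for ace in cfg["nonat"]:
        if ace.matches(src_ip, dst_ip):
            return src_ip, "nat 0 exemption"
    for ace, pat_ip in cfg["policy_pat"]:
        if ace.matches(src_ip, dst_ip):
            return pat_ip, "policy PAT"
    return src_ip, "no NAT rule matched"


def outbound(cfg: dict, src_ip: str, dst_ip: str) -> dict:
    """Outbound traffic is translated before the crypto map is consulted, so
    the crypto ACL is evaluated against the translated source address."""
    xlated, rule = translate(cfg, src_ip, dst_ip)
    return {
        "translated_src": xlated,
        "nat_rule": rule,
        "matches_crypto_acl": any(a.matches(xlated, dst_ip) for a in cfg["crypto"]),
    }


def mirror_acl_for_site_b(cfg: dict) -> list:
    """Site B's crypto ACL must be the exact mirror of Site A's: it only ever
    sees the post-NAT address 1.1.1.1, never 10.1.1.0/24."""
    return [Ace(a.dst, a.src) for a in cfg["crypto"]]


if __name__ == "__main__":
    for nonat in (False, True):
        r = outbound(site_a_config(nonat), "10.1.1.5", "20.1.1.7")
        print(f"nonat entry present={nonat}: {r}")
    print("Site B crypto ACL:", mirror_acl_for_site_b(site_a_config(False)))
```

Without the NONAT entry the packet leaves as 1.1.1.1 and matches the crypto ACL; with it, the packet keeps 10.1.1.5, misses the crypto ACL and is never put into the tunnel. The model only covers the three rule types in the thread (exemption, policy PAT, crypto ACL), not static NAT or regular dynamic NAT.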

As I am doing PAT, I do not require a NAT statement, right?

What about:

1.1.1.0/24 is not assigned to any interface on the firewall, nor on the router.

Will it work?

Hi,

Since you are using the 1.1.1.0/24 only for the L2L VPN connection and NAT purposes, it doesn't have to be configured on any interface or be routed on any upstream router. It's visible to the remote site through the L2L VPN connection.

- Jouni

Thanks, that clears the doubt.

So I can use any IP; it is not mandatory to use a public IP.
