ASA 5505 - NAT 1 to 1 help

mariomark
Level 1

Hi All,

I have Cisco ASA5505 configured with one inside VLAN (10.10.10.x) and one OUTSIDE VLAN.

I have activated an IPsec site-to-site tunnel VPN with a partner, and he wants to see my network as 10.10.20.x (instead of 10.10.10.x) because he already has 10.10.10.x in his network.

How can I do it? I cannot change my internal addresses. So I think we have to configure something that translates my addresses before they enter the tunnel.

How can I do it?

Thanks.

4 Replies

kalavi
Level 1

Hi,

This is the most common scenario we used to face while creating site-to-site VPNs.

We need to configure a static NAT on both ASA/PIX devices, which would translate the IPs into some other IP ranges.

Then we need to specify static routes for these new statically mapped IP addresses on both sides.

Here is a link for same scenario but it is written with reference to checkpoint firewall:

http://docs.spruce.se/docs/5_0/10-to-10_net_using_VPN_and_NAT_NG_and_41.pdf

Hope it might help you,

Khubaib

Hi Khubaib,

thanks for your reply. Your document is very useful and I understood the topology of the configuration.

BUT I don't know how to configure this on the Cisco ASA5505; your document is written for Check Point.

Sorry, but I'm not much of an expert on Cisco.

Thanks!

Hi,

If you are running version 8.2 or prior on your ASA, the below document will help you with it.

http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/cfgnat.html

More specifically, you will have to use "static policy NAT", that is, "static NAT with an access-list", for this to work out. Let me know if this helps!! If you have any doubts, please feel free to post them.

Thanks and Regards,

Prapanch

Jay Johnston
Cisco Employee

To configure this on version 8.3 and greater on the 5505, it will be necessary to perform bi-directional NAT. Your remote location can access your network using the 10.10.20.0/24 network, and in this example we'll have your internal subnet access the remote 10.10.10.0/24 network using the mapped address 10.10.30.0/24.

Your local LAN will send packets to 10.10.30.0/24, the remote LAN will send packets to 10.10.20.0/24, and the ASA will take care of the bi-directional NAT.

object network insideReal
 subnet 10.10.10.0 255.255.255.0
object network insideMapped
 subnet 10.10.20.0 255.255.255.0
object network outsideReal
 subnet 10.10.10.0 255.255.255.0
object network outsideMapped
 subnet 10.10.30.0 255.255.255.0

nat (inside,outside) source static insideReal insideMapped destination static outsideMapped outsideReal

And the packet-tracer output, showing a sample packet being translated and allowed through the ASA:
ASA83# packet-tracer input inside icmp  10.10.10.1 8 0  10.10.30.1
...
Phase: 3
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside,outside) source static insideReal insideMapped destination static outsideMapped outsideReal
Additional Information:
NAT divert to egress interface outside
Untranslate 10.10.30.1/0 to 10.10.10.1/0
...
Phase: 8
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside,outside) source static insideReal insideMapped destination static outsideMapped outsideReal
Additional Information:
Static translate 10.10.10.1/0 to 10.10.20.1/0
...
And the packet captures on the inside and outside interfaces showing the bidirectional translation:
ASA83#
ASA83# show cap
capture out type raw-data interface outside [Capturing - 260 bytes]
  match icmp any any
capture in type raw-data interface inside [Capturing - 260 bytes]
  match icmp any any
ASA83#
ASA83#
ASA83# show cap in

2 packets captured

   1: 20:38:54.419640 10.10.10.1 > 10.10.30.1: icmp: echo request
   2: 20:38:54.421563 10.10.30.1 > 10.10.10.1: icmp: echo reply
2 packets shown
ASA83#
ASA83# show cap out

2 packets captured

   1: 20:38:54.419778 10.10.20.1 > 10.10.10.1: icmp: echo request
   2: 20:38:54.421548 10.10.10.1 > 10.10.20.1: icmp: echo reply
2 packets shown
ASA83#
ASA83#

Note that the ASA will need to have a route not only to the local LAN segment but also to the remote LAN segment. To add this duplicate route, increase the metric for the route facing out the outside interface:

route inside 10.10.10.0 255.255.255.0 10.0.0.2 1
route outside 10.10.10.0 255.255.255.0 192.168.2.5 2
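As an added illustration (not part of the reply above or of any Cisco tool), the following Python model replays the twice-NAT rule from that reply on the captured echo request and reply, so the interface-dependent matching of the overlapping 10.10.10.0/24 objects can be checked offline. The object names and addresses are the ones in the reply; the Packet and TwiceNat classes are assumptions made for this example.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


def _remap(addr, real, mapped):
    """Static subnet translation: keep the host bits, swap the network bits."""
    host_bits = int(ipaddress.ip_address(addr)) - int(real.network_address)
    return str(ipaddress.ip_address(int(mapped.network_address) + host_bits))


class TwiceNat:
    """Model of: nat (inside,outside) source static REAL MAPPED destination static MAPPED REAL."""
    def __init__(self, inside_real, inside_mapped, outside_mapped, outside_real):
        self.inside_real = ipaddress.ip_network(inside_real)
        self.inside_mapped = ipaddress.ip_network(inside_mapped)
        self.outside_mapped = ipaddress.ip_network(outside_mapped)
        self.outside_real = ipaddress.ip_network(outside_real)

    def inside_to_outside(self, pkt):
        """Inside host sends to the *mapped* remote address; source and destination are both rewritten."""
        src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
        if src not in self.inside_real or dst not in self.outside_mapped:
            return None  # no match: a packet sent to the real remote 10.10.10.x is not translated
        return Packet(_remap(pkt.src, self.inside_real, self.inside_mapped),
                      _remap(pkt.dst, self.outside_mapped, self.outside_real))

    def outside_to_inside(self, pkt):
        """Return direction: remote real source, our mapped destination (the UN-NAT phase)."""
        src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
        if src not in self.outside_real or dst not in self.inside_mapped:
            return None
        return Packet(_remap(pkt.src, self.outside_real, self.outside_mapped),
                      _remap(pkt.dst, self.inside_mapped, self.inside_real))


# The four objects from the reply; 10.10.10.0/24 is on both sides, so the arriving
# interface, not the address alone, decides which object a packet matches.
RULE = TwiceNat("10.10.10.0/24", "10.10.20.0/24", "10.10.30.0/24", "10.10.10.0/24")


def translate_ping():
    """Replay the echo request/reply from the captures through the model."""
    request_in = Packet("10.10.10.1", "10.10.30.1")      # as seen on the inside capture
    request_out = RULE.inside_to_outside(request_in)     # 10.10.20.1 > 10.10.10.1 on outside
    reply_out = Packet(request_out.dst, request_out.src)  # partner answers the mapped address
    reply_in = RULE.outside_to_inside(reply_out)         # 10.10.30.1 > 10.10.10.1 on inside
    return request_out, reply_in
```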
