Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
New Member

Can I replace both src and dst ip with policy nat, into VPN?

Hello

I want to setup a L2L-tunnel to a third party. Because of their and our requirements I want to do NAT of both our addresses and theirs in our end. Is that possible?

I'll explain further in attached topology. I have local clients addressed 172.30.30.81-94 that needs to access equipment in the remote end with real IP:s 10.5.10.11-15. However, I want to access these 5 IP:s by addressing them 192.168.7.10,11,20,21,22. Also, my source traffic shouldnt be visible to remote end, I want them to see me as 10.250.192.193-206.

I am trying to do setups like these:

objects:

object-group network VPN-COMPANY_localip_real

network-object 172.30.30.80 255.255.255.240

object-group network VPN-COMPANY_localip_nat

network-object 10.250.192.192 255.255.255.240

object-group network VPN-COMPANY_remoteip_real

network-object host 10.5.10.11

network-object host 10.5.10.12

network-object host 10.5.10.13

network-object host 10.5.10.14

network-object host 10.5.10.15

object-group network VPN-COMPANY_remoteip_nat

network-object host 192.168.7.10

network-object host 192.168.7.11

network-object host 192.168.7.20

network-object host 192.168.7.21

network-object host 192.168.7.22

One per source address:

access-list VPN-COMPANY_static_193 extended permit ip host 172.30.30.81 object-group VPN-COMPANY_remoteip_nat

access-list VPN-COMPANY_static_193 extended permit ip host 172.30.30.81 object-group VPN-COMPANY_remoteip_real

static (Inside,Internet) 10.250.192.193 access-list VPN-COMPANY_static_193

access-list VPN-COMPANY_static_194 extended permit ip host 172.30.30.82 object-group VPN-COMPANY_remoteip_nat

access-list VPN-COMPANY_static_194 extended permit ip host 172.30.30.82 object-group VPN-COMPANY_remoteip_real

static (Inside,Internet) 10.250.192.194 access-list VPN-COMPANY_static_194

..

..

..

and one for each destination ip:

access-list VPN-COMPANY_static_11 extended permit ip object-group VPN-COMPANY_localip_nat host 192.168.7.10

access-list VPN-COMPANY_static_11 extended permit ip object-group VPN-COMPANY_localip_real host 192.168.7.10

static (Inside,Internet) 10.5.10.11 access-list VPN-COMPANY_static_11

access-list VPN-COMPANY_static_12 extended permit ip object-group VPN-COMPANY_localip_nat host 192.168.7.11

access-list VPN-COMPANY_static_12 extended permit ip object-group VPN-COMPANY_localip_real host 192.168.7.11

static (Inside,Internet) 10.5.10.12 access-list VPN-COMPANY_static_12

..

..

..

but, when entering thise statics for 10.5.10.x i get this error message:

ERROR: access-list used in static has different local addresses

What am I doing wrong? Is this possible to do in ASA 8.x?

Also, as you see my policy nat acl:s are twice as big as they should be. That's because I am not fully sure about which ip:s to use, the real or the natted?

2 REPLIES

Re: Can I replace both src and dst ip with policy nat, into VPN?

Yes this is possible - but even your config confuses me!!

Try writing the ACL's withour using objects and use specific host IP's.

This will help with the troubleshooting.

HTH>

Hall of Fame Super Blue

Re: Can I replace both src and dst ip with policy nat, into VPN?

Jimmy

Firstly you will need some static (internet,inside) statements.

Try this config -

These static statements allow your inside devices to send traffic to 192.168.7.x addresses which will then get translated t 10.5.0.x addresses on your firewall

access-list VPN-COMPANY_static_193

static (internet,outside) 192.168.7.10 10.0.5.11 netmask 255.255.255.255

static (internet,outside) 192.168.7.11 10.0.5.12 netmask 255.255.255.255

static (internet,outside) 192.168.7.20 10.0.5.13 netmask 255.255.255.255

static (internet,outside) 192.168.7.21 10.0.5.14 netmask 255.255.255.255

static (internet,outside) 192.168.7.22 10.0.5.15 netmask 255.255.255.255

You need to use the Natted IP's in your acl ie. from your above example -

access-list VPN-COMPANY_static_193 extended permit ip host 172.30.30.81 object-group VPN-COMPANY_remoteip_nat

static (inside,internet) 10.250.192.193 access-list VPN-COMPANY_static_193

and you do this for each source IP.

As for your access-list and statics for the destination address, you don't need them because they have already been taken care of with the first static statements in my post.

Note - that because you are translating 192.168.7.x to 10.0.5.x addressing i'm assuming you don't need to do conditional NAT as you have to do with your source addressing because nothing will try to get 192.168.7.x unless it is via the VPN tunnel.

If i have assumed wrongly you will need to modify the first set of static statements with acls.

Jon

259
Views
0
Helpful
2
Replies
CreatePlease to create content