Can I replace both src and dst ip with policy nat, into VPN?

jilahbg
Level 1

Hello

I want to setup a L2L-tunnel to a third party. Because of their and our requirements I want to do NAT of both our addresses and theirs in our end. Is that possible?

I'll explain further in the attached topology. I have local clients addressed 172.30.30.81-94 that need to access equipment in the remote end with real IPs 10.5.10.11-15. However, I want to access these 5 IPs by addressing them 192.168.7.10,11,20,21,22. Also, my source traffic shouldn't be visible to the remote end; I want them to see me as 10.250.192.193-206.

I am trying to do setups like these:

objects:

object-group network VPN-COMPANY_localip_real
network-object 172.30.30.80 255.255.255.240
object-group network VPN-COMPANY_localip_nat
network-object 10.250.192.192 255.255.255.240
object-group network VPN-COMPANY_remoteip_real
network-object host 10.5.10.11
network-object host 10.5.10.12
network-object host 10.5.10.13
network-object host 10.5.10.14
network-object host 10.5.10.15
object-group network VPN-COMPANY_remoteip_nat
network-object host 192.168.7.10
network-object host 192.168.7.11
network-object host 192.168.7.20
network-object host 192.168.7.21
network-object host 192.168.7.22

One per source address:

access-list VPN-COMPANY_static_193 extended permit ip host 172.30.30.81 object-group VPN-COMPANY_remoteip_nat
access-list VPN-COMPANY_static_193 extended permit ip host 172.30.30.81 object-group VPN-COMPANY_remoteip_real
static (Inside,Internet) 10.250.192.193 access-list VPN-COMPANY_static_193
access-list VPN-COMPANY_static_194 extended permit ip host 172.30.30.82 object-group VPN-COMPANY_remoteip_nat
access-list VPN-COMPANY_static_194 extended permit ip host 172.30.30.82 object-group VPN-COMPANY_remoteip_real
static (Inside,Internet) 10.250.192.194 access-list VPN-COMPANY_static_194
...

and one for each destination IP:

access-list VPN-COMPANY_static_11 extended permit ip object-group VPN-COMPANY_localip_nat host 192.168.7.10
access-list VPN-COMPANY_static_11 extended permit ip object-group VPN-COMPANY_localip_real host 192.168.7.10
static (Inside,Internet) 10.5.10.11 access-list VPN-COMPANY_static_11
access-list VPN-COMPANY_static_12 extended permit ip object-group VPN-COMPANY_localip_nat host 192.168.7.11
access-list VPN-COMPANY_static_12 extended permit ip object-group VPN-COMPANY_localip_real host 192.168.7.11
static (Inside,Internet) 10.5.10.12 access-list VPN-COMPANY_static_12
...

but, when entering these statics for 10.5.10.x I get this error message:

ERROR: access-list used in static has different local addresses

What am I doing wrong? Is this possible to do in ASA 8.x?

Also, as you see, my policy NAT ACLs are twice as big as they should be. That's because I am not fully sure about which IPs to use, the real or the NATted?

2 Replies

andrew.prince
Level 10

Yes this is possible - but even your config confuses me!!

Try writing the ACLs without using objects and use specific host IPs.

This will help with the troubleshooting.

HTH

Jon Marshall
Hall of Fame

Jimmy

Firstly you will need some static (internet,inside) statements.

Try this config -

These static statements allow your inside devices to send traffic to 192.168.7.x addresses, which will then get translated to 10.5.0.x addresses on your firewall

access-list VPN-COMPANY_static_193
static (internet,outside) 192.168.7.10 10.0.5.11 netmask 255.255.255.255
static (internet,outside) 192.168.7.11 10.0.5.12 netmask 255.255.255.255
static (internet,outside) 192.168.7.20 10.0.5.13 netmask 255.255.255.255
static (internet,outside) 192.168.7.21 10.0.5.14 netmask 255.255.255.255
static (internet,outside) 192.168.7.22 10.0.5.15 netmask 255.255.255.255

You need to use the NATted IPs in your ACL, i.e. from your above example -

access-list VPN-COMPANY_static_193 extended permit ip host 172.30.30.81 object-group VPN-COMPANY_remoteip_nat
static (inside,internet) 10.250.192.193 access-list VPN-COMPANY_static_193

and you do this for each source IP.

As for your access-list and statics for the destination address, you don't need them because they have already been taken care of with the first static statements in my post.

Note - that because you are translating 192.168.7.x to 10.0.5.x addressing, I'm assuming you don't need to do conditional NAT as you have to do with your source addressing, because nothing will try to get to 192.168.7.x unless it is via the VPN tunnel.

If i have assumed wrongly you will need to modify the first set of static statements with acls.

Jon
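As an added illustration (not part of either reply, and not ASA code), here is a Python model of the two translation stages Jon describes, using the addresses quoted in the thread: a per-host source static 172.30.30.(80+n) -> 10.250.192.(192+n) for every client, and the destination statics 192.168.7.x <-> 10.5.10.x. It assumes, as the replies do, that the inside addresses the peer's hosts as 192.168.7.x and that the crypto ACL is matched on the already translated addresses, which is why a packet that uses the peer's real 10.5.10.x address from the inside gets no translation at all.

```python
import ipaddress

# Constructed model of the thread's two translation stages (added example, not
# the posters' config); every address below is quoted from the thread.
LOCAL_REAL = ipaddress.ip_network("172.30.30.80/28")   # inside clients .81-.94
LOCAL_NAT = ipaddress.ip_network("10.250.192.192/28")  # how the peer sees them
# Destination statics: address used on the inside -> peer's real host
DST_STATICS = {
    "192.168.7.10": "10.5.10.11",
    "192.168.7.11": "10.5.10.12",
    "192.168.7.20": "10.5.10.13",
    "192.168.7.21": "10.5.10.14",
    "192.168.7.22": "10.5.10.15",
}
DST_UNTRANSLATE = {v: k for k, v in DST_STATICS.items()}


def _shift(addr, from_net, to_net):
    """Per-host static: same host offset in the other /28; none for .0/.15."""
    addr = ipaddress.ip_address(addr)
    if addr not in from_net:
        return None
    offset = int(addr) - int(from_net.network_address)
    if offset in (0, 15):          # network/broadcast carry no static
        return None
    return str(to_net.network_address + offset)


def outbound(src, dst):
    """Inside -> tunnel: returns (src, dst) as the peer sees them, or None
    when no static applies (the packet would never match the crypto ACL)."""
    nat_src = _shift(src, LOCAL_REAL, LOCAL_NAT)
    if nat_src is None or dst not in DST_STATICS:
        return None
    return nat_src, DST_STATICS[dst]


def inbound(src, dst):
    """Tunnel -> inside: undo both translations on the return packet."""
    real_dst = _shift(dst, LOCAL_NAT, LOCAL_REAL)
    if real_dst is None or src not in DST_UNTRANSLATE:
        return None
    return DST_UNTRANSLATE[src], real_dst


def interesting(src, dst):
    """Crypto ACL match on post-NAT addresses: 10.250.192.192/28 -> peer hosts."""
    return ipaddress.ip_address(src) in LOCAL_NAT and dst in DST_UNTRANSLATE
```

Running outbound("172.30.30.81", "192.168.7.10") yields ("10.250.192.193", "10.5.10.11"), the pair the peer expects, while the same client addressing 10.5.10.11 directly yields None.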
