Cisco Support Community

How to Setup Policy-Based NAT for Partner S2S VPN

Hello,

I have been asked to set up an IPSec site-to-site VPN with a company partner.  They require that we NAT our internal hosts to a different network before sending across the tunnel.  These same internal hosts need regular Internet access.  I only want to NAT to a global address if the destination matches certain hosts or subnets.  Otherwise, the address should be sent to regular outbound NAT overload.

I have the following networks needing "conditional" NAT:

172.16.4.0/24
172.16.7.0/24

Remote networks on the partner side are:

10.0.60.0/24
10.0.72.0/24

They've asked that we NAT our hosts to 10.29.96.x.  They will then apply inbound filtering on 10.29.96.x.

Can anybody provide me with the needed access list(s) and NAT statement(s) for my side?

This is a Cisco ASA 5520 to Cisco ASA 5520 IPSec tunnel...

Thanks to everyone in advance!!

Ben Warner

Accepted Solution

Ben,

Here's how I would go about it.  For argument's sake, let's say the partner is called Acme.

object-group network ACME-REMOTE
 network-object 10.0.60.0 255.255.255.0
 network-object 10.0.72.0 255.255.255.0

object-group network ACME-LOCAL
 network-object 172.16.4.0 255.255.255.0
 network-object 172.16.7.0 255.255.255.0

access-list ACME-L2L-PNAT permit ip object-group ACME-LOCAL object-group ACME-REMOTE

nat (inside) 50 access-list ACME-L2L-PNAT
global (outside) 50 10.29.96.1

This configuration will translate the traffic coming from your two internal subnets to 10.29.96.1 only when going to their two subnets.

Matt

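To show what the accepted configuration does on sample flows, here is an added Python model (not ASA code and not from the thread) that applies the ACME-L2L-PNAT match together with the pre-8.3 ASA rule that a policy NAT entry (nat id access-list) is evaluated before regular dynamic NAT, whatever its numeric ID. The outside PAT address 203.0.113.1 and the test flows are assumptions.

```python
import ipaddress

# Object groups from the accepted answer (constructed model of the ASA config).
ACME_REMOTE = [ipaddress.ip_network(n) for n in ("10.0.60.0/24", "10.0.72.0/24")]
ACME_LOCAL = [ipaddress.ip_network(n) for n in ("172.16.4.0/24", "172.16.7.0/24")]

# 'global (outside) 50 10.29.96.1' from the thread.
POLICY_PAT = "10.29.96.1"
# Assumption: the regular outbound overload uses the outside interface address;
# the thread never states that address, so a documentation range is used here.
OUTSIDE_PAT = "203.0.113.1"


def in_group(addr, group):
    """True if addr falls inside any network-object of the object-group."""
    return any(addr in net for net in group)


def acl_acme_l2l_pnat(src, dst):
    """Models: access-list ACME-L2L-PNAT permit ip object-group ACME-LOCAL
    object-group ACME-REMOTE (a match needs BOTH source and destination)."""
    return in_group(src, ACME_LOCAL) and in_group(dst, ACME_REMOTE)


def translate_source(src_str, dst_str):
    """Return (translated source, rule) for a flow from inside to outside.

    Pre-8.3 ASA order of operations: dynamic policy NAT (nat id access-list)
    is checked before regular dynamic NAT, so the destination decides which
    PAT address the internal host appears as."""
    src = ipaddress.ip_address(src_str)
    dst = ipaddress.ip_address(dst_str)
    if acl_acme_l2l_pnat(src, dst):
        return POLICY_PAT, "policy NAT 50 (ACME-L2L-PNAT)"
    return OUTSIDE_PAT, "regular overload"


if __name__ == "__main__":
    # Constructed sample flows: partner-bound, Internet-bound, and a subnet
    # that is not in ACME-LOCAL (so it gets no policy translation).
    for src, dst in [("172.16.4.10", "10.0.60.5"),
                     ("172.16.4.10", "198.51.100.7"),
                     ("172.16.5.10", "10.0.60.5")]:
        xlate, rule = translate_source(src, dst)
        print(f"{src} -> {dst}: source seen as {xlate} via {rule}")
```

Because the ASA translates before it encrypts, the tunnel's crypto ACL (not shown in the thread) must match the translated source 10.29.96.1 to the ACME-REMOTE networks, not the original 172.16.x addresses.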
2 REPLIES

Thanks Matt!!

Ben Warner
