Cisco Support Community
New Member

NAT Help

Hi –

I just wanted to verify my config and make sure I’m doing this correctly.

I’m setting up a new ASA VPN firewall for all our vendor site-to-site connections. I don’t want to expose my inside subnets to the vendors so I was going to carve out subnets from a 10.3.0.0/16 space to NAT the traffic.

Example:

-------------------------------

Vendor X subnet

object network VEND_X_VPN
 subnet 192.168.1.0 255.255.255.0

My internal subnet for vendor X to connect to:

object network MY_VPN
 subnet 10.1.60.0 255.255.255.0

object network VEND_NAT
 subnet 10.3.1.0 255.255.255.0

NAT statement – this would be applied on my firewall, so I’m assuming the vendor will put the NAT’d address (10.3.1.0/24) in his crypto map to connect to.

nat (inside,outside) source dynamic MY_VPN VEND_NAT destination static VEND_X_VPN VEND_X_VPN

-------------------------------

Does this look right?

Thanks

Mike

1 ACCEPTED SOLUTION

Accepted Solutions
Silver

NAT Help

On your local VPN match address ACL you need to put the 10.3.1.0/24

Value our effort and rate the assistance!
5 REPLIES
Silver

NAT Help

Just change it to source static:

nat (inside,outside) source static MY_VPN VEND_NAT destination static VEND_X_VPN VEND_X_VPN

The VPN portion is correct.

Value our effort and rate the assistance!
Silver

NAT Help

If you have any doubts please let me know.

Please mark as answered and rate the assistance.

Value our effort and rate the assistance!
New Member

NAT Help

Thanks Jumora!

So basically my crypto map ACL will look like:

ACL crypto 1 permit my_vpn vend_nat

So I didn’t need to reference the vendor’s 192 subnet because the inside interface is doing the NATing, correct?

Regards,

Mike

Silver

NAT Help

Ok wait, from what I understood, what you were doing was NATing your local network so that the remote VPN network would not know your real network 10.1.60.0/24, so you were going to translate it to 10.3.1.0/24 when going to 192.168.1.0/24. If this was the case, the NAT rule that I am going to place under this conversation is correct:

nat (inside,outside) source static MY_VPN VEND_NAT destination static VEND_X_VPN VEND_X_VPN

Then what you need to add on the match address ACL would be something like this:

access-list VPN permit ip 10.3.1.0 255.255.255.0 192.168.1.0 255.255.255.0

That is what I was saying.


Value our effort and rate the assistance!
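Added here as an illustration, not code from the thread or from Cisco: a small Python checker that parses the object and NAT lines discussed above and verifies that the crypto map's match-address ACL references the translated 10.3.1.0/24 rather than the real 10.1.60.0/24, and flags a one-way "source dynamic" rule. The config text and the two ACL lines are constructed from the values in the thread.

```python
import re
from ipaddress import IPv4Network

# Constructed ASA fragment from the thread: MY_VPN is presented as VEND_NAT
# when talking to the vendor's VEND_X_VPN (twice NAT on the ASA).
ASA_CONFIG = """
object network VEND_X_VPN
 subnet 192.168.1.0 255.255.255.0
object network MY_VPN
 subnet 10.1.60.0 255.255.255.0
object network VEND_NAT
 subnet 10.3.1.0 255.255.255.0
nat (inside,outside) source static MY_VPN VEND_NAT destination static VEND_X_VPN VEND_X_VPN
"""
# Constructed crypto ACLs: the first exposes the real subnet, the second is right.
WRONG_ACL = "access-list VPN extended permit ip 10.1.60.0 255.255.255.0 192.168.1.0 255.255.255.0"
RIGHT_ACL = "access-list VPN extended permit ip 10.3.1.0 255.255.255.0 192.168.1.0 255.255.255.0"

OBJ_RE = re.compile(r"^object network (\S+)$")
SUBNET_RE = re.compile(r"^\s+subnet (\S+) (\S+)$")
NAT_RE = re.compile(r"^nat \(\S+,\S+\) source (static|dynamic) (\S+) (\S+) destination static (\S+) \S+$")
ACL_RE = re.compile(r"^access-list \S+ extended permit ip (\S+) (\S+) (\S+) (\S+)$")

def parse_objects(config):
    """Map 'object network' names to IPv4Network from their 'subnet' lines."""
    objects, current = {}, None
    for line in config.splitlines():
        if m := OBJ_RE.match(line):
            current = m.group(1)
        elif (m := SUBNET_RE.match(line)) and current:
            objects[current] = IPv4Network(f"{m.group(1)}/{m.group(2)}")
    return objects

def check_crypto_acl(config, acl_text):
    """Return findings (empty list = crypto ACL agrees with the VPN NAT rule)."""
    objects = parse_objects(config)
    aces = [(IPv4Network(f"{m.group(1)}/{m.group(2)}"), IPv4Network(f"{m.group(3)}/{m.group(4)}"))
            for m in map(ACL_RE.match, acl_text.splitlines()) if m]
    findings = []
    for m in filter(None, map(NAT_RE.match, config.splitlines())):
        mode, real, mapped, dst = m.group(1), objects[m.group(2)], objects[m.group(3)], objects[m.group(4)]
        if mode == "dynamic":  # one-way PAT: vendor-initiated traffic to the mapped range fails
            findings.append(f"NAT for {real} is 'source dynamic'; use 'source static' for the VPN")
        if (mapped, dst) not in aces:
            findings.append(f"crypto ACL lacks permit {mapped} -> {dst} (the translated source)")
        if (real, dst) in aces:
            findings.append(f"crypto ACL exposes real subnet {real} -> {dst}; use {mapped} instead")
    return findings
```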