Cisco Support Community
Policy NAT for AH/ESP and tcp

Hello all,

Is it possible to policy NAT AH/ESP and TCP on the same single IP address (two different protocol types)?

Objective = pass an IPSEC VPN through (not terminate) an ASA 5500 and share that public IP with another circuit.

i.e.

static (inside,outside) tcp 1.2.3.4 25 172.20.1.1 8080 netmask 255.255.255.255
!NAT anything arriving on my public 1.2.3.4 with dst port 25 to 172.20.1.1 port 8080 inside my LAN
!
static (inside,outside) AH 1.2.3.4 172.20.1.2 AH netmask 255.255.255.255
static (inside,outside) ESP 1.2.3.4 172.20.1.2 ESP netmask 255.255.255.255
static (inside,outside) udp 1.2.3.4 500 172.20.1.2 500 netmask 255.255.255.255
static (inside,outside) udp 1.2.3.4 4500 172.20.1.2 4500 netmask 255.255.255.255
!Pass an IPSEC tunnel through firewall to termination point 172.20.1.2 = 1.2.3.4 can be used for two circuits.

Thank you in advance.

7 REPLIES

Policy NAT for AH/ESP and tcp

I.e. I want to use one of my public-facing IP addresses to accept two circuits for static NAT:

1: To NAT an IPSEC circuit to an IPSEC termination device on my private LAN (AH, ESP, UDP 500 and UDP 4500).

2: To NAT a TCP circuit to a different device on my private network.

Or:

Can the ASA 5500 policy NAT the above on one IP address on my outside interface to two inside devices (TCP traffic to device A and IPSEC traffic to device B)?

Policy NAT for AH/ESP and tcp

I suggest you use access-list based policy NAT to achieve your 1st query. Please clarify if your requirement is something else.


Policy NAT for AH/ESP and tcp

I want to use 1 public IP address NATted to 2 internal private IP addresses.

1: NAT an IPSEC circuit terminating on 172.20.1.2 that appears as 1.2.3.4 on the Internet.

2: NAT a TCP circuit to 172.20.1.1 8080 for traffic arriving on 1.2.3.4 on port 25.

!Like this??
access-list policyNAT-share extended permit AH host 172.20.1.2 host 1.2.3.4
access-list policyNAT-share extended permit ESP host 172.20.1.2 host 1.2.3.4
access-list policyNAT-share extended permit UDP host 172.20.1.2 eq 500 host 1.2.3.4 eq 500
access-list policyNAT-share extended permit UDP host 172.20.1.2 eq 4500 host 1.2.3.4 eq 4500
!And the other circuit
access-list policyNAT-share extended permit tcp host 172.20.1.1 eq 8080 host 1.2.3.4 eq 25
!
static (inside,outside) 1.2.3.4 access-list policyNAT-share

Policy NAT for AH/ESP and tcp

Hi,

Yes, you can have the ACL like that; I suggest you go for PAT.

nat (inside) 1 access-list policyNAT-share
global (outside) 1 1.2.3.4

So all the traffic that matches the ACL rule will get translated accordingly.

Configure it like the above and it should work then. Please try that and let me know if it works or not.

Please do rating if the given info helps you.

By

Karthik


Policy NAT for AH/ESP and tcp

!I have used global (outside) 1 and 2 already. This is what I was thinking.
!
access-list policyNAT-share extended permit AH host 172.20.1.2 host 1.2.3.4
access-list policyNAT-share extended permit ESP host 172.20.1.2 host 1.2.3.4
access-list policyNAT-share extended permit UDP host 172.20.1.2 eq 500 host 1.2.3.4 eq 500
access-list policyNAT-share extended permit UDP host 172.20.1.2 eq 4500 host 1.2.3.4 eq 4500
!And the other circuit
access-list policyNAT-share extended permit tcp host 172.20.1.1 eq 8080 host 1.2.3.4 eq 25
!
nat (inside) 3 access-list policyNAT-share
!
global (outside) 3 1.2.3.4 netmask 255.255.255.255
!
!??????

Policy NAT for AH/ESP and tcp

Yes... you can use any number, subject to your present configuration.

Please do rating if the given info helps.

By

Karthik
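As an added sanity check (my own script, not from the thread or from Cisco), this Python snippet parses access-list, nat and global lines in exactly the shape posted above and verifies two things the exchange hinges on: that the nat ID chosen has a matching global on the outside interface, and that the ACL still carries all four IPsec pass-through entries (AH, ESP, UDP 500, UDP 4500) for the termination host. The parser is a simplified assumption that handles only these three command forms; the sample config is constructed from the last post.

```python
# Added check, not from the thread: parse the nat/global/ACL lines used above.
import re
from collections import defaultdict

# Constructed sample: the ACL plus nat/global pair from the last config post.
SAMPLE_CONFIG = """
access-list policyNAT-share extended permit AH host 172.20.1.2 host 1.2.3.4
access-list policyNAT-share extended permit ESP host 172.20.1.2 host 1.2.3.4
access-list policyNAT-share extended permit UDP host 172.20.1.2 eq 500  host 1.2.3.4 eq 500
access-list policyNAT-share extended permit UDP host 172.20.1.2 eq 4500 host 1.2.3.4 eq 4500
access-list policyNAT-share extended permit tcp host 172.20.1.1 eq 8080 host 1.2.3.4 eq 25
nat (inside) 3 access-list policyNAT-share
global (outside) 3 1.2.3.4 netmask 255.255.255.255
"""

# Simplified parsers (assumption): only the three command shapes seen in the thread.
ACL_RE = re.compile(r"^access-list\s+(\S+)\s+extended\s+permit\s+(\S+)\s+host\s+(\S+)"
                    r"(?:\s+eq\s+(\d+))?\s+host\s+(\S+)(?:\s+eq\s+(\d+))?")
NAT_RE = re.compile(r"^nat\s+\((\S+)\)\s+(\d+)\s+access-list\s+(\S+)")
GLOBAL_RE = re.compile(r"^global\s+\((\S+)\)\s+(\d+)\s+(\S+)")

# What an IPsec pass-through to the termination host needs: (protocol, source port)
IPSEC_PASSTHROUGH = {("ah", None), ("esp", None), ("udp", "500"), ("udp", "4500")}

def parse(config):
    # ACL entries by name, nat statements, and globals keyed by (interface, id)
    acls, nats, globals_ = defaultdict(list), [], {}
    for line in config.splitlines():
        line = line.strip()
        if m := ACL_RE.match(line):
            name, proto, src, sport, dst, dport = m.groups()
            acls[name].append((proto.lower(), src, sport, dst, dport))
        elif m := NAT_RE.match(line):
            nats.append((m[1], int(m[2]), m[3]))
        elif m := GLOBAL_RE.match(line):
            globals_[(m[1], int(m[2]))] = m[3]
    return acls, nats, globals_

def check(config, ipsec_host):
    # Returns a list of findings; an empty list means the sketch is internally consistent.
    acls, nats, globals_ = parse(config)
    findings = []
    for _iface, nat_id, acl in nats:
        if acl not in acls:
            findings.append(f"nat id {nat_id} references undefined ACL {acl}")
            continue
        if not any(g_id == nat_id for (_, g_id) in globals_):
            findings.append(f"nat id {nat_id} has no matching global")
        covered = {(p, sp) for p, src, sp, _, _ in acls[acl] if src == ipsec_host}
        missing = sorted(f"{p}/{sp or '-'}" for p, sp in IPSEC_PASSTHROUGH - covered)
        if missing:
            findings.append(f"{acl} lacks IPsec entries for {ipsec_host}: {', '.join(missing)}")
    return findings
```

Run `check(SAMPLE_CONFIG, "172.20.1.2")` on the posted config; it returns an empty list, and changing the global ID or dropping the ESP line makes the corresponding finding appear.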

Policy NAT for AH/ESP and tcp

Thanks, Gera, for your rating. I assume that works for you.

Regards

Karthik
