Policy-Nat for VPN L2L (ASA 5510)

jventura
Level 1

Hello, I am having some issues with adding a policy-nat for an L2L VPN in order to NAT all the private addresses sent across the tunnel to a single address (9.43.121.7).

When I try to add the statement:

static (inside,outside) 9.43.131.7 access-list vpn-policy-nat

I get the error:

"ERROR: access-list used in static has different local addresses"

I do want address 11.0.10.150 to be sent across as the real address, and that is working.

Relevant config below:

access-list vpn_map extended permit ip host 9.43.131.7 host 104.9.57.148
access-list vpn_map extended permit ip host 11.0.10.150 host 104.9.57.179

access-list inside_nat0_outbound extended permit ip host 11.0.10.150 host 104.9.57.179
access-list vpn-policy-nat extended permit ip host 11.0.0.30 host 104.9.57.148
access-list vpn-policy-nat extended permit ip host 11.0.0.10 host 104.9.57.148
access-list vpn-policy-nat extended permit ip host 11.0.0.11 host 104.9.57.148
access-list vpn-policy-nat extended permit ip host 11.0.0.12 host 104.9.57.148
access-list vpn-policy-nat extended permit ip host 11.0.0.13 host 104.9.57.148
access-list vpn-policy-nat extended permit ip host 11.0.0.14 host 104.9.57.148
access-list vpn-policy-nat extended permit ip host 11.0.0.21 host 104.9.57.148
access-list vpn-policy-nat extended permit ip host 11.0.0.23 host 104.9.57.148
access-list vpn-policy-nat extended permit ip host 11.0.0.94 host 104.9.57.148
access-list vpn-policy-nat extended permit ip host 11.0.5.100 host 104.9.57.148

global (outside) 1 interface

nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 138.1.0.0 255.255.0.0
nat (inside) 1 11.0.0.0 255.0.0.0

crypto map vpn_map 10 match address vpn_map

Any ideas would be greatly appreciated. I am running version 7.2.5 on the ASA 5510.

Thanks

2 Replies

Hello,

You are actually doing PAT for the VPN; that's not going to work. What is the firewall going to do when it receives a packet destined to 9.43.131.7?

You have several IP sources in the ACL:

access-list vpn-policy-nat extended permit ip host 11.0.0.30 host 104.9.57.148
access-list vpn-policy-nat extended permit ip host 11.0.0.10 host 104.9.57.148
access-list vpn-policy-nat extended permit ip host 11.0.0.11 host 104.9.57.148
access-list vpn-policy-nat extended permit ip host 11.0.0.12 host 104.9.57.148
access-list vpn-policy-nat extended permit ip host 11.0.0.13 host 104.9.57.148
access-list vpn-policy-nat extended permit ip host 11.0.0.14 host 104.9.57.148
access-list vpn-policy-nat extended permit ip host 11.0.0.21 host 104.9.57.148
access-list vpn-policy-nat extended permit ip host 11.0.0.23 host 104.9.57.148
access-list vpn-policy-nat extended permit ip host 11.0.0.94 host 104.9.57.148
access-list vpn-policy-nat extended permit ip host 11.0.5.100 host 104.9.57.148

There is a configuration example right here:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00808c9950.shtml

Check the difference with your config:

access-list policy-nat extended permit ip 192.168.1.0 255.255.255.0 10.1.0.0 255.255.255.0

static (inside,outside) 172.18.1.0  access-list policy-nat

In this example we are matching a 24-bit network going to a 24-bit network; it will be NATted to a 24-bit network as well, 172.18.1.0.

Hope It helps.

Thanks for the reply,

I figured it out.

Added:

nat (inside) 11 access-list vpn-policy-nat

global (outside) 11 9.43.131.7

instead of the static (inside,outside), and it works. I only needed the VPN to go one way (outbound).

Thank you very much!
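The two replies above boil down to one rule of the ASA 7.x NAT model: a static policy NAT is a bidirectional, one-to-one mapping, so every entry in its access-list must share a single real (local) source, which is why the original ACL with ten different hosts was refused, while the 24-bit-to-24-bit mapping in the cited Cisco example is accepted; a dynamic policy NAT (nat ... access-list with a matching global) only translates outbound, so many real sources may share one global address. The following is an added example, not code from the thread or from Cisco: a small Python checker that parses the three kinds of statements discussed here and reports the same inconsistency the ASA reported. The parser, the result format and the sample configs are constructed for this example; the sample addresses are taken from the thread.

```python
"""Added example (not from the thread or Cisco): a checker for ASA 7.x
policy-NAT statements that reproduces the rule behind the error in this thread.

Rule modelled: `static (in,out) MAPPED access-list ACL` is a bidirectional 1:1
mapping, so every ACE in ACL must share a single real (local) source network,
otherwise the ASA rejects it ("access-list used in static has different local
addresses").  `nat (in) ID access-list ACL` paired with `global (out) ID ADDR`
is outbound-only dynamic policy NAT/PAT and may carry many real sources.
The sample configs at the bottom are constructed from the thread's addresses.
"""
import ipaddress


def _parse_addr(tokens, i):
    """Consume one ASA address spec at tokens[i]: 'host A', 'any', or 'NET MASK'."""
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1]), i + 2
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse_config(text):
    """Collect extended ip ACEs, static/nat statements that use an ACL, and globals."""
    acls, statics, nats, globals_ = {}, [], [], {}
    for line in text.splitlines():
        t = line.split()
        if not t:
            continue
        if t[0] == "access-list" and t[2:5] == ["extended", "permit", "ip"]:
            src, i = _parse_addr(t, 5)
            dst, _ = _parse_addr(t, i)
            acls.setdefault(t[1], []).append((src, dst))
        elif t[0] == "static" and len(t) >= 5 and t[3] == "access-list":
            statics.append({"mapped": t[2], "acl": t[4]})
        elif t[0] == "nat" and len(t) >= 5 and t[3] == "access-list":
            nats.append({"id": t[2], "acl": t[4]})
        elif t[0] == "global" and len(t) >= 4:
            globals_.setdefault(t[2], []).append(t[3])  # keyed by NAT id
    return acls, statics, nats, globals_


def check_policy_nat(text):
    """Return {'errors': [...], 'mappings': [...]} for the NAT statements in text."""
    acls, statics, nats, globals_ = parse_config(text)
    errors, mappings = [], []
    for s in statics:
        reals = {src for src, _ in acls.get(s["acl"], [])}
        if not reals:
            errors.append(f"static: ACL {s['acl']} is missing or empty")
        elif len(reals) > 1:
            # Exactly the condition the ASA refused in the thread.
            errors.append(
                f"static: ACL {s['acl']} has {len(reals)} different local addresses; "
                "static is 1:1 and bidirectional, so all ACEs need one real source"
            )
        else:
            # One real network maps 1:1 onto a mapped block of the same size.
            real = next(iter(reals))
            mapped = ipaddress.ip_network(f"{s['mapped']}/{real.prefixlen}", strict=False)
            mappings.append(("static", str(real), str(mapped)))
    for n in nats:
        reals = {src for src, _ in acls.get(n["acl"], [])}
        pool = globals_.get(n["id"])
        if not pool:
            errors.append(f"nat id {n['id']}: no matching 'global' statement")
        elif not reals:
            errors.append(f"nat: ACL {n['acl']} is missing or empty")
        else:
            # Many real sources share the global address: outbound-only PAT.
            mappings.append(("dynamic", f"{len(reals)} sources", pool[0]))
    return {"errors": errors, "mappings": mappings}


# Constructed sample 1: the rejected static form from the original post (3 of its 10 hosts).
OP_CONFIG = """
access-list vpn-policy-nat extended permit ip host 11.0.0.30 host 104.9.57.148
access-list vpn-policy-nat extended permit ip host 11.0.0.10 host 104.9.57.148
access-list vpn-policy-nat extended permit ip host 11.0.5.100 host 104.9.57.148
static (inside,outside) 9.43.131.7 access-list vpn-policy-nat
"""
# Constructed sample 2: the working dynamic form from the last reply.
FIXED_CONFIG = """
access-list vpn-policy-nat extended permit ip host 11.0.0.30 host 104.9.57.148
access-list vpn-policy-nat extended permit ip host 11.0.0.10 host 104.9.57.148
access-list vpn-policy-nat extended permit ip host 11.0.5.100 host 104.9.57.148
nat (inside) 11 access-list vpn-policy-nat
global (outside) 11 9.43.131.7
"""
# Constructed sample 3: the 24-bit-to-24-bit static quoted from the Cisco example.
CISCO_STYLE = """
access-list policy-nat extended permit ip 192.168.1.0 255.255.255.0 10.1.0.0 255.255.255.0
static (inside,outside) 172.18.1.0 access-list policy-nat
"""

if __name__ == "__main__":
    for name, cfg in [("static/PAT", OP_CONFIG), ("dynamic", FIXED_CONFIG), ("cisco", CISCO_STYLE)]:
        print(name, check_policy_nat(cfg))
```

Running the script prints one error for the first sample (several local addresses behind a static), a single dynamic mapping of three sources onto 9.43.131.7 for the second, and a static 192.168.1.0/24 to 172.18.1.0/24 mapping for the third. The checker only understands the three statement forms the thread uses; on a full ASA config it ignores everything else, which is the right failure mode for a pre-change lint but means a "no errors" result is not a full validation.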
