08-26-2010 11:52 AM - edited 03-11-2019 11:31 AM
Hello, I am having some issues with adding a policy NAT for an L2L VPN in order to NAT all the private addresses sent across the tunnel to a single address (9.43.121.7).
When I try to add the statement:
static (inside,outside) 9.43.131.7 access-list vpn-policy-nat
I get the error:
"ERROR: access-list used in static has different local addresses"
I do want address 11.0.10.150 to be sent across as the real address, and that is working.
Relevant config below:
access-list vpn_map extended permit ip host 9.43.131.7 host 104.9.57.148
access-list vpn_map extended permit ip host 11.0.10.150 host 104.9.57.179
access-list inside_nat0_outbound extended permit ip host 11.0.10.150 host 104.9.57.179
access-list vpn-policy-nat extended permit ip host 11.0.0.30 host 104.9.57.148
access-list vpn-policy-nat extended permit ip host 11.0.0.10 host 104.9.57.148
access-list vpn-policy-nat extended permit ip host 11.0.0.11 host 104.9.57.148
access-list vpn-policy-nat extended permit ip host 11.0.0.12 host 104.9.57.148
access-list vpn-policy-nat extended permit ip host 11.0.0.13 host 104.9.57.148
access-list vpn-policy-nat extended permit ip host 11.0.0.14 host 104.9.57.148
access-list vpn-policy-nat extended permit ip host 11.0.0.21 host 104.9.57.148
access-list vpn-policy-nat extended permit ip host 11.0.0.23 host 104.9.57.148
access-list vpn-policy-nat extended permit ip host 11.0.0.94 host 104.9.57.148
access-list vpn-policy-nat extended permit ip host 11.0.5.100 host 104.9.57.148
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 138.1.0.0 255.255.0.0
nat (inside) 1 11.0.0.0 255.0.0.0
crypto map vpn_map 10 match address vpn_map
Any ideas would be greatly appreciated. I am running version 7.2.5 on an ASA 5510.
Thanks
08-26-2010 12:24 PM
Hello,
You are actually doing PAT for the VPN; that's not going to work. What is the firewall going to do when it receives a packet destined to 9.43.131.7?
You have several IP sources in the ACL
access-list vpn-policy-nat extended permit ip host 11.0.0.30 host 104.9.57.148
access-list vpn-policy-nat extended permit ip host 11.0.0.10 host 104.9.57.148
access-list vpn-policy-nat extended permit ip host 11.0.0.11 host 104.9.57.148
access-list vpn-policy-nat extended permit ip host 11.0.0.12 host 104.9.57.148
access-list vpn-policy-nat extended permit ip host 11.0.0.13 host 104.9.57.148
access-list vpn-policy-nat extended permit ip host 11.0.0.14 host 104.9.57.148
access-list vpn-policy-nat extended permit ip host 11.0.0.21 host 104.9.57.148
access-list vpn-policy-nat extended permit ip host 11.0.0.23 host 104.9.57.148
access-list vpn-policy-nat extended permit ip host 11.0.0.94 host 104.9.57.148
access-list vpn-policy-nat extended permit ip host 11.0.5.100 host 104.9.57.148
There is a configuration example right here:
Check the difference with your config:
access-list policy-nat extended permit ip 192.168.1.0 255.255.255.0 10.1.0.0 255.255.255.0
In this example we are matching a /24 network going to a /24 network; it will be NATted to a /24 network as well, 172.18.1.0.
Hope It helps.
08-26-2010 01:20 PM
Thanks for the reply,
I figured it out.
Added:
nat (inside) 11 access-list vpn-policy-nat
global (outside) 11 9.43.131.7
instead of the static (inside,outside) and it works. I only needed the vpn to go one way (outbound).
Thank you very much!
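The two posts above describe the rule behind the error (a `static ... access-list` policy NAT is one-to-one, so every ACE must name the same real address) and the fix (a `nat`/`global` pair for many-to-one policy PAT, outbound only). The following is an added example, not code from the thread or from Cisco: a small Python linter that parses pre-8.3 ASA `access-list ... extended permit ip` lines, applies that rule, emits the matching NAT statements, and checks that the crypto-map ACL matches the post-NAT (mapped) source, since NAT happens before IPsec on the ASA. The sample config is constructed from the ACLs posted in the thread (stray `at` token removed) plus the /24 example from the reply; the function names, the NAT id and the `inside`/`outside` interface names are assumptions for illustration.

```python
"""Lint a pre-8.3 ASA policy-NAT ACL against the rule behind
"ERROR: access-list used in static has different local addresses" and check the
crypto-map ACL against the mapped address. Added example, not Cisco code."""
import ipaddress
import re
from collections import defaultdict

IPv4Net = ipaddress.IPv4Network
Entry = tuple[IPv4Net, IPv4Net]  # (real/source network, destination network)

# Constructed sample input: the ACLs posted in the thread plus the reply's
# one-to-one /24 example ("policy-nat").
SAMPLE_CONFIG = """
access-list vpn_map extended permit ip host 9.43.131.7 host 104.9.57.148
access-list vpn_map extended permit ip host 11.0.10.150 host 104.9.57.179
access-list inside_nat0_outbound extended permit ip host 11.0.10.150 host 104.9.57.179
access-list vpn-policy-nat extended permit ip host 11.0.0.30 host 104.9.57.148
access-list vpn-policy-nat extended permit ip host 11.0.0.10 host 104.9.57.148
access-list vpn-policy-nat extended permit ip host 11.0.0.11 host 104.9.57.148
access-list vpn-policy-nat extended permit ip host 11.0.5.100 host 104.9.57.148
access-list policy-nat extended permit ip 192.168.1.0 255.255.255.0 10.1.0.0 255.255.255.0
"""

# Only the "extended permit ip <src> <dst>" shape used in the thread is handled.
ACE_RE = re.compile(
    r"^access-list\s+(?P<name>\S+)\s+extended\s+permit\s+ip\s+"
    r"(?P<src>host\s+\S+|\S+\s+\S+)\s+(?P<dst>host\s+\S+|\S+\s+\S+)$"
)


def parse_addr(tok: str) -> IPv4Net:
    """'host A.B.C.D' -> /32; 'A.B.C.D M.M.M.M' -> network with that mask."""
    parts = tok.split()
    if parts[0] == "host":
        return ipaddress.ip_network(parts[1])
    return ipaddress.ip_network(f"{parts[0]}/{parts[1]}", strict=False)


def parse_acls(text: str) -> dict[str, list[Entry]]:
    """Group ACEs by access-list name, in configured order."""
    acls: dict[str, list[Entry]] = defaultdict(list)
    for raw in text.splitlines():
        line = " ".join(raw.split())
        if not line:
            continue
        m = ACE_RE.match(line)
        if not m:
            raise ValueError(f"unparsed ACE: {line!r}")
        acls[m["name"]].append((parse_addr(m["src"]), parse_addr(m["dst"])))
    return dict(acls)


def static_policy_nat_ok(entries: list[Entry]) -> tuple[bool, str]:
    """`static (in,out) MAPPED access-list ACL` is a one-to-one translation: the
    ASA needs every ACE to name the same real (local) source, and the mapped
    block takes that source's mask. Several different sources describe a
    many-to-one (PAT) translation, which static cannot express."""
    sources = {src for src, _ in entries}
    if len(sources) == 1:
        return True, f"single real source {next(iter(sources))}"
    return False, ("ERROR: access-list used in static has different local addresses: "
                   + ", ".join(str(s) for s in sorted(sources)))


def suggest_nat(acl_name: str, entries: list[Entry], mapped: str, nat_id: int,
                inside: str = "inside", outside: str = "outside") -> list[str]:
    """Return the NAT statements that fit the ACL: static when it is one-to-one,
    otherwise dynamic policy NAT/PAT (nat/global pair). Dynamic policy PAT only
    translates connections initiated from the inside, as the final post notes."""
    ok, _ = static_policy_nat_ok(entries)
    if ok:
        return [f"static ({inside},{outside}) {mapped} access-list {acl_name}"]
    return [f"nat ({inside}) {nat_id} access-list {acl_name}",
            f"global ({outside}) {nat_id} {mapped}"]


def crypto_acl_gaps(crypto: list[Entry], nat: list[Entry], mapped: str) -> list[str]:
    """NAT runs before IPsec on the ASA, so the crypto-map ACL must match the
    MAPPED source, not the real hosts. Report every policy-NAT destination for
    which the crypto ACL has no entry covering 'mapped -> dst'."""
    mapped_net = ipaddress.ip_network(mapped)
    gaps = set()
    for _, dst in nat:
        if not any(mapped_net.subnet_of(csrc) and dst.subnet_of(cdst)
                   for csrc, cdst in crypto):
            gaps.add(f"crypto ACL lacks: permit ip {mapped_net} -> {dst}")
    return sorted(gaps)


if __name__ == "__main__":
    acls = parse_acls(SAMPLE_CONFIG)
    for name, mapped, nat_id in (("vpn-policy-nat", "9.43.131.7", 11),
                                 ("policy-nat", "172.18.1.0", 10)):
        print(name, "->", static_policy_nat_ok(acls[name])[1])
        print("\n".join(suggest_nat(name, acls[name], mapped, nat_id)))
    print(crypto_acl_gaps(acls["vpn_map"], acls["vpn-policy-nat"], "9.43.131.7"))
```

Run against the sample, the thread's ACL fails the static check and gets the `nat (inside) 11` / `global (outside) 11 9.43.131.7` pair, the reply's /24 example passes and gets a `static` line, and the crypto-map check reports nothing because `vpn_map` already permits `host 9.43.131.7` to `host 104.9.57.148`. Swapping the mapped address for one the crypto ACL does not list shows the kind of mismatch that makes a policy-PAT tunnel silently fail to match interesting traffic.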