Cisco Support Community
Community Member

Policy nat with site to site vpn on firewall

Site 1: 10.1.1.0/24 LAN range.

Site 2: 20.1.1.0/24 LAN range.

Since the site 1 range is already in use at the far end, policy NAT is used as below.

On site 1:

access-list test 10.1.1.0 255.255.255.0 20.1.1.0 255.255.255.0

nat(inside) 10 access-list test

global(outside) 10 1.1.1.1

access-list crypto_map 1.1.1.0 255.255.255.0 20.1.1.0 255.255.255.0

Is this correct?

access_list nonat 10.1.1.0 255.255.255.0 20.1.1.0 255.255.255.0

(Does the 10 range or the 1 range need to be specified here?)

Is the policy NAT config correct?

Another thing: 1.1.1.0/24 is not assigned to any interface on the firewall.

Please assist.

4 REPLIES
Super Bronze


Hi,

So you want to do dynamic PAT towards the other site?

So the base information is:

  • Site A 10.1.1.0/24
  • Site B 20.1.1.0/24
  • Site A PAT IP 1.1.1.1

When Site A connects to Site B, Site A should be visible to Site B with the IP address 1.1.1.1.

If this is true, then the configuration should be (basically your configuration with some typos corrected):

access-list test permit ip 10.1.1.0 255.255.255.0 20.1.1.0 255.255.255.0

nat (inside) 10 access-list test

global (outside) 10 1.1.1.1

access-list crypto_map permit ip host 1.1.1.1 20.1.1.0 255.255.255.0

or

access-list crypto_map permit ip 1.1.1.0 255.255.255.0 20.1.1.0 255.255.255.0

You don't need any statements in a NONAT/NAT0 ACL, since we specifically WANT to NAT the LAN network instead of doing NAT0.

- Jouni

Community Member


As I am doing PAT, I do not require a NAT 0 statement, right?

What about the following:

1.1.1.0/24 is not assigned to any interface on the firewall, nor on the router.

Will it work?

Super Bronze


Hi,

Since you are using 1.1.1.0/24 only for the L2L VPN connection and NAT purposes, it doesn't have to be configured on any interface or be routed on any upstream router. It's visible to the remote site through the L2L VPN connection.

- Jouni
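Putting the two replies above together (the policy PAT plus crypto ACL, and the point that 1.1.1.0/24 needs no interface or upstream route), the following is a fuller Site A configuration as an added example. It is not the poster's or Jouni's configuration and is not taken from Cisco documentation. It uses the pre-8.3 NAT syntax the thread uses; the crypto map name outside_map, the peer address 203.0.113.2, the transform set, the ISAKMP policy, the Site B ACL names and the host addresses in the verification commands are all assumptions made for illustration.

```cisco
! ===== Site A ASA (pre-8.3 NAT syntax), added example =====
! Assumed: inside = 10.1.1.0/24, outside faces the Internet, remote
! peer 203.0.113.2, crypto map "outside_map". Not the poster's config.

! 1. Policy PAT: only 10.1.1.0/24 -> 20.1.1.0/24 is translated, and it
!    is translated to the single address 1.1.1.1. Other inside traffic
!    is untouched by this rule.
access-list test permit ip 10.1.1.0 255.255.255.0 20.1.1.0 255.255.255.0
nat (inside) 10 access-list test
global (outside) 10 1.1.1.1

! 2. The crypto ACL matches on the TRANSLATED source. The ASA applies
!    NAT before the crypto map on outbound traffic, so the tunnel must
!    select 1.1.1.1 -> 20.1.1.0/24, not 10.1.1.0/24 -> 20.1.1.0/24.
access-list crypto_map permit ip host 1.1.1.1 20.1.1.0 255.255.255.0

! 3. Do NOT put this flow in a NAT-exemption ACL. "nat (inside) 0
!    access-list ..." is evaluated before policy NAT and would send the
!    untranslated 10.1.1.x source into the tunnel, where the crypto ACL
!    would not match it. A nonat ACL for other destinations is fine as
!    long as it does not cover 10.1.1.0/24 -> 20.1.1.0/24.

! 4. Bind the crypto ACL to the L2L crypto map (peer/crypto assumed).
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto map outside_map 10 match address crypto_map
crypto map outside_map 10 set peer 203.0.113.2
crypto map outside_map 10 set transform-set ESP-AES-SHA
crypto map outside_map interface outside
tunnel-group 203.0.113.2 type ipsec-l2l
tunnel-group 203.0.113.2 ipsec-attributes
 pre-shared-key <shared-secret>

! 5. Routing: 1.1.1.0/24 needs no interface and no route anywhere; it
!    only exists inside the tunnel. 20.1.1.0/24 does need to be reached
!    via the outside interface (a default route is enough) so the
!    crypto map on "outside" sees the traffic.
route outside 0.0.0.0 0.0.0.0 203.0.113.1

! ===== Site B ASA (mirror, assumed names) =====
! The crypto ACL must be the exact mirror of Site A's, and Site B's own
! NAT must leave this flow alone, so it is exempted here.
access-list crypto_map_b permit ip 20.1.1.0 255.255.255.0 host 1.1.1.1
access-list nonat_b permit ip 20.1.1.0 255.255.255.0 host 1.1.1.1
nat (inside) 0 access-list nonat_b

! ===== Verification on Site A (assumed test hosts) =====
! Walk a packet through NAT and the crypto map without sending it:
packet-tracer input inside tcp 10.1.1.10 12345 20.1.1.10 80
! After real traffic, expect PAT entries 10.1.1.x -> 1.1.1.1:
show xlate
! Expect local ident 1.1.1.1/255.255.255.255 and remote ident
! 20.1.1.0/255.255.255.0 with encaps/decaps counters increasing:
show crypto ipsec sa peer 203.0.113.2
```

Two caveats that follow from this design. First, dynamic PAT is one-way: hosts at Site B can reach 1.1.1.1 only in reply to connections that Site A started. If Site B must initiate connections to specific Site A hosts, replace the nat/global pair with a static policy NAT (the `static (inside,outside) ... access-list ...` form) so each 10.1.1.x host gets its own 1.1.1.x address, and widen the crypto ACLs on both sides to 1.1.1.0/24. Second, because 1.1.1.0/24 is never routed, a mismatched crypto ACL on either side fails quietly (no SA, or an SA that never carries traffic), so compare the two crypto ACLs as exact mirrors before looking anywhere else.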

Community Member


Thanks, that clears the doubt.

So I can use any IP; it is not mandatory to use a public IP.
