Cisco Support Community
New Member

Policy NAT

Hello folks,

I am new to policy NAT, we have ASA 5505 and I am trying to create a policy NAT to connect my network to another location through the VPN tunnel, I do not have any problem creating the VPN tunnel, the only problem is:

my inside network is 10.0.5.0/24  and my other end is 192.168.181.0 /28

I am trying to connect to 192.168.181.0 /28 by using this subnet 192.168.182.0 /28

I want the other end to see my network as 192.168.182.0 /28

access-list 105 extended permit ip 192.168.182.16 255.255.255.240 192.168.181.16 255.255.255.240
access-list NAT-T extended permit ip host 10.0.5.1 192.168.181.16 255.255.255.240

nat (inside) 15 access-list NAT-T

global (outside) 15 192.168.182.16 netmask 255.255.255.240

then the normal configuration for the VPN tunnel.

Thanks for your help.

2 ACCEPTED SOLUTIONS
Cisco Employee

Re: Policy NAT

Hi,

You'll want to use a policy nat with the 'static' command to achieve this. The mapped subnet needs to be the same size as the original subnet. For example, 10.0.5.0/24 can be mapped to 192.168.182.0/24, but not 192.168.182.0 /28.

Here is the sample config:

access-list policy-nat permit ip 10.0.5.0 255.255.255.0 192.168.181.0 255.255.255.0

static (inside,outside) 192.168.182.0 access-list policy-nat

For a more detailed example, see PIX/ASA 7.x and later: Site to Site (L2L) IPsec VPN with Policy NAT Configuration Example:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00808c9950.shtml
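
As an added illustration of the size constraint described above (not code from the thread or from Cisco), this Python model mimics the net-to-net mapping that `static (inside,outside) <mapped> access-list <acl>` performs and flags the mismatch in the original poster's /24-to-/28 attempt; the subnets are the ones from the question and the function names are my own.

```python
import ipaddress

# Added example, not from the thread: model ASA static policy NAT as a one-to-one
# net-to-net mapping and check the constraint from the accepted answer (the mapped
# subnet must be the same size as the real subnet matched by the ACL).


def check_policy_nat(real_net: str, mapped_net: str, remote_net: str) -> list[str]:
    """Return problems with a static policy-NAT mapping; an empty list means OK."""
    real = ipaddress.ip_network(real_net, strict=False)
    mapped = ipaddress.ip_network(mapped_net, strict=False)
    remote = ipaddress.ip_network(remote_net, strict=False)
    problems = []
    if real.prefixlen != mapped.prefixlen:
        problems.append(
            f"mapped {mapped} is /{mapped.prefixlen} but real {real} is "
            f"/{real.prefixlen}; static policy NAT maps net-to-net, sizes must match")
    if mapped.overlaps(remote):
        problems.append(f"mapped {mapped} overlaps the remote network {remote}")
    if mapped.overlaps(real):
        problems.append(f"mapped {mapped} overlaps the real network {real}")
    return problems


def translate(real_net: str, mapped_net: str, real_ip: str) -> str:
    """Mapped address of one inside host: same host offset under the mapped prefix."""
    real = ipaddress.ip_network(real_net, strict=False)
    mapped = ipaddress.ip_network(mapped_net, strict=False)
    if real.prefixlen != mapped.prefixlen:
        raise ValueError("real and mapped subnets must be the same size")
    host = ipaddress.ip_address(real_ip)
    if host not in real:
        raise ValueError(f"{host} is not in {real}; the policy ACL would not match it")
    offset = int(host) - int(real.network_address)
    return str(ipaddress.ip_address(int(mapped.network_address) + offset))


if __name__ == "__main__":
    # The poster's original attempt: a /24 real network mapped into a /28.
    for p in check_policy_nat("10.0.5.0/24", "192.168.182.0/28", "192.168.181.0/28"):
        print("problem:", p)
    # The accepted answer's fix: a same-sized /24 mapped network.
    print(check_policy_nat("10.0.5.0/24", "192.168.182.0/24", "192.168.181.0/28"))
    print(translate("10.0.5.0/24", "192.168.182.0/24", "10.0.5.1"))
```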

Cisco Employee

Re: Policy NAT

Your config should be something like this


access-list NAT-T extended permit ip 10.0.5.0 255.255.255.0 192.168.181.16 255.255.255.240

nat (inside) 15 access-list NAT-T

global (outside) 15 192.168.182.16 netmask 255.255.255.0


You need to have the available ips to be as many as your internal hosts though in order to be able to translate them all.

I hope it helps.

PK

6 REPLIES

New Member

Re: Policy NAT

Thanks for your response, I am wondering about the same size of subnet, is this a limitation with the ASA or what?

I will try it tomorrow then let you guys know, thanks for the link.


New Member

Re: Policy NAT

Thanks a lot for your response.

Cisco Employee

Re: Policy NAT

Please let us know if it works by marking this as answered so others can benefit from it in the future.

Take care,

PK

New Member

Re: Policy NAT

It's working like a charm, thanks a lot for your answer, I tried both solutions, your method and the other method, both methods are working with /24, I tried /28 but it did not work, Witsang was right about the size of the subnet.

Thanks again.
