NAT Headache - ASA 5505 ver 8.2

Hi All

A client wants to set up a site-to-site VPN with us and they want us to traffic a public IP address through the tunnel. The VPN tunnel is between one of our servers (172.16.46.88) and one of their servers. Our server has already been NATted to a public IP address and clients can browse to it without a VPN (see below).

static (inside,outside) tcp 203.201.183.233 www 172.16.46.88 www netmask 255.255.255.255

static (inside,outside) 203.201.183.233 172.16.46.88 netmask 255.255.255.255

What I'm trying to do is to NAT the server IP address to another public IP address and send that through the tunnel. I tried to do a Policy NAT and got the following error messages:

access-list client-vpn extended permit ip host 172.16.46.88 w.x.y.z 255.255.255.0

static (inside,outside) 203.201.183.220 access-list client-vpn

WARNING: real-address conflict with existing static

TCP inside:172.16.46.88/80 to outside:203.201.183.233/80 netmask 255.255.255.255

INFO: overlap with existing static

inside:172.16.46.88 to outside:203.201.183.233 netmask 255.255.255.255

4 REPLIES
Hall of Fame Super Blue

NAT Headache - ASA 5505 ver 8.2

Why not just use the existing public IP?

As long as you are specific in your crypto map access-list with their destination server the only traffic that should be sent via the VPN tunnel is when the destination IP is their server IP.

Jon

New Member

NAT Headache - ASA 5505 ver 8.2

Hi Jon

The idea of a crypto map acl is to identify which traffic is to be encrypted and which traffic is not. In this case, the crypto map acl would be something like

access-list client-vpn extended permit ip host 172.16.46.88 host a.b.c.d

access-list client-vpn extended permit ip host 172.16.46.88 host e.f.g.h

where a.b.c.d & e.f.g.h would be the IP addresses of the destination servers

crypto map outside_map 2 match address client-vpn

crypto map outside_map 2 set pfs

crypto map outside_map 2 set peer w.x.y.z

crypto map outside_map 2 set transform-set ESP-AES-256

Pardon my ignorance, how does the server IP address get translated to the public IP address when it goes through the tunnel?

Hall of Fame Super Blue

Re: NAT Headache - ASA 5505 ver 8.2

As long as the tunnel is going via the outside interface then your "static (inside,outside) ..." statement applies.

So that statement still applies. If the VPN tunnel went via a different interface than the outside interface then it wouldn't, but then you wouldn't be getting the overlap errors.

Jon
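The point Jon makes, written out as an added ASA 8.2 configuration example (not the original poster's or Jon's config): the existing static keeps translating the server, so the crypto ACL is written against the translated address. The peer w.x.y.z and remote hosts a.b.c.d / e.f.g.h are the thread's placeholders; the ISAKMP policy values, transform-set contents and pre-shared key are assumptions.

```cisco
! Added example, not taken from the thread. Placeholders: w.x.y.z (peer),
! a.b.c.d / e.f.g.h (remote servers), PLACEHOLDER-PSK (shared key).
!
! The existing one-to-one static stays as it is. It also applies to traffic
! that enters the tunnel, because the tunnel leaves via the outside interface.
static (inside,outside) 203.201.183.233 172.16.46.88 netmask 255.255.255.255
!
! On 8.2 the crypto ACL is evaluated after NAT for outbound traffic, so it
! must match the translated public address rather than 172.16.46.88.
! Keeping it host-specific means only traffic to their servers is encrypted.
access-list client-vpn extended permit ip host 203.201.183.233 host a.b.c.d
access-list client-vpn extended permit ip host 203.201.183.233 host e.f.g.h
!
! Phase 1 (ISAKMP) policy. Values are assumed; they must match the peer.
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
!
! Phase 2 transform set and the crypto map entry from the thread.
! 8.2 uses "set transform-set"; "set ikev1 transform-set" is 8.4+ syntax.
crypto ipsec transform-set ESP-AES-256 esp-aes-256 esp-sha-hmac
crypto map outside_map 2 match address client-vpn
crypto map outside_map 2 set pfs
crypto map outside_map 2 set peer w.x.y.z
crypto map outside_map 2 set transform-set ESP-AES-256
crypto map outside_map interface outside
!
! Peer authentication. Replace the placeholder with a long random key.
tunnel-group w.x.y.z type ipsec-l2l
tunnel-group w.x.y.z ipsec-attributes
 pre-shared-key PLACEHOLDER-PSK
```

Verify with "show crypto ipsec sa": the local identity should show 203.201.183.233, and encaps/decaps counters should increase only for traffic to a.b.c.d and e.f.g.h.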

New Member

NAT Headache - ASA 5505 ver 8.2

Thx Jon
