NAT Headache - ASA 5505 ver 8.2

mmapa1980
Level 1

Hi All

A client wants to setup a site-to-site VPN with us and they want us to traffic Public IP address through the tunnel. The vpn tunnel is between one of our servers (172.16.46.88) and one of their servers. Our server has already been NATted to a public IP address and clients can browse to it without a vpn. (see below)

static (inside,outside) tcp 203.201.183.233 www 172.16.46.88 www netmask 255.255.255.255

static (inside,outside) 203.201.183.233 172.16.46.88 netmask 255.255.255.255

What I'm trying to do is to NAT the server IP address to another public IP address and send that through the tunnel. I tried to do a Policy NAT and got the following error messages:

access-list client-vpn extended permit ip host 172.16.46.88 w.x.y.z 255.255.255.0

static (inside,outside) 203.201.183.220 access-list client-vpn

WARNING: real-address conflict with existing static
  TCP inside:172.16.46.88/80 to outside:203.201.183.233/80 netmask 255.255.255.255
INFO: overlap with existing static
  inside:172.16.46.88 to outside:203.201.183.233 netmask 255.255.255.255


Jon Marshall
Hall of Fame

Why not just use the existing public IP ?

As long as you are specific in your crypto map access-list with their destination server the only traffic that should be sent via the VPN tunnel is when the destination IP is their server IP.

Jon

Hi Jon

The idea of a crypto map acl is to identify which traffic is to be encrypted and which traffic is not. In this case, the crypto map acl would be something like

access-list client-vpn extended permit ip host 172.16.46.88 host a.b.c.d

access-list client-vpn extended permit ip host 172.16.46.88 host e.f.g.h

where a.b.c.d & e.f.g.h would be the IP addresses of the destination servers

crypto map outside_map 2 match address client-vpn

crypto map outside_map 2 set pfs

crypto map outside_map 2 set peer w.x.y.z

crypto map outside_map 2 set ikev1 ESP-AES-256

Pardon my ignorance, how does the server IP address get translated to the public IP address when it goes through the tunnel?

As long as the tunnel is going via the outside interface then your "static (inside,outside) ..." statement applies.

So that statement still applies. If the VPN tunnel went via a different interface than the outside interface then it wouldn't but then you wouldn't be getting the overlap errors.

Jon
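The approach Jon describes, as an added configuration example that is not part of the thread: the existing static stays in place and no second translation is added, and the crypto ACL is written against the translated address, because on the ASA outbound traffic is NATed before the crypto map is evaluated (that last point goes one step beyond the answer above). Peer w.x.y.z and destinations a.b.c.d / e.f.g.h are the thread's own placeholders; the ISAKMP policy, transform-set name and pre-shared key are assumptions.

```cisco
! Added example (not from the thread): ASA 8.2 site-to-site VPN that reuses the
! existing static NAT instead of adding an overlapping policy NAT.

! Existing translation from the thread: the real server is always presented on
! the outside interface as 203.201.183.233, VPN traffic included.
static (inside,outside) 203.201.183.233 172.16.46.88 netmask 255.255.255.255

! Crypto ACL written with the translated address. Outbound packets are
! translated before the crypto map is checked, so a source of 172.16.46.88
! here would never match and the traffic would leave unencrypted via the static.
access-list client-vpn extended permit ip host 203.201.183.233 host a.b.c.d
access-list client-vpn extended permit ip host 203.201.183.233 host e.f.g.h

! Phase 1 (assumed parameters; align them with the peer).
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
tunnel-group w.x.y.z type ipsec-l2l
tunnel-group w.x.y.z ipsec-attributes
 pre-shared-key <shared-secret-placeholder>

! Phase 2: 8.2 syntax binds a transform-set; the "set ikev1" form is 8.4+.
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto map outside_map 2 match address client-vpn
crypto map outside_map 2 set pfs
crypto map outside_map 2 set peer w.x.y.z
crypto map outside_map 2 set transform-set ESP-AES-256-SHA
crypto map outside_map interface outside

! Only traffic matching client-vpn is encrypted; Internet clients still reach
! 203.201.183.233 directly through the same static, exactly as before.
```

Verify with "show crypto ipsec sa" that the local identity shows 203.201.183.233, not 172.16.46.88; if the peer built its crypto ACL with the real address, phase 2 will not come up.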

Thx Jon
