Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

ASA VPN Tunnel with static policy NAT?

I am in the process of configuring a tunnel between our company and an outside vendor. The outside vendor has our same address space in use on their network as well. We had this setup on our existing Nortel VPN equipment and it was working.

I have setup the tunnel as follows:

object-group network DM_INLINE_NETWORK_75

network-object host 172.x.x.129

network-object host 172.x.x.130

network-object host 172.x.x.131

network-object host 172.x.x.132

access-list outside_2_cryptomap extended permit ip object-group DM_INLINE_NETWORK_75 143.x.x.128

access-list inside_nat_static_1 extended permit ip host 10.x.x.136 143.x.x.128

access-list inside_nat_static_2 extended permit ip host 10.x.x.137 143.x.x.128

access-list inside_nat_static_3 extended permit ip host 10.x.x.138 143.x.x.128

access-list inside_nat_static_4 extended permit ip host 10.x.x.135 143.x.x.128

static (inside,inside) 172.x.x.129 access-list inside_nat_static_1

static (inside,inside) 172.x.x.131 access-list inside_nat_static_2

static (inside,inside) 172.x.x.132 access-list inside_nat_static_3

static (inside,inside) 172.x.x.130 access-list inside_nat_static_4

route inside 172.x.x.128 10.x.x.1 1

crypto map outside_map 2 set peer 207.x.x.110

crypto map outside_map 2 set transform-set ESP-3DES-MD5

crypto map outside_map interface outside

crypto isakmp enable outside

crypto isakmp enable inside

crypto isakmp policy 10

authentication pre-share

encryption 3des

hash md5

group 2

lifetime 86400

I was guessing that I needed a static policy NAT since I only want these devices to use this NAT if they are headed over this tunnel.

How far off base am I?


Re: ASA VPN Tunnel with static policy NAT?

Static NAT needs to be configured on ASA if two websites has same range of address. But slowly shift the ip address range and remove Nat statements for better performance.