NAT public subnet to private IP through VPN

luckymace
Level 1

I have a PIX 515E (7.2.2) with several IPsec VPNs configured. They are "subnet to subnet" with NAT-T. I need a new VPN to a new client that "prohibits routing private IP addresses within their network". So I guess I have to NAT my entire subnet to a private IP address before it goes through the tunnel. How would I do this using the ASDM? Any tips would be greatly appreciated, especially if you have dealt with this type of configuration before.

Thanks in advance

L. Mace

7 Replies

ggilbert
Cisco Employee

Hello,

What do you mean by "prohibits routing private IP address within their network"?

a. Do you want your internal network (private address) to show up as a public address on their internal network

or

b. Do you want their internal network to show up as something else on your side?

Which one is it?

If they prohibit routing private IP addresses within their network, your statement "I guess I have to NAT my entire subnet to a private IP address" is contradictory.

Can you please explain to me what you would like to do?

Some examples with subnets would be helpful.

Cheers

Gilbert

Sorry for the confusion. The answer is

a. I need my internal network (10.0.4.0/24) to show up as a public address on their internal network. My confusion is how do I set that up? I have a couple of ideas but am not sure how they would work.

In the statement that is contradictory I meant to say "to a public IP address".

At any rate I am open to ideas.

At this point I do not have their peer ID or much other information except that they do not route private IPs from a vendor's subnet, hence the statement "prohibits routing private IP addresses within their network".

The only other information that I have is that we will use RDP to connect to about 5 servers on the client's subnet.

Thanks

Lucky Mace

I have the same issue.

I have a tunnel set up with a client. My LAN IP addresses are on the 172.16.X.X network. I need to present a 100.0.10.X address to the tunnel.

The tunnel is set up to allow traffic from 100.0.10.X to 200.0.20.X, 200.0.20.X being the address range of hosts on their network that we need access to from 172.16.X.X.

How do I NAT the 172.16.X.X to 100.0.10.X so that it activates the tunnel?

Not trying to steal this thread, but it sounds like exactly the same issue.

Thanks!

Lucky,

The simplest one to do would be ...

E.g.: Remote side network is 192.168.3.0/24

Your side public IP address is 1.1.1.2 on the outside.

Let's say your normal traffic is getting PATed through the following statements

nat (inside) 1 10.0.4.0 255.255.255.0

global (outside) 1 interface

Then your encryption ACL would be:

access-list encacl extended permit ip host 1.1.1.2 192.168.3.0 255.255.255.0

This will allow your traffic to go through the tunnel from the external interface address to the remote side network.

Hope this explains.

Cheers

Gilbert

I'll have to try this; I'll let you know when I get the go-ahead for this tunnel.

Thanks

L. Mace

0rsnaric
Level 1

I got mine figured out, maybe it will help you. (Changed the addresses a little for privacy)

First, the tunnel is set up to pass traffic between the public address I need to NAT to and the addresses on the remote network (the rest of the tunnel parameters are omitted here as they are irrelevant) -

access-list outside_110_cryptomap extended permit ip 123.0.100.0 255.255.255.0 139.50.0.0 255.255.0.0

Then I create the dynamic NAT so that any traffic destined for 139.50.0.0 is first NATed from my PRIVATE address (172.16.0.0) to the PUBLIC address permitted through the tunnel.

Global pool of addresses to NAT to -

global (outside) 3 123.0.100.1-123.0.100.254 netmask 255.255.255.0

Access-list that creates the dynamic mapping, and the nat statement that ties it to pool 3 -

access-list inside_nat_outbound extended permit ip any 139.50.0.0 255.255.0.0
nat (inside) 3 access-list inside_nat_outbound

Basically those entries say, if traffic is bound for 139.50.0.0, NAT it to global pool 3.

Worked like a charm.

Hope that helps.

Rick
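The following is a complete worked configuration for both approaches discussed in this thread (Gilbert's PAT-to-interface variant and Rick's policy-NAT-to-a-pool variant), added here as an illustration; it is not taken from any of the posts above and was not posted by Cisco. It uses Lucky's addresses (inside 10.0.4.0/24, outside interface 1.1.1.2) and Gilbert's remote network 192.168.3.0/24. The peer address 203.0.113.10, the public pool 1.1.1.16-1.1.1.31, the ACL, transform-set, crypto map and tunnel-group names, and the existing exemption network 10.0.8.0/24 are all assumptions made for the example. The key point it shows is the order of operations on PIX/ASA 7.x: outbound traffic is translated before it is matched against the crypto ACL, so the crypto ACL must name the translated (public) source, and a `nat (inside) 0` exemption that happens to cover the new remote network would win over the policy NAT and silently keep the new tunnel from ever coming up.

```cisco
! Added worked example (not from the thread). Scenario: inside 10.0.4.0/24,
! outside interface 1.1.1.2, new customer's network 192.168.3.0/24.
! Assumed values: peer 203.0.113.10, pool 1.1.1.16-1.1.1.31, exemption
! network 10.0.8.0/24, and all object names below.
!
! --- Existing NAT exemption for the older subnet-to-subnet tunnels ---
! nat 0 is evaluated before policy NAT, so this ACL must NOT include
! 192.168.3.0/24; otherwise traffic to the new customer leaves untranslated
! and never matches the crypto ACL for the new tunnel.
access-list nonat extended permit ip 10.0.4.0 255.255.255.0 10.0.8.0 255.255.255.0
nat (inside) 0 access-list nonat
!
! --- Variant A (Gilbert): PAT everything to the outside interface ---
nat (inside) 1 10.0.4.0 255.255.255.0
global (outside) 1 interface
! Crypto ACL is matched after translation, so the source is the interface IP,
! not 10.0.4.0/24. Only connections initiated from the inside can use this.
access-list encacl extended permit ip host 1.1.1.2 192.168.3.0 255.255.255.0
!
! --- Variant B (Rick): policy NAT to a dedicated public pool ---
! Only traffic from 10.0.4.0/24 to the customer network is translated to the
! pool; everything else still follows nat (inside) 1 above. The pool must be
! in the outside interface's subnet (the PIX answers ARP for it) or be routed
! to the PIX by the upstream provider. Use a specific source, not "any".
access-list inside_nat_outbound extended permit ip 10.0.4.0 255.255.255.0 192.168.3.0 255.255.255.0
global (outside) 3 1.1.1.16-1.1.1.31 netmask 255.255.255.240
nat (inside) 3 access-list inside_nat_outbound
! Crypto ACL again names the post-NAT source: the pool, not the inside net.
access-list encacl_pool extended permit ip 1.1.1.16 255.255.255.240 192.168.3.0 255.255.255.0
!
! --- Tunnel: bind ONE of the two crypto ACLs to the new crypto map entry ---
! ISAKMP policies and "crypto isakmp enable outside" are assumed to exist
! already, since the PIX has working tunnels.
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto map outside_map 110 match address encacl_pool
crypto map outside_map 110 set peer 203.0.113.10
crypto map outside_map 110 set transform-set ESP-AES-SHA
crypto map outside_map interface outside
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 pre-shared-key <shared-secret>
```

The customer's crypto ACL must be the mirror image of whichever one you bind (192.168.3.0/24 to 1.1.1.16/28 for Variant B, or to host 1.1.1.2 for Variant A); a mismatch in the proxy identities is the usual reason Phase 2 fails after this kind of change. Both variants only serve connections initiated from your side, which matches the RDP-to-five-servers use case in the thread; if the customer ever needs to reach a specific server of yours, that server would need a static one-to-one translation to an address inside the pool. On 7.2 you can confirm the NAT-then-crypto order before the peer is even reachable with `packet-tracer input inside tcp 10.0.4.10 1025 192.168.3.5 3389`, which shows the translated source and the crypto map entry (or the nat 0 exemption) that the packet hit, and `show xlate` / `show crypto ipsec sa` once the tunnel is up.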

Thanks, this makes sense. I will try it when I get the go-ahead for this tunnel.

Much appreciated
