03-09-2007 02:12 PM - edited 02-21-2020 02:55 PM
We just implemented a site to site tunnel with another network and now need to NAT addresses from our LAN through the tunnel. Not sure how to do this correctly, and without breaking anything else.
The internal network is 172.16.0.0. The tunnel allows traffic between 1.1.0.0 and 2.2.0.0. I need to translate 172.16.0.0 to 2.2.0.0 to get to 1.1.0.0. Is there a way to do this on the ASA? Or do I need a router in front of the ASA to NAT addresses? Currently 172.16.0.0 is being NAT'd outbound to a global pool for internet traffic, and that needs to stay in place.
Thanks
03-09-2007 03:14 PM
Create an ACL:
access-list policy_nat permit ip 172.16.0.0 255.255.0.0 1.1.0.0 255.255.0.0
Create a static NAT with policy:
static (inside,outside) 2.2.0.0 access-list policy_nat
And your crypto ACL will look like:
access-list cry_acl permit ip 2.2.0.0 255.255.0.0 1.1.0.0 255.255.0.0
That would not affect any other tunnel or the Internet traffic.
*Please rate if helped.
-Kanishka
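Added example, not from this thread: the same policy NAT written in the ASA 8.3 and later object/twice-NAT syntax, keeping the existing Internet pool in place. Object names, the pool range and the packet-tracer hosts are assumed values, not from the original post.

```cisco
! Added example (not from the thread): policy NAT for the tunnel on ASA 8.3+.
! Object names and the pool range are assumptions.
object network LAN
 subnet 172.16.0.0 255.255.0.0
object network LAN_MAPPED
 subnet 2.2.0.0 255.255.0.0
object network REMOTE
 subnet 1.1.0.0 255.255.0.0
object network GLOBAL_POOL
 range 203.0.113.10 203.0.113.20
! Existing Internet NAT (section 2, object NAT) stays as it is
object network LAN
 nat (inside,outside) dynamic GLOBAL_POOL
! Manual NAT (section 1) is evaluated before object NAT, so only traffic from
! 172.16.0.0/16 to 1.1.0.0/16 is translated to 2.2.0.0/16; all other LAN
! traffic still uses the dynamic pool above.
nat (inside,outside) source static LAN LAN_MAPPED destination static REMOTE REMOTE
! The crypto ACL must match the mapped (translated) addresses, because NAT is
! applied before IPsec encapsulation on the ASA
access-list cry_acl extended permit ip 2.2.0.0 255.255.0.0 1.1.0.0 255.255.0.0
! Check which NAT rule a tunnel-bound flow hits before changing anything else
packet-tracer input inside tcp 172.16.1.10 12345 1.1.1.10 80
show nat
```

The packet-tracer output should show the manual NAT rule for a 172.16.x.x to 1.1.x.x flow and the dynamic pool for any other destination.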
03-26-2007 02:23 PM
Hi Kanishka,
static (inside,outside) 2.2.0.0 access-list policy_nat doesn't take. I get an error at policy_nat.
access-list policy_nat permit ip 172.16.0.0 255.255.0.0 1.1.0.0 255.255.0.0 is okay.
Any suggestions?