Access-list for Site-to-Site IPSEC Tunnel

GREG HARPER
Level 1

How can I NAT the same set of four hosts and give them access to two different networks across an IPSEC site-to-site VPN tunnel?  I'm using an ASA5520 running 8.04.

I have four hosts say: 10.240.1.1-10.240.1.4

They need access to two different networks:

205.100.150.0

140.175.200.0

I would like to NAT them as something like:

7.5.210.1

7.5.210.2

7.5.210.3

7.5.210.4 

1 Reply

Patrick0711
Level 3

Something like:

static (inside,outside) 7.5.210.0 access-list policy-nat
access-list policy-nat permit ip 10.240.1.0 255.255.255.248 205.100.150.0 255.255.255.0
access-list policy-nat permit ip 10.240.1.0 255.255.255.248 140.175.200.0 255.255.255.0

Then reference the policy NAT subnet in your crypto access-list:

access-list cryptoACL permit ip 7.5.210.0 255.255.255.248 205.100.150.0 255.255.255.0
access-list cryptoACL permit ip 7.5.210.0 255.255.255.248 140.175.200.0 255.255.255.0

I know you wanted to just use 4 addresses but summarizing them into a /29 is much easier than having individual policy NAT configurations.  Just make sure that static is placed above any existing statics that may use the same internal addresses.
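The reply rests on two facts about a pre-8.3 ASA: outbound inside-to-outside traffic is translated before the crypto map is consulted, so the crypto ACL must name the mapped 7.5.210.0/29 addresses rather than the real 10.240.1.x ones, and static entries are evaluated in configuration order, so an earlier static for one of the same hosts silently wins. The following Python model is an added example written for this page, not ASA code or anything from the thread: it reproduces both behaviours for the two ACLs above and shows what goes wrong when either rule is broken. The one-to-one static for 10.240.1.1 mapped to 203.0.113.10 is a hypothetical "pre-existing static" used to illustrate the ordering caveat.

```python
"""Simplified model of pre-8.3 ASA behaviour for outbound (inside -> outside)
traffic: apply the first matching static, then match the crypto ACL against
the *translated* source address.  Added example; not ASA code."""
import ipaddress
from typing import List, Optional, Tuple

Net = ipaddress.IPv4Network
Addr = ipaddress.IPv4Address
Ace = Tuple[Net, Net]


def ace(src: str, dst: str) -> Ace:
    """One 'permit ip <src> <mask> <dst> <mask>' entry, written in CIDR form."""
    return ipaddress.ip_network(src), ipaddress.ip_network(dst)


def first_match(acl: List[Ace], src: Addr, dst: Addr) -> Optional[Ace]:
    """ACLs are evaluated top-down; return the first entry covering src/dst."""
    for s, d in acl:
        if src in s and dst in d:
            return (s, d)
    return None


# The two ACLs from the reply (permit entries only).
POLICY_NAT_ACL = [ace("10.240.1.0/29", "205.100.150.0/24"),
                  ace("10.240.1.0/29", "140.175.200.0/24")]
CRYPTO_ACL = [ace("7.5.210.0/29", "205.100.150.0/24"),
              ace("7.5.210.0/29", "140.175.200.0/24")]
# The mistake the reply steers away from: a crypto ACL written on the real
# (pre-NAT) addresses.
CRYPTO_ACL_PRE_NAT = [ace("10.240.1.0/29", "205.100.150.0/24"),
                      ace("10.240.1.0/29", "140.175.200.0/24")]

# A static is modelled as (mapped base address, ACL selecting the real traffic).
Static = Tuple[Addr, List[Ace]]


def policy_static(mapped: str, acl: List[Ace]) -> Static:
    """static (inside,outside) <mapped> access-list <acl>"""
    return ipaddress.ip_address(mapped), acl


def host_static(mapped: str, real: str) -> Static:
    """static (inside,outside) <mapped> <real>: one host, any destination."""
    return ipaddress.ip_address(mapped), [ace(real + "/32", "0.0.0.0/0")]


# Configuration from the reply, in order.
STATICS: List[Static] = [policy_static("7.5.210.0", POLICY_NAT_ACL)]
# Hypothetical pre-existing one-to-one static for host .1 placed ABOVE the
# policy static (203.0.113.10 is a constructed placeholder address).
SHADOWED_STATICS: List[Static] = [host_static("203.0.113.10", "10.240.1.1")] + STATICS


def translate(statics: List[Static], src: str, dst: str) -> str:
    """Return the mapped source address; first matching static wins."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for mapped_base, acl in statics:
        hit = first_match(acl, s, d)
        if hit:
            real_net, _ = hit
            # Policy static keeps the host offset inside the /29: .3 -> 7.5.210.3
            offset = int(s) - int(real_net.network_address)
            return str(ipaddress.ip_address(int(mapped_base) + offset))
    return src  # no static matched: address leaves untranslated


def will_be_encrypted(statics: List[Static], crypto_acl: List[Ace],
                      src: str, dst: str) -> bool:
    """Crypto-map match is made on the post-NAT source and the destination."""
    xlated = ipaddress.ip_address(translate(statics, src, dst))
    return first_match(crypto_acl, xlated, ipaddress.ip_address(dst)) is not None


if __name__ == "__main__":
    for host in ("10.240.1.1", "10.240.1.2"):
        for dst in ("205.100.150.5", "140.175.200.5"):
            print(host, "->", dst,
                  "xlate", translate(STATICS, host, dst),
                  "encrypted", will_be_encrypted(STATICS, CRYPTO_ACL, host, dst),
                  "| with shadowing static:",
                  will_be_encrypted(SHADOWED_STATICS, CRYPTO_ACL, host, dst))
```

Running it shows every host reaching both remote networks over the tunnel with the reply's configuration, the same traffic falling outside the crypto ACL when the ACL is written on 10.240.1.0/29, and host .1 alone dropping off the tunnel when an older static for it sits above the policy static. On a real ASA the equivalent checks are `show xlate` for the translation actually chosen and `packet-tracer input inside tcp 10.240.1.1 1024 205.100.150.5 80`, whose VPN phase reports whether the crypto map matched.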
