Access-list for Site-to-Site IPSEC Tunnel

How can I NAT the same set of four hosts and give them access to two different networks across an IPSEC site-to-site VPN tunnel?  I'm using an ASA5520 running 8.04.

I have four hosts, say: 10.240.1.1-10.240.1.4

They need access to two different networks:

205.100.150.0

140.175.200.0

I would like to NAT them as something like:

7.5.210.1

7.5.210.2

7.5.210.3

7.5.210.4 

1 REPLY

Re: Access-list for Site-to-Site IPSEC Tunnel

Something like:

static (inside,outside) 7.5.210.0 access-list policy-nat

access-list policy-nat permit ip 10.240.1.0 255.255.255.248 205.100.150.0 255.255.255.0

access-list policy-nat permit ip 10.240.1.0 255.255.255.248 140.175.200.0 255.255.255.0

Then reference the policy NAT subnet in your crypto access-list:

access-list cryptoACL permit ip 7.5.210.0 255.255.255.248 205.100.150.0 255.255.255.0

access-list cryptoACL permit ip 7.5.210.0 255.255.255.248 140.175.200.0 255.255.255.0

I know you wanted to just use 4 addresses, but summarizing them into a /29 is much easier than having individual policy NAT configurations. Just make sure that static is placed above any existing statics that may use the same internal addresses.
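A consistency check for the configuration in the reply above, added here as an example and not code from the thread or from Cisco: it parses the `static` and `access-list` lines, applies the subnet policy-NAT translation (real source network replaced by the global address with the same mask) and confirms that the crypto ACL selects exactly the translated flows and that the four real hosts fall inside the summarized /29. The configuration text is reconstructed from the reply, and the regexes assume only the `permit ip SRC MASK DST MASK` ACE shape shown there.

```python
import ipaddress
import re

# Constructed from the reply above: the policy-NAT static, its ACL and the crypto ACL (not a live config).
CONFIG = """
static (inside,outside) 7.5.210.0 access-list policy-nat
access-list policy-nat permit ip 10.240.1.0 255.255.255.248 205.100.150.0 255.255.255.0
access-list policy-nat permit ip 10.240.1.0 255.255.255.248 140.175.200.0 255.255.255.0
access-list cryptoACL permit ip 7.5.210.0 255.255.255.248 205.100.150.0 255.255.255.0
access-list cryptoACL permit ip 7.5.210.0 255.255.255.248 140.175.200.0 255.255.255.0
"""

# Assumption: only the "permit ip SRC SMASK DST DMASK" ACE shape used in the reply is handled.
ACE_RE = re.compile(r"access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)")
STATIC_RE = re.compile(r"static \(\S+,\S+\) (\S+) access-list (\S+)")

def parse_config(text):
    """Return {acl_name: [(src_net, dst_net), ...]} and {acl_name: global_address} for policy statics."""
    acls, statics = {}, {}
    for line in text.splitlines():
        m = ACE_RE.match(line.strip())
        if m:
            name, s, sm, d, dm = m.groups()
            acls.setdefault(name, []).append((ipaddress.ip_network(f"{s}/{sm}"), ipaddress.ip_network(f"{d}/{dm}")))
            continue
        m = STATIC_RE.match(line.strip())
        if m:
            statics[m.group(2)] = ipaddress.ip_address(m.group(1))
    return acls, statics

def translated_flows(acls, statics):
    """Subnet policy NAT keeps the ACE's source mask: the real source network is swapped
    for the global address with the same prefix length; the destination is unchanged."""
    flows = set()
    for acl_name, global_addr in statics.items():
        for src, dst in acls.get(acl_name, []):
            flows.add((ipaddress.ip_network(f"{global_addr}/{src.prefixlen}", strict=False), dst))
    return flows

def crypto_acl_mismatches(acls, statics, crypto_name):
    """Return (translated flows the crypto ACL lacks, crypto ACEs matching no translated flow).
    Both empty means the tunnel selects exactly the NATted traffic and nothing else."""
    expected = translated_flows(acls, statics)
    actual = set(acls.get(crypto_name, []))
    return expected - actual, actual - expected

def hosts_covered(acls, nat_acl, hosts):
    """True when every listed real host falls inside a policy-NAT source network."""
    return all(any(ipaddress.ip_address(h) in src for src, _ in acls[nat_acl]) for h in hosts)
```

Putting the real 10.240.1.0/29 addresses into the crypto ACL instead of 7.5.210.0/29 is reported as two missing and two stray entries, which is the usual reason such a tunnel comes up but passes no traffic.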
