ASA 5520 IPSec NAT question

I have like over 150 VPNs on my ASA 5520. One specific customer I am setting up a VPN with has an overlap with two of the IPs he needs to reach from his internal network. He is NATing his internal network to 10.251.11.177, so traffic getting to my ASA presents itself as 10.251.11.177 from the 10.251.11.176/29 network. Now the two IPs from his internal network he needs to reach are 10.1.254.200 and 10.1.254.201.

So following some documentation on the Cisco website I am trying to do policy NAT on the ASA 5520 (my end) so that his traffic goes to 1.1.1.1 and 1.1.1.2 instead of 10.1.254.200 and 10.1.254.201. Once it reaches my ASA 5520 it gets translated back to those IPs.

I'm trying to use the following configuration, but when I try to add the static entries it won't let me add them. I even tried "static (outside,inside) 1.1.1.1 access-list POLICYNAT" with the ACL in reverse, but no use.

object-group network VPN-MAP
 network-object host 1.1.1.1
 network-object host 1.1.1.2
!
access-list POLICYNAT extended permit ip host 10.1.254.200 10.251.11.176 255.255.255.248
access-list POLICYNAT extended permit ip host 10.1.254.201 10.251.11.176 255.255.255.248
!
static (inside,outside) 1.1.1.1 access-list POLICYNAT
static (inside,outside) 1.1.1.2 access-list POLICYNAT

Accepted Solution

ASA 5520 IPSec NAT question

Try splitting the IPs into two ACLs:

access-list POLICYNAT1 extended permit ip host 10.1.254.200 10.251.11.176 255.255.255.248
access-list POLICYNAT2 extended permit ip host 10.1.254.201 10.251.11.176 255.255.255.248
!
static (inside,outside) 1.1.1.1 access-list POLICYNAT1
static (inside,outside) 1.1.1.2 access-list POLICYNAT2

HTH

Shijo George
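The accepted fix works because the legacy "static ... access-list" policy NAT syntax binds one ACL to one mapped address, so two statics cannot share an ACL. The following added example (not from this thread or from Cisco) is a small lint that parses these lines, flags a shared ACL, and shows the resulting real-to-mapped translation; the sample configs are constructed from the two snippets above.

```python
import re
from collections import defaultdict
# Constructed samples: the poster's attempt (one ACL shared by two statics) and the accepted fix.
SHARED_ACL = """
access-list POLICYNAT extended permit ip host 10.1.254.200 10.251.11.176 255.255.255.248
access-list POLICYNAT extended permit ip host 10.1.254.201 10.251.11.176 255.255.255.248
static (inside,outside) 1.1.1.1 access-list POLICYNAT
static (inside,outside) 1.1.1.2 access-list POLICYNAT
"""
SPLIT_ACL = """
access-list POLICYNAT1 extended permit ip host 10.1.254.200 10.251.11.176 255.255.255.248
access-list POLICYNAT2 extended permit ip host 10.1.254.201 10.251.11.176 255.255.255.248
static (inside,outside) 1.1.1.1 access-list POLICYNAT1
static (inside,outside) 1.1.1.2 access-list POLICYNAT2
"""

ACL_RE = re.compile(r"^access-list (\S+) extended permit ip host (\S+) (\S+) (\S+)$")
STATIC_RE = re.compile(r"^static \(\S+,\S+\) (\S+) access-list (\S+)$")
def parse(config):
    """Return ({acl: [(real_host, dst_net, dst_mask)]}, [(mapped_ip, acl)])."""
    acls, statics = defaultdict(list), []
    for line in config.strip().splitlines():
        if m := ACL_RE.match(line.strip()):
            acls[m.group(1)].append(m.group(2, 3, 4))
        elif m := STATIC_RE.match(line.strip()):
            statics.append(m.group(1, 2))
    return acls, statics

def lint(config):
    """List the policy-NAT problems found; an empty list means the config is well-formed."""
    acls, statics = parse(config)
    users = defaultdict(list)
    for mapped, acl in statics:
        users[acl].append(mapped)
    problems = [f"static {m} references undefined ACL {a}" for m, a in statics if a not in acls]
    for acl, mapped in users.items():
        if len(mapped) > 1:
            problems.append(f"ACL {acl} is shared by statics {', '.join(mapped)}: use one ACL per static")
        if len({e[0] for e in acls.get(acl, [])}) > 1:
            problems.append(f"ACL {acl} matches several real hosts but a static maps them to one IP")
    return problems

def translation_map(config):
    """(real_host, destination) -> mapped IP; a later static silently overrides an earlier one."""
    acls, statics = parse(config)
    mapping = {}
    for mapped, acl in statics:
        for real, net, mask in acls.get(acl, []):
            mapping[(real, f"{net}/{mask}")] = mapped
    return mapping
```

Running lint() over the shared-ACL sample reports the collision, while the split sample lints clean and maps 10.1.254.200 to 1.1.1.1 and 10.1.254.201 to 1.1.1.2 for the 10.251.11.176/29 destination.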

3 REPLIES

ASA 5520 IPSec NAT question

Thank you for the reply. When I do that the ASA accepts the static commands, but when I look at the config I don't see those commands there at all.

ASA 5520 IPSec NAT question

Sorry, there was an issue with a typo. That worked, it needed to be split. Thank you so much.
