Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1001
Views
0
Helpful
3
Replies

ASA L2L VPN with destination NAT can't get to work

Richard Bradfield
Level 6
Level 6

‎08-23-2017 04:27 PM - edited ‎03-12-2019 04:29 AM

WE have a third party remote site which we connect to via L2L VPN, that is ok if not doing any NAT on the remote subnet.

But we are going to have the same subnet within our network, so we need to NAT the remote subnet address, this is where I am getting problems.

so the NAT for this will be

Nat(inside,outside) source static Local-Lan Local-Lan destination static Remote-Nat  Remote-Real no-proxy-arp

Now looking at various documents it says in this case the NAT is done before the interesting traffic ACL

so the  Intersting traffic ACL should be

access-list local-remote extended permit ip object Local-Lan object Remote-Real

 

but it does not work so if I changed the ACL to

access-list local-remote extended permit ip object Local-Lan object Remote-Nat

 

I see hits on the ACL but still not work

 

So it looks like the traffic hits the ACL before doing the NAT

There must be something simple I am missing

anybody help

thanks

Labels:
0 Helpful
3 Replies 3

Francesco Molino
VIP Alumni
VIP Alumni

‎08-23-2017 07:08 PM

Hi 

 

If you have overlapping you'll need to do the same thing on both side.

 

The goal isn't to nat only the destination but your local lan as well. 

Here a Cisco documentation explaining that situation: 

https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-firewalls/211275-Configuration-Example-of-ASA-VPN-with-Ov.html

 

If you have issue building this up, give me your subnets (real and natted) and will build the config for you. 

Thanks 

 

PS: Please don't forget to rate helpful answers


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
0 Helpful

Richard Bradfield
Level 6
Level 6
In response to Francesco Molino

‎08-23-2017 08:39 PM

Let me put more meat on this.

1) the remote site is 3rd party not able to change.

2) the addressing is not overlapping, just there is another subnet in out network with the same address as the 3rd party

I'll replace the objects with Ip addresses for clarity

nat (inside,outside) source static 10.10.10.x 10.10.10.x destination static 10.150.100.x 192.168.1.x

so accrding to what I have seen in other posts NAT takes place before the Crypto map ACL

so the  ACL should be

Access-list CORE-Remote extended permit ip 10.10.10.x  192.168.1.x

 

But it does not work!

BTW If I do not do any NAT translation go directly 10.10.10.x to 192.168.1.x  the VPN comes up ok.

 

0 Helpful

Richard Bradfield
Level 6
Level 6
In response to Richard Bradfield

‎08-23-2017 09:36 PM

have found the problem,

There was another nat statement that was causing the problem, diabled now ok

 

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents