Cisco ASA NAT/VPN

Cisco eng
Level 1

Hello,

I've a question about a Cisco ASA.

We are trying to build up a VPN connection with a supplier of ours using the subnet 172.16.1.0/24. Now they already have another customer using 172.16.1.0/24, so we have to NAT the traffic to a different subnet before connecting to the supplier. Is this possible? If so, how can I configure something like that?

172.16.1.0/24 is also used to get to the internet.

This is what I have at the moment:

!

access-list internet_cryptomap_2 extended permit ip 192.168.0.0 255.255.252.0 (supplier subnet)

!

crypto map internet_map1 3 match address internet_cryptomap_2

crypto map internet_map1 3 set peer (supplier IP address)

crypto map internet_map1 3 set transform-set tubis-transformset

crypto map internet_map1 3 set reverse-route

!

This VPN is working, but only for the subnet listed in the cryptomap_2; unfortunately I can't use 172.16.1.0/24 for this.

Does anyone have any ideas how to solve this?

Regards,

Tom

Accepted Solution

Jennifer Halim
Cisco Employee

Yes you can..

Assuming that you would like to NAT 172.16.1.0/24 to 10.16.1.0/24 when accessing the supplier subnet 192.168.0.0:

access-list static-nat-to-supplier permit ip 172.16.1.0 255.255.255.0 192.168.0.0 255.255.252.0

static (inside,outside) 10.16.1.0 access-list static-nat-to-supplier

access-list internet_cryptomap_2 extended permit ip 10.16.1.0 255.255.255.0 192.168.0.0 255.255.252.0

Assuming that you have ASA 8.2 or lower.

Otherwise, ASA 8.3 or higher:

object network obj-172.16.1.0

  subnet 172.16.1.0 255.255.255.0

object network obj-10.16.1.0

  subnet 10.16.1.0 255.255.255.0

object network obj-192.168.0.0

  subnet 192.168.0.0 255.255.252.0

nat (inside,outside) source static obj-172.16.1.0 obj-10.16.1.0 destination static obj-192.168.0.0 obj-192.168.0.0

Make sure that traffic from 172.16.1.0 255.255.255.0 to 192.168.0.0 255.255.252.0 is NOT in the NAT exemption ACL.

Ah ok, so in your case you would like to NAT 172.16.1.0/24 to 10.50.0.0/24 when accessing your supplier subnet on 85.90.68.160/28:

access-list static-nat-to-supplier permit ip 172.16.1.0 255.255.255.0 85.90.68.160 255.255.255.240

static (inside,outside) 10.50.0.0 access-list static-nat-to-supplier

access-list internet_cryptomap_2 extended permit ip 10.50.0.0 255.255.255.0 85.90.68.160 255.255.255.240

Also, you would need to ensure that your supplier's crypto ACL has the mirror-image ACL configured, i.e.:

access-list extended permit ip 85.90.68.160 255.255.255.240 10.50.0.0 255.255.255.0

The following static NAT statement should be changed:

FROM:

static (internet,lan) 10.50.0.0 access-list static-nat-to-tubis

TO:

static (lan,internet) 10.50.0.0 access-list static-nat-to-tubis

This ACL should be removed:

access-list lan_nat0_outbound extended permit ip 172.16.1.0 255.255.255.0 85.90.68.160 255.255.255.240

Then "clear xlate" after the above changes.
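The three things the replies above insist on (the static must read (inside,outside), the crypto ACL must match the translated subnet, and the real subnet must not be in the nat 0 exemption ACL) can be checked mechanically before a "clear xlate". The following is an added Python example, not code from this thread or from Cisco: it parses a constructed ASA 8.2-style fragment that reproduces the thread's final state, with the exemption line the last reply says to remove still present, and reports each inconsistency. The regexes only cover the exact line forms used in this thread, and the interface names lan/internet are taken from the last reply.

```python
import ipaddress
import re

# Constructed ASA 8.2-style fragment of the thread's final state; the nat-exemption
# line the last reply says to remove is deliberately still present.
CONFIG = """
access-list static-nat-to-tubis permit ip 172.16.1.0 255.255.255.0 85.90.68.160 255.255.255.240
static (lan,internet) 10.50.0.0 access-list static-nat-to-tubis
access-list internet_cryptomap_2 extended permit ip 10.50.0.0 255.255.255.0 85.90.68.160 255.255.255.240
access-list lan_nat0_outbound extended permit ip 172.16.1.0 255.255.255.0 85.90.68.160 255.255.255.240
nat (lan) 0 access-list lan_nat0_outbound
crypto map internet_map1 3 match address internet_cryptomap_2
"""

ACL_RE = re.compile(r"^access-list (\S+) (?:extended )?permit ip (\S+) (\S+) (\S+) (\S+)$")
STATIC_RE = re.compile(r"^static \((\S+),(\S+)\) (\S+) access-list (\S+)$")
NAT0_RE = re.compile(r"^nat \(\S+\) 0 access-list (\S+)$")
CRYPTO_RE = re.compile(r"^crypto map \S+ \d+ match address (\S+)$")


def check_policy_nat(config, inside_if="lan", outside_if="internet"):
    """Return a list of problems; an empty list means the NAT-before-VPN setup is consistent."""
    acls, statics, nat0, crypto = {}, [], [], []
    for line in config.strip().splitlines():
        if m := ACL_RE.match(line):
            name, src, smask, dst, dmask = m.groups()
            acls.setdefault(name, []).append(
                (ipaddress.ip_network(f"{src}/{smask}"), ipaddress.ip_network(f"{dst}/{dmask}")))
        elif m := STATIC_RE.match(line):
            statics.append(m.groups())  # (real_if, mapped_if, mapped_net, acl_name)
        elif m := NAT0_RE.match(line):
            nat0.append(m.group(1))
        elif m := CRYPTO_RE.match(line):
            crypto.append(m.group(1))
    findings = []
    for real_if, mapped_if, mapped_net, acl in statics:
        # 1. the real (pre-NAT) interface comes first: static (inside,outside), not the reverse
        if (real_if, mapped_if) != (inside_if, outside_if):
            findings.append(f"static uses ({real_if},{mapped_if}); expected ({inside_if},{outside_if})")
        for real_src, supplier in acls.get(acl, []):
            mapped = ipaddress.ip_network(f"{mapped_net}/{real_src.prefixlen}")
            # 2. the crypto ACL must name the translated subnet, not the real one
            for cmap in crypto:
                entries = acls.get(cmap, [])
                if not any(s == mapped and d == supplier for s, d in entries):
                    findings.append(f"crypto ACL {cmap} lacks {mapped} -> {supplier}")
            # 3. the real traffic must not be NAT-exempt, or the policy static never applies
            for n0 in nat0:
                if any(s.overlaps(real_src) and d.overlaps(supplier) for s, d in acls.get(n0, [])):
                    findings.append(f"nat 0 ACL {n0} exempts {real_src} -> {supplier}; remove it")
    return findings
```

Running it on CONFIG reports only the exemption ACL; dropping the two lan_nat0_outbound lines yields an empty list.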
