New Member

Destination NAT over IPSEC VPN on ASA

We currently have the following scenario with 2 ipsec vpn tunnels setup.

inside LAN = 172.20.136.0/24

Remote Site1 internal LAN = 192.168.1.0/24

Remote Site2 internal LAN = 192.168.2.0/24

The VPN tunnels establish without any issues and I can connect to hosts 192.168.1.10 and 192.168.2.10.

However, to avoid overlapping problems in the future, the Policy NAT is normally done on the remote end. This cannot be done here, as our customers are resistant to making any policy NAT changes at their end.

Therefore, I want to 1:1 NAT the remote end hosts to the following on my side, so I am doing Destination NAT.

static (out,in) 192.168.1.10 172.23.0.1  netmask 255.255.255.255

static (out,in) 192.168.2.10 172.23.1.2  netmask 255.255.255.255

In this case our internal 172.20.136.0/24 will connect to IP addresses 172.23.0.1 or 172.23.1.2 rather than 192.168.1.10 or 192.168.2.10.

However, when I try to ping/connect to the destination NATed addresses 172.23.0.1 or 172.23.1.2, I get NO reply. The access-lists that are implemented allow traffic from 172.20.136.0/24 to 172.23.0/24 and 172.23.1.0/24.

Can someone please confirm where I may be going wrong?

2 REPLIES
Super Bronze

Destination NAT over IPSEC VPN on ASA

Hi,

It seems to me that the NAT configuration is otherwise correct but you have to switch the IP addresses the other way around.

The "static" command's format is

nat (sourceint,destint) netmask 255.255.255.255

So the commands should be

static (out,in) 172.23.0.1 192.168.1.10 netmask 255.255.255.255

static (out,in) 172.23.1.2 192.168.2.10 netmask 255.255.255.255

With a little modification you could also configure this as Static Policy PAT that would apply this NAT only when the traffic is between your LAN and these specific hosts, but then again I am not sure if it's needed in this case.

Hope this helps

- Jouni
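The argument-order mistake in the question is easy to catch mechanically. The following is an added example, not code from the thread or from Cisco: a small Python checker that parses ASA 8.2-style `static (real_ifc,mapped_ifc) mapped_ip real_ip netmask mask` lines and verifies that the real address lies in one of the remote VPN LANs while the mapped address lies in one of the translated ranges the inside ACL permits (the networks are the ones given in the thread; the rule that they must not be swapped is the assumption the checker encodes).

```python
# Added example (not from the original thread): validate ASA 8.2-style "static"
# commands for the destination-NAT-over-VPN scenario described above.
import ipaddress
import re
from dataclasses import dataclass

# Syntax assumed here: static (real_ifc,mapped_ifc) mapped_ip real_ip netmask mask
STATIC_RE = re.compile(
    r"^static\s+\((?P<real_ifc>\w+),(?P<mapped_ifc>\w+)\)\s+"
    r"(?P<mapped_ip>[\d.]+)\s+(?P<real_ip>[\d.]+)\s+netmask\s+(?P<mask>[\d.]+)\s*$"
)

# Networks taken from the thread: remote LANs behind the tunnels (the real side)
# and the translated ranges the inside ACL permits as destinations (the mapped side).
REMOTE_LANS = [ipaddress.ip_network("192.168.1.0/24"), ipaddress.ip_network("192.168.2.0/24")]
MAPPED_RANGES = [ipaddress.ip_network("172.23.0.0/24"), ipaddress.ip_network("172.23.1.0/24")]

@dataclass
class StaticNat:
    real_ifc: str
    mapped_ifc: str
    mapped_ip: ipaddress.IPv4Address
    real_ip: ipaddress.IPv4Address
    mask: ipaddress.IPv4Address

def parse_static(line: str) -> StaticNat:
    """Parse one static command; raise ValueError if it does not match the syntax."""
    m = STATIC_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a static NAT command: {line!r}")
    return StaticNat(m["real_ifc"], m["mapped_ifc"], ipaddress.IPv4Address(m["mapped_ip"]),
                     ipaddress.IPv4Address(m["real_ip"]), ipaddress.IPv4Address(m["mask"]))

def check_static(line: str) -> list:
    """Return a list of problems; an empty list means the entry is consistent."""
    nat = parse_static(line)
    real_ok = any(nat.real_ip in n for n in REMOTE_LANS)
    mapped_ok = any(nat.mapped_ip in n for n in MAPPED_RANGES)
    problems = []
    if not real_ok:
        problems.append(f"real_ip {nat.real_ip} is not inside a remote VPN LAN")
    if not mapped_ok:
        problems.append(f"mapped_ip {nat.mapped_ip} is not inside an inside-ACL destination range")
    # The classic symptom: both addresses are valid but given in the wrong order.
    if any(nat.mapped_ip in n for n in REMOTE_LANS) and any(nat.real_ip in n for n in MAPPED_RANGES):
        problems.append("mapped_ip and real_ip look swapped: reverse the two addresses")
    return problems

if __name__ == "__main__":
    for cmd in ("static (out,in) 192.168.1.10 172.23.0.1 netmask 255.255.255.255",
                "static (out,in) 172.23.0.1 192.168.1.10 netmask 255.255.255.255"):
        print(cmd, "->", check_static(cmd) or "OK")
```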

New Member

Destination NAT over IPSEC VPN on ASA

Sorry, my original statements should have read as:

static (out,in) 172.23.0.1 192.168.1.10 netmask 255.255.255.255

static (out,in) 172.23.1.2 192.168.2.10 netmask 255.255.255.255

As it is 182.168.1.x on the outside and 17.23.0.1 or 1.2 on the inside.
