05-06-2010 07:36 PM
Hi All, I have to connect a L2L to another company; however, they want us to NAT our internal hosts to another subnet. There may be some address conflicts on their side. They want us to NAT my 192.168.200.0 subnet to the 10.10.12.0 subnet. All class C's for the L2L.
192.168.200.0 <---> ASA1 <-- Internet --> ASA2 <-- 192.168.10.0
(10.10.12.0)
Any suggestions on how I can get this to work? I know that it will require some access lists, I'm just not 100% on the access lists, and I'm trying to minimize any downtime. Right now we are just doing the standard NATing for inside hosts to a couple of global IP addresses for Internet traffic.
thanks...
Daniel
05-06-2010 07:42 PM
Here is what can be configured:
access-list static-to-L2L permit ip 192.168.200.0 255.255.255.0 192.168.10.0 255.255.255.0
static (inside,outside) 10.10.12.0 access-list static-to-L2L
If you already have NAT exemption configured from 192.168.200.0/24 to 192.168.10.0/24, you would need to remove that because NAT exemption takes precedence over static translation.
Further to that, you would also need to change your crypto ACL to be sourced from 10.10.12.0/24 instead of 192.168.200.0/24, and the peer ASA also needs to change the crypto ACL to source from 192.168.10.0/24 towards 10.10.12.0/24 as follows:
Your crypto ACL: access-list cryptoACL permit ip 10.10.12.0 255.255.255.0 192.168.10.0 255.255.255.0
Peer crypto ACL: access-list cryptoACL permit ip 192.168.10.0 255.255.255.0 10.10.12.0 255.255.255.0
Hope that helps.
05-06-2010 07:42 PM
Hi Daniel,
On your ASA you will require the following:
access-list NAT permit ip 192.168.200.0 255.255.255.0 192.168.10.0 255.255.255.0
static (in,out) 10.10.12.0 access-list NAT
access-list CRYPTO permit ip 10.10.12.0 255.255.255.0 192.168.10.0 255.255.255.0
The above configuration works like this:
There will be a translation from your internal network 192.168.200.0/24 when going to 192.168.10.0/24 to network 10.10.12.0/24
In other words, communication through the tunnel will be between 10.10.12.0/24 and 192.168.10.0/24
The CRYPTO ACL is defining the interesting traffic applied to the VPN.
Hope it helps.
Federico.
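Putting the two replies above together, here is a complete pre-8.3 (8.2-style, the same command set the replies use) configuration for both firewalls, with the NAT-exemption caveat shown as an explicit removal and the checks that confirm the translation and the tunnel identities. This is an added example, not configuration from either reply or from Daniel's firewalls: the peer public addresses 203.0.113.1 and 203.0.113.2, the names outside_map, ESP-AES256-SHA and NAT-EXEMPT, the old nat 0 entry being removed, the pre-shared key placeholder, the ISAKMP/IPsec parameters and the existing Internet PAT entries are all assumptions made up for the illustration.

```cisco
! ===== ASA1 (Daniel's side: inside 192.168.200.0/24, shown to the peer as 10.10.12.0/24) =====
! Assumed existing dynamic NAT for Internet access. It keeps working: a static with an
! access-list is evaluated before nat/global, so only 192.168.10.0/24-bound traffic changes.
nat (inside) 1 192.168.200.0 255.255.255.0
global (outside) 1 interface

! Caveat from the replies: a NAT exemption for this peer wins over the static, so the packet
! would reach the crypto ACL still sourced from 192.168.200.x, match nothing, and not be
! encrypted. Assumed old entry, removed here:
no nat (inside) 0 access-list NAT-EXEMPT

! Policy static NAT: only traffic from 192.168.200.0/24 to 192.168.10.0/24 is translated,
! one-to-one by host (192.168.200.57 -> 10.10.12.57). Narrow both ACLs to the hosts that
! actually need the partner if a full /24 is more than the business case requires.
access-list static-to-L2L extended permit ip 192.168.200.0 255.255.255.0 192.168.10.0 255.255.255.0
static (inside,outside) 10.10.12.0 access-list static-to-L2L

! NAT happens before the crypto ACL is matched, so the crypto ACL names the translated subnet.
access-list cryptoACL extended permit ip 10.10.12.0 255.255.255.0 192.168.10.0 255.255.255.0

crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ipsec transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
crypto map outside_map 10 match address cryptoACL
crypto map outside_map 10 set peer 203.0.113.2
crypto map outside_map 10 set transform-set ESP-AES256-SHA
crypto map outside_map 10 set pfs group2
crypto map outside_map interface outside
tunnel-group 203.0.113.2 type ipsec-l2l
tunnel-group 203.0.113.2 ipsec-attributes
 pre-shared-key <shared-secret>

! ===== ASA2 (the other company: inside 192.168.10.0/24) =====
! The peer only ever sees 10.10.12.0/24; its exemption and crypto ACL are the mirror image.
! ISAKMP policy and transform set as on ASA1.
access-list NAT-EXEMPT extended permit ip 192.168.10.0 255.255.255.0 10.10.12.0 255.255.255.0
nat (inside) 0 access-list NAT-EXEMPT
access-list cryptoACL extended permit ip 192.168.10.0 255.255.255.0 10.10.12.0 255.255.255.0
crypto map outside_map 10 match address cryptoACL
crypto map outside_map 10 set peer 203.0.113.1
crypto map outside_map 10 set transform-set ESP-AES256-SHA
crypto map outside_map 10 set pfs group2
crypto map outside_map interface outside
tunnel-group 203.0.113.1 type ipsec-l2l
tunnel-group 203.0.113.1 ipsec-attributes
 pre-shared-key <shared-secret>

! ===== Checks on ASA1 after the change =====
! Walk a test packet through the order of operations: the NAT phase should list the
! static-to-L2L static and the VPN phase should end in an ENCRYPT result.
packet-tracer input inside tcp 192.168.200.57 1025 192.168.10.20 445
! Confirm the one-to-one xlate exists and that the SA identity is the mapped subnet.
show xlate | include 10.10.12
show crypto ipsec sa peer 203.0.113.2 | include ident
```

Run the packet-tracer before and after removing the old exemption: with the exemption still present the VPN phase fails to match the crypto ACL, which is the symptom the first reply warns about. The xlate and "local ident" lines should both show 10.10.12.0/24, and the peer's "remote ident" must show the same, never 192.168.200.0/24.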
05-24-2010 10:44 AM
Thanks guys, this was exactly what I needed.
-Daniel