Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Community Member

How to nat subnets before establishing site to site ipsec vpn tunnel?

Hello,

Coming across requirement which is new to me as I have not done this setup. Details as follows. Hope some1 can help.

Requirement: nat existing subnets to 192.168.50.0/24 subnet which is allowed at another firewall.

Existing device: Cisco 5510 where I need to do this NAT.

Existing scenario in short: I have created vlans on asa by creating sub interfaces.

Changes done: added new sub int for 192.168.50.0. Added new object as 192.168.50.0 . Now done with creation of acl where traffic from 192.168.50.0 to remote subnets allowed. In NAT object sections done nating 1 to 1 I.e. existing subnet to 192.168.50.0

Done ipsec vpn setup inc phase 1 & 2.

Now tried to ping remote hosts but not reachable.

Pls advice how to make it work.

I dont any router next to asa 5510. Asa is in routed mode. Next hop to asa is isp's mux.

5 REPLIES
Super Bronze

How to nat subnets before establishing site to site ipsec vpn tu

Hi,

Can you clarify the setup a bit.

I first got the picture that the NAT network is 192.168.50.0/24 and some other networks should be NATed to this.

Later on it seems that you have configured this to some interface on the ASA?

So are you attempting to NAT some other LAN networks to this single NAT network before the traffic heads to the L2L VPN connection on your ASA?

Can you then mention what are the source networks and source interfaces for these networks? What is the destination network at the remote end of the L2L VPN connection?

Do you want to just do a NAT Pool of the 192.168.50.0/24 network for all your Internet users OR does the remote end also have to be able to connect to some of your sites hosts/servers?

What is the software version of your ASA?

- Jouni

Community Member

Re: How to nat subnets before establishing site to site ipsec vp

Hello. Pls find my answers inline

I first got the picture that the NAT network is 192.168.50.0/24 and some other networks should be NATed to this.

Answer: Thats correct.

Later on it seems that you have configured this to some interface on the ASA?

Answer: Yes as I have defined vlan's on ASA itself. i.e. other subnets too i.e. 10.x series & 192.168.222.x series. I used Ethernet 0/0 as main interface for all LAN networks and have created sub interfaces i.e. vlan's on it. Using 3COM switch down to ASA to terminate those vlan's & distribute to unmanaged switches. Due to port limitations on ASA I have configured vlans on ASA itself. Ethernet 0/2 is my WAN interfacei.e. ISP link terminates on Eth 0/2 port.

So  are you attempting to NAT some other LAN networks to this single NAT  network before the traffic heads to the L2L VPN connection on your ASA?

Answer: Yes thats right. Attempting to NAT multiple networks to single NAT before traffic head to L2L VPN connecting from my ASA 5510 to remote Citrix firewall.

Can  you then mention what are the source networks and source interfaces for  these networks? What is the destination network at the remote end of  the L2L VPN connection?

Answer:    Source networks =  10.100.x series & 192.168.222.x series / Destination networks are from 192.168.228.x , 192.168.229.x series.  Remote admin wants us to NAT our multiple subnets to single subnet i.e. 192.168.50.0 and then traffic from this subnet is allowed at remote end.

Do  you want to just do a NAT Pool of the 192.168.50.0/24 network for all  your Internet users OR does the remote end also have to be able to  connect to some of your sites hosts/servers?

Answer:  Yes just want to NAT LAN subnets to 192.168.50.0/24 for all LAN users. 1 way access. I am going to access remote servers.

The new thing for me is how to NAT multiple subnets. I have existing ipsec vpn's where I have added multiple subnets which is traditional set up for me. This requirement is new to me.

Re:How to nat subnets before establishing site to site ipsec vpn

What version of code is on your ASA? The NAT configuration completely changed from 8.2 to 8.3.

Regards,
Mike


Sent from Cisco Technical Support Android App

Community Member

Re: How to nat subnets before establishing site to site ipsec vp

Yes. ASA 8.3 version looks more complex  to me.

I am having following versions in my ASA 5510 >>

ASA version 8.3(1)

ASDM version 6.3(1)

Re: How to nat subnets before establishing site to site ipsec vp

I actually prefer the 8.3+ NAT configuration. It's a lot more intuitive when you get used to it. Here's a sample config that I believe will work, but I have not had a chance to throw it up in the lab yet. Feel free to change any of this to suit your needs.

object-group network Private-Networks

   network-object 10.100.0.0 255.255.0.0

   network-object 192.168.222.0 255.255.255.0

object-group network NATTED-Private-Network

   network-object 192.168.50.0 255.255.255.0

object-group network Destination-VPN-Networks

   network-object 192.168.228.0 255.255.255.0

   network-object 192.168.229.0 255.255.255.0

nat (inside,outside) source dynamic Private-Networks NATTED-Private-Networks destination static Destination-VPN-Networks Destination-VPN-Networks

This should utilize the 192.168.50/24 network as a dynamic NAT pool. If you prefer to use the subnet as a dynamic PAT pool, use the following NAT configuration:

nat (inside,outside) source dynamic Private-Networks pat-pool NATTED-Private-Networks destination static Destination-VPN-Networks Destination-VPN-Networks

Also note, when defining your access-list for VPN traffic, in 8.3+ you still need to use the mapped IP addresses. The ASA uses the access-list to determine the phase 2 SAs and doesn't perform NAT prior to bringing up phase 2. This is the opposite of normal interface access-lists in 8.3+.

Regards,

Mike

Please remember to rate helpful posts.

1395
Views
0
Helpful
5
Replies
CreatePlease to create content