
New Member

Ipsec VPN running but need to configure NAT

I just established an IPsec VPN with one of our providers. The VPN gets established, but one of the IPs in my LAN is in conflict with a device on my provider's side. I'm trying to configure NAT to avoid the conflict, but I'm clueless on the steps to do it.

This is part of my current configuration

    object-group network customer_outside
     network-object X.X.X.X 255.255.255.248
    object-group network customer_inside
     network-object 192.168.1.210 255.255.255.255
     network-object 192.168.1.25 255.255.255.255 -> conflicting IP
     network-object 192.168.1.38 255.255.255.255
    access-list customer_acl extended permit ip object-group customer_outside object-group customer_inside
    crypto ipsec transform-set customer_ts esp-3des esp-sha-hmac
    crypto map customer 10 match address customer_acl
    crypto map customer 10 set peer Y.Y.Y.Y
    crypto map customer 10 set transform-set customer_ts
    crypto map customer 10 set security-association lifetime seconds 3600
    crypto map customer interface outside
    crypto isakmp policy 10
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    tunnel-group Y.Y.Y.Y type ipsec-l2l
    tunnel-group Y.Y.Y.Y ipsec-attributes
     pre-shared-key *

Thanks for your help.

1 ACCEPTED SOLUTION

Accepted Solutions

Re: Ipsec VPN running but need to configure NAT

Hello Rafael,

You can do it with a policy nat:

    access-list TEST permit ip host 192.168.1.25 X.X.X.X 255.255.255.248
    static (inside,outside) 192.168.20.25 access-list TEST

As NAT goes before the crypto for the VPN traffic, you will need to include in the crypto ACL the traffic from the NATted IP address (in this case 192.168.20.25).

Regards,

Do rate all the helpful posts

Julio

Security Engineer

Looking for some Networking Assistance? Contact me directly at jcarvaja@laguiadelnetworking.com I will fix your problem ASAP. Cheers, Julio Carvajal Segura http://laguiadelnetworking.com
4 REPLIES
New Member

Re: Ipsec VPN running but need to configure NAT

What is the version of the ASA? Is it greater than 8.3, and could you NAT the IP to an outside IP, or do you have an IP that you would like to use?

New Member

Re: Ipsec VPN running but need to configure NAT

The ASA version is 8.2(1) and I just want to NAT it to a private IP like 192.168.20.25, etc.

New Member

Re: Ipsec VPN running but need to configure NAT

Julio:

Thanks for the help, the VPN is working now. Only one thing I have to add: at the beginning, it took me a while to make it work until I found there was a NAT exception rule that overruled the static command. Once I removed the exception, everything worked as I wanted.

Regards,

Rafael
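The accepted answer's policy NAT and the follow-up about the NAT exemption rule, put together as one ASA 8.2 sequence. This is an added example, not configuration posted by anyone in the thread. `NONAT_ACL` and `<provider_host>` are placeholders, and it assumes `customer_inside` is referenced only by `customer_acl`.

```cisco
! Added example for ASA 8.2 (pre-8.3 NAT syntax). X.X.X.X and Y.Y.Y.Y are the
! thread's own masked values; NONAT_ACL and <provider_host> are placeholders.
! Lines that start with show, clear or packet-tracer are exec commands; the
! rest are entered in configuration mode.

! 1. Look for a NAT exemption that covers the conflicting host. On 8.2 a
!    "nat (inside) 0 access-list ..." match is evaluated before any static,
!    so a matching entry sends the host out untranslated.
show running-config nat
show running-config access-list NONAT_ACL

! 2. Remove the exemption entry that matches this flow (hypothetical entry;
!    use the line that step 1 actually shows).
no access-list NONAT_ACL extended permit ip host 192.168.1.25 X.X.X.X 255.255.255.248

! 3. Policy static NAT from the accepted answer: 192.168.1.25 is translated
!    to 192.168.20.25 only when the destination is the provider subnet.
access-list TEST extended permit ip host 192.168.1.25 X.X.X.X 255.255.255.248
static (inside,outside) 192.168.20.25 access-list TEST

! 4. NAT runs before the crypto map lookup, so the crypto ACL has to list
!    the translated address instead of the real one. The provider has to
!    reference 192.168.20.25 in its own crypto ACL as well.
object-group network customer_inside
 no network-object 192.168.1.25 255.255.255.255
 network-object 192.168.20.25 255.255.255.255

! 5. Flush the old translation and SAs, then verify the NAT and VPN phases.
clear xlate local 192.168.1.25
clear crypto ipsec sa peer Y.Y.Y.Y
packet-tracer input inside icmp 192.168.1.25 8 0 <provider_host> detailed
show xlate
show crypto ipsec sa peer Y.Y.Y.Y
```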
