New Member

L2L-VPN with inbound NAT

Cisco ASA (Site-A) with 2 L2L-VPNs (let's call them Site-B and Site-C)

I need to "inbound-nat" the network of Site-C.

Let me better explain:

- The Site-B (10.14.63.0/24) only accepts traffic from the LAN of Site-A (10.1.6.0/24), and I cannot change the VPN.

- Now I have connected Site-C to Site-A, and it should also communicate with Site-B.

- So I thought I have to NAT the network of Site-C (10.168.3.0/24) in order to present it with an IP of Site-A.

Possible?

And how do I configure the ASA in Site-A?

Thanks

Claudio

5 REPLIES
Super Bronze

L2L-VPN with inbound NAT

Hi,

What is the software level on the Site A ASA?

- Jouni

Super Bronze

L2L-VPN with inbound NAT

Uhmm,

Did you click the wrong button, as I didn't answer anything yet?

- Jouni

New Member

L2L-VPN with inbound NAT

It will be a brand new one (9.1.x).

Now there is a Zywall I want to replace

Super Bronze

Re: L2L-VPN with inbound NAT

Hi,

So there is no ASA at the moment on Site A?

Well, if we are to look at the NAT configuration needed for the connections from one L2L VPN to the other L2L VPN, then it would probably look something like this:

object network SITE-C
 subnet 10.168.3.0 255.255.255.0
object network SITE-B
 subnet 10.14.63.0 255.255.255.0
object network SITE-A-PAT
 host 10.1.6.x
!
nat (outside,outside) source dynamic SITE-C SITE-A-PAT destination static SITE-B SITE-B

For the PAT IP address you should naturally choose an IP address that is not currently in use on any device and is reserved only for this purpose.

You would also need this command on the Site A ASA:

same-security-traffic permit intra-interface

The purpose of the above command is that the traffic can move from "outside" to "outside" which in this case would be the traffic going from one L2L VPN to the other L2L VPN.

You would also need to configure the Crypto ACL between Site A and Site C so that Site A has Site B as source and Site C has Site B as destination, so that the traffic is forwarded to Site A first.

In ACL form it would be, for example:

access-list L2LVPN permit ip 10.168.3.0 255.255.255.0 10.14.63.0 255.255.255.0

You would naturally have to have the ACL statement for the Site A <-> Site C traffic too. The above is just the one needed to forward traffic from Site C to Site A.

Hope this helps

- Jouni
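To see why each of the three pieces in the reply above matters, here is an added model of the Site-C to Site-B flow through the Site-A ASA; it is example code, not anything from the thread or from Cisco. Addresses are the thread's; the PAT host 10.1.6.250 is an assumed placeholder for the "10.1.6.x" the reply leaves open, and the Site-C crypto ACL is written as seen from Site C (Site A holds the mirror).

```python
from ipaddress import ip_address, ip_network

SITE_A = ip_network("10.1.6.0/24")
SITE_B = ip_network("10.14.63.0/24")
SITE_C = ip_network("10.168.3.0/24")
SITE_A_PAT = ip_address("10.1.6.250")  # assumed placeholder for 10.1.6.x; must be an unused host

# Crypto ACLs as (source, destination) pairs. Site-B's tunnel only accepts Site-A's LAN
# and cannot be changed; Site-C's tunnel gets the extra line from the reply.
ACL_A_TO_B = [(SITE_A, SITE_B)]
ACL_C_TO_A = [(SITE_C, SITE_A), (SITE_C, SITE_B)]


def acl_permits(acl, src, dst):
    """True if some (source, destination) line of the crypto ACL covers the flow."""
    return any(src in s and dst in d for s, d in acl)


def policy_pat(src, dst, enabled=True):
    """Models: nat (outside,outside) source dynamic SITE-C SITE-A-PAT
    destination static SITE-B SITE-B. Only Site-C -> Site-B traffic is translated."""
    if enabled and src in SITE_C and dst in SITE_B:
        return SITE_A_PAT
    return src


def forward_c_to_b(src, dst, nat_enabled=True, intra_interface=True):
    """Decide what the Site-A ASA does with a packet arriving from the Site-C tunnel."""
    # 1. Site C only sends it over the tunnel if its crypto ACL calls it interesting.
    if not acl_permits(ACL_C_TO_A, src, dst):
        return "dropped: not interesting traffic on the Site-C tunnel"
    # 2. Decrypted on outside, re-encrypted on outside: needs intra-interface permit.
    if not intra_interface:
        return "dropped: same-security-traffic permit intra-interface missing"
    # 3. NAT happens before the Site-B crypto ACL is consulted.
    translated = policy_pat(src, dst, nat_enabled)
    if acl_permits(ACL_A_TO_B, translated, dst):
        return f"encrypted to Site-B as {translated}"
    return f"dropped: {translated} is not in the Site-B crypto ACL"
```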

New Member

L2L-VPN with inbound NAT

OK, thanks for the solution - it looks like a well-working one.

Now I just have to convince the customer to throw away his trap and put in a serious firewall (an ASA, obviously).

Claudio
