Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1336
Views
0
Helpful
3
Replies

LAN to LAN VPN with NAT --- Resolved!

Go to solution
es-netops
Level 1
Level 1

‎09-02-2010 09:17 AM

Hi Everyone,

I am having issues with a L2L VPN that is set up and connected, however when traffic comes in from the other side of the tunnel it does not make it to the Inside network host that is being static NATed. The inside host 172.18.30.225 is being NATted to yyy.30.49.14 which is an IP Address on the DMZ Interface (yyy.30.49.0 255.255.255.240).

Here is the configuration


object-group network NET-Tunnel
  network-object host xxx.220.129.134

access-list Tunnel--ACL extended permit ip host yyy.30.49.14 object-group NET-Tunnel

crypto map MAP_Tunnel 20 match address Tunnel-ACL


object network Tunnel-iServer-NAT
host yyy.30.49.14
object network Tunnel-iServer-Host
host 172.18.30.225


object network Tunnel-iServer-Host
nat (Internal,DMZ) static Tunnel-iServer-NAT

I hope this is sufficient enough for someone to help me.

Thanks,

M

Version 8.3.1 ASA

Message was edited by: Network Operations

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
lawchung
Cisco Employee
Cisco Employee

‎09-02-2010 09:59 AM

Does the Internal host live on the DMZ network or Internal network? If it actually lives on the Internal network then you cannot NAT it to the DMZ interface and have it going out the outside Interface assuming the outside interface is the VPN termination interface. If you are terminating the VPN on the DMZ interface and the internal host lives on the Internal network then that is fine.

View solution in original post

0 Helpful
3 Replies 3

Go to solution
lawchung
Cisco Employee
Cisco Employee

‎09-02-2010 09:59 AM

Does the Internal host live on the DMZ network or Internal network? If it actually lives on the Internal network then you cannot NAT it to the DMZ interface and have it going out the outside Interface assuming the outside interface is the VPN termination interface. If you are terminating the VPN on the DMZ interface and the internal host lives on the Internal network then that is fine.

0 Helpful

Go to solution
es-netops
Level 1
Level 1
In response to lawchung

‎09-02-2010 10:02 AM

Hi Thanks for your reply.

The Internal host lives in the Internal and the tunnel terminates on the Outside interface, What should I do to make this work?

Thanks,

M

0 Helpful

Go to solution
es-netops
Level 1
Level 1
In response to es-netops

‎09-03-2010 08:37 AM

This thread can be closed. I moved the NAT from out of the DMZ to an IP that was bound to the inside.

It now works.

Mods. Please close this thread.

Thanks.

0 Helpful
Customers Also Viewed These Support Documents