New Member

NAT IPSEC site-to-site VPN ASA 8.4

My goal is to create a VPN from me (61.227.106.64) to a vendor (9.105.8.204) using an ASA 5510 with 8.4 on it. The vendor's private LANs are 10.134.115.0/24 and 10.135.115.0/24. My private LAN is 10.11.102.0/24 but I want to NAT it to 61.227.106.70.

Is the following config correct?

ASA Version 8.4(2)
!
interface Ethernet0/0
 nameif LAN
 security-level 0
 ip address 10.241.1.61 255.255.255.0
!
interface Ethernet0/1
 nameif WAN
 security-level 0
 ip address 61.227.106.64 255.255.255.0
!
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
!
object network CareOneTSFarm
 subnet 10.11.102.0 255.255.255.0
object network Core_NAT
 host 61.227.106.70
object network NAT_to_outside
 subnet 0.0.0.0 0.0.0.0
object-group network Core_LAN
 network-object 10.134.115.0 255.255.255.0
 network-object 10.135.115.0 255.255.255.0
!
access-list VPNCore extended permit ip object CareOneTSFarm object-group Core_LAN
!
nat (LAN,WAN) source static CareOneTSFarm Core_NAT destination static Core_LAN Core_LAN
!
object network NAT_to_outside
 nat (LAN,WAN) dynamic interface
!
route WAN 0.0.0.0 0.0.0.0 61.227.106.1 1
route LAN 10.11.0.0 255.255.0.0 10.241.1.1 1
!
crypto ipsec ikev1 transform-set AES256_SHA esp-aes-256 esp-sha-hmac
crypto ipsec security-association lifetime seconds 3600
crypto map VPN 50 match address VPNCore
crypto map VPN 50 set peer 9.105.8.204
crypto map VPN 50 set ikev1 transform-set AES256_SHA
crypto map VPN interface WAN
!
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
!
tunnel-group 9.105.8.204 type ipsec-l2l
tunnel-group 9.105.8.204 ipsec-attributes
 ikev1 pre-shared-key *****

Accepted Solution
Cisco Employee

NAT IPSEC site-to-site VPN ASA 8.4

This NAT line:

nat (LAN,WAN) source static CareOneTSFarm Core_NAT destination static Core_LAN Core_LAN

should be:

nat (LAN,WAN) source dynamic CareOneTSFarm Core_NAT destination static Core_LAN Core_LAN

And the VPNCore ACL should match the NATed IP instead of the real IP:

access-list VPNCore extended permit ip object Core_NAT object-group Core_LAN
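The NAT and crypto section of the original config with the accepted answer applied, as an added example that is not part of the original post or the reply. Object names, interface names and addresses come from the question; the verification commands are standard ASA 8.4 commands, and the host addresses in the packet-tracer line are constructed samples inside the stated subnets.

```cisco
! Added example: corrected NAT and crypto ACL for the ASA 8.4 site-to-site VPN
! described in the question. Names and addresses come from the question.
object network CareOneTSFarm
 subnet 10.11.102.0 255.255.255.0
object network Core_NAT
 host 61.227.106.70
object-group network Core_LAN
 network-object 10.134.115.0 255.255.255.0
 network-object 10.135.115.0 255.255.255.0
!
! Manual (twice) NAT in section 1, so it is evaluated before the object NAT
! rule below: traffic from the real LAN to the vendor networks is PATed
! behind 61.227.106.70; the destination is an identity translation.
nat (LAN,WAN) source dynamic CareOneTSFarm Core_NAT destination static Core_LAN Core_LAN
!
! General Internet PAT (section 2 object NAT) for everything that did not
! match the twice-NAT rule above.
object network NAT_to_outside
 subnet 0.0.0.0 0.0.0.0
 nat (LAN,WAN) dynamic interface
!
! The crypto ACL names the translated source: on 8.3+ the ASA applies NAT
! before it matches outbound traffic against the crypto map ACL, so an ACL
! written for 10.11.102.0/24 would never match and nothing would be encrypted.
access-list VPNCore extended permit ip object Core_NAT object-group Core_LAN
crypto map VPN 50 match address VPNCore
!
! Verification, constructed sample hosts 10.11.102.10 and 10.134.115.10:
! packet-tracer input LAN tcp 10.11.102.10 40000 10.134.115.10 443
!   -> expect a NAT phase translating the source to 61.227.106.70,
!      followed by a VPN encrypt phase and "Action: allow"
! show nat                    (hit count on the twice-NAT rule increments)
! show crypto ikev1 sa        (phase 1 state should be MM_ACTIVE)
! show crypto ipsec sa        (pkts encaps / decaps counters increment)
```

Two consequences follow from using dynamic PAT behind a single address. First, the vendor's crypto ACL must mirror this one, i.e. 10.134.115.0/24 and 10.135.115.0/24 to the single host 61.227.106.70/32, or phase 2 will fail with a proxy-ID mismatch. Second, PAT is one-directional: hosts in 10.11.102.0/24 can initiate sessions to the vendor, but the vendor cannot initiate sessions to individual hosts behind 61.227.106.70, which is a reasonable least-exposure default for a vendor tunnel but must be understood before the design is agreed.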
