05-09-2007 06:00 AM
Hi, my customer has an L2L tunnel between the ASA outside interface and a router. He also wants to NAT on outside, translating
incoming addresses arriving on the outside interface towards the inside interface. This is the opposite of how it is normally done.
The tunnel comes up, but no data traffic is possible.
Could he have a conflict because the tunnel terminates on outside and NAT is also on outside?
Does anybody have an idea?
Regards Guenther
05-09-2007 06:15 AM
Could you post a clean ASA config?
05-09-2007 06:40 AM
Hi Guenther,
If I understand correctly, yes, it can be done. We have this setup on one of our firewalls.
Basically NAT is done after IPsec when coming from outside to inside, so as an example:
This is your crypto map access-list
access-list customer1 permit ip 10.182.179.0 255.255.255.0 host 172.16.5.1
You could then have the following
nat (outside) 1 172.16.5.1 255.255.255.255 outside
global (inside) 1 interface
This should work. I have not actually used the inside interface for NAT, as I chose a separate subnet for the translations, i.e.
nat (outside) 1 172.16.5.1 255.255.255.255 outside
global (inside) 1 10.157.200.1
but I can't see why what you are trying wouldn't work.
HTH
Jon
05-11-2007 01:08 AM
Hi, thanks for the feedback. My customer got it working when he removed nat-control. Strange, but he will not do any more testing and will keep it running as it works now. Regards Guenther
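The outside-NAT setup Jon describes, assembled into one fragment together with the nat-control change from Guenther's follow-up. This is an added example, not configuration from either poster; it uses pre-8.3 ASA syntax and the addresses quoted in the thread, and the interface names outside/inside are assumed. The crypto map itself is omitted because the thread reports the tunnel already comes up.

```cisco
! Added example (not from the original posts): outside NAT on a pre-8.3 ASA
! for a host reached through an L2L tunnel. Interface names are assumed.

! Interesting traffic for the L2L tunnel, as quoted by Jon: the remote LAN
! talks to the remote host 172.16.5.1, which is translated on its way in.
access-list customer1 permit ip 10.182.179.0 255.255.255.0 host 172.16.5.1

! Outside NAT: the trailing "outside" keyword marks this rule as applying to
! traffic that enters on the outside interface. The packet is decrypted
! first and only then matched against the NAT rules.
nat (outside) 1 172.16.5.1 255.255.255.255 outside

! Translate the remote host to the inside interface address (PAT) ...
global (inside) 1 interface
! ... or, as Jon did, to a dedicated address behind the inside interface:
! global (inside) 1 10.157.200.1

! Guenther's customer only passed traffic after disabling NAT control.
! With nat-control enabled the ASA requires every connection crossing it
! to match a NAT rule; with it disabled, untranslated traffic is simply
! forwarded. This is the default on a fresh ASA install.
no nat-control
```

Two things to check when reproducing this. First, `no nat-control` does not open any access by itself: interface access-lists and the crypto ACL still decide what passes, so review those rather than the NAT change if traffic is unexpectedly reachable. Second, if the customer prefers to keep nat-control on, the usual remedy is to give the inside hosts an explicit identity translation (`nat (inside) 0 access-list ...`) so that their side of the flow also matches a NAT rule; that variant is an assumption here and was not tested in the thread.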