Policy NAT thru VPN

steve0miller (Level 1)

Hi all,

I have an ASA with these settings:

Internal Network: 192.168.1.0 /24

External Interface: AA.183.142.222

Our vendor has an ASA with these settings:

Internal Network: 192.168.50.0 /24

External Interface BB.179.80.108

We wish to create a L2L VPN with our vendor. They require that when our internal traffic goes through the VPN tunnel, it be translated to 10.1.0.8/32. So in other words, traffic sourcing from OUR internal network that is destined to the vendor internal network must seem to them like it's coming from 10.1.0.8/32.

A simple diagram would be like so:

192.168.1.0/24---->translate to 10.1.0.8 only for this VPN tunnel---->192.168.50.0/24 (vendor int. network)

Below is how I think I should configure my ASA. Any suggestions would be appreciated.

interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address AA.183.142.222 255.255.255.224
!
! crypto ACL: interesting traffic as the vendor sees it (post-NAT source)
access-list E-MD extended permit ip host 10.1.0.8 192.168.50.0 255.255.255.0
! policy NAT ACL: real inside source going to the vendor network
access-list policy-nat extended permit ip 192.168.1.0 255.255.255.0 192.168.50.0 255.255.255.0
!
! pool 1: everything else is PAT'd to the outside interface address
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
! pool 5: only traffic matching policy-nat is translated to 10.1.0.8
global (outside) 5 10.1.0.8 netmask 255.255.255.255
nat (inside) 5 access-list policy-nat
!
crypto map outside_map 20 match address E-MD
crypto map outside_map 20 set peer BB.179.80.108
crypto map outside_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
!
crypto isakmp policy 20
 authentication pre-share
 encryption 3des
 hash sha
 group 1
 lifetime 86400
!
tunnel-group BB.179.80.108 type ipsec-l2l
tunnel-group BB.179.80.108 ipsec-attributes
 pre-shared-key XXXXXXXx

Thanks,

SM

4 Replies

andrew.prince (Level 10)

Your config is almost there. Now you need to not 're-NAT' the VPN traffic after you have already policy-NATted it; add:

nat (inside) 0 access-list E-MD

This will not NAT the traffic from 10.1.0.8 to 192.168.50.0/24 as it enters the VPN tunnel.

Remove:

global (outside) 5 10.1.0.8 netmask 255.255.255.255

This is not required.

HTH

Thank you for the suggestion!

np - glad to help.

atpham (Level 1)

I used ASDM to create it. You can convert to fit your ACL names.

access-list inside_nat0_outbound extended permit ip host 10.1.0.8 192.168.50.0 255.255.255.0
access-list inside_nat_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list outside_2_cryptomap extended permit ip host 10.1.0.8 192.168.50.0 255.255.255.0
!
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 5 10.1.0.8 netmask 255.255.255.255
nat (inside) 5 access-list inside_nat_outbound
!
crypto map outside_map 2 match address outside_2_cryptomap
crypto map outside_map 2 set peer BB.xx.xx.xx
crypto map outside_map 2 set transform-set ESP-3DES-MD5
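A small Python model, added here and not taken from the thread or from Cisco, of the pre-8.3 outbound NAT order the configs above depend on: NAT exemption (nat 0 access-list) is checked first, then policy NAT (nat id access-list), then the regular dynamic pool, and the crypto ACL is evaluated afterwards against the already-translated source. The ACL and pool names are the original poster's; the public address is a constructed placeholder standing in for the masked AA.183.142.222, and the helper names are hypothetical.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Ace:
    """One 'permit ip <src> <dst>' entry of an extended access-list."""
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network

    def matches(self, s, d):
        return s in self.src and d in self.dst

def ace(src, dst):
    return Ace(ipaddress.ip_network(src), ipaddress.ip_network(dst))

# ACLs as posted in the question
ACLS = {
    "E-MD": [ace("10.1.0.8/32", "192.168.50.0/24")],        # crypto ACL
    "policy-nat": [ace("192.168.1.0/24", "192.168.50.0/24")],  # policy NAT ACL
}

# nat (inside) 0 access-list E-MD   (the exemption suggested in the replies)
NAT_EXEMPT = "E-MD"
# nat (inside) 5 access-list policy-nat  ->  global (outside) 5 10.1.0.8
POLICY_NAT = [("policy-nat", ipaddress.ip_address("10.1.0.8"))]
# nat (inside) 1 0.0.0.0 0.0.0.0  ->  global (outside) 1 interface
OUTSIDE_IF = ipaddress.ip_address("203.0.113.222")  # constructed placeholder

def translate(src, dst):
    """Return (translated source, rule applied) for an inside->outside packet."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    # 1. NAT exemption wins over every other rule
    if any(a.matches(s, d) for a in ACLS[NAT_EXEMPT]):
        return s, "nat 0 (exempt)"
    # 2. policy NAT is consulted before the regular dynamic pool
    for name, mapped in POLICY_NAT:
        if any(a.matches(s, d) for a in ACLS[name]):
            return mapped, f"policy nat ({name})"
    # 3. everything else falls into pool 1 (interface PAT)
    return OUTSIDE_IF, "nat 1 (interface PAT)"

def enters_tunnel(src, dst):
    """The crypto map ACL sees the post-NAT source, so translate first."""
    xlated, _ = translate(src, dst)
    return any(a.matches(xlated, ipaddress.ip_address(dst)) for a in ACLS["E-MD"])
```

Running translate() on a host bound for the vendor network returns 10.1.0.8 and enters_tunnel() is true, while the same host bound for the Internet is PAT'd to the interface address and stays out of the tunnel.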
